What It Costs to Run Let's Encrypt

The transparency about the cost of operating as a CA was great in the begining, expecially with the post https://letsencrypt.org/2016/09/20/what-it-costs-to-run-lets-encrypt.html :

Here’s how our 2017 budget breaks down:

Expense Cost
Staffing $2.06M USD
Hardware/Software $0.20M USD
Hosting/Auditing $0.30M USD
Legal/Administrative $0.35M USD
Total $2.91M USD

But after that, the openness seamed to deteriorate:

In 2017: https://letsencrypt.org/2017/12/07/looking-forward-to-2018.html

In 2018 Let’s Encrypt will secure a large portion of the Web with a budget of only $3.0M

We had originally budgeted $2.91M for 2017 but we’ll likely come in under budget for the year at around $2.65M.

And in 2018: https://letsencrypt.org/2018/12/31/looking-forward-to-2019.html

In 2019 Let’s Encrypt will secure a massive portion of the Web with a budget of only $3.6M.

I was able to find a little more information on the Tax Year 2016 Form 990 from ISRG on IRS.org but I didn’t found other years.

Could ISRG publish publicly the all IRS forms 990 (Return of Organization Exempt from Income Tax) and 1024 (Application for Recognition of Exemption), and any other potentially interesting document?

1 Like

Worth every cent!

1 Like

Ping @josh to have an official answer :slightly_smiling_face:

990s always lag behind a bit but a new one should come out every 12 months or so. The 2017 990 should be available soon through the usual channels.

The expense category ratios in later years are roughly the same as they were in 2017. Staffing costs are dominant, the rest is split roughly equally between the categories we use in 2017. Over time the amount allocated to cloud services has gone up a bit faster than the other categories due to higher log volumes (we use a specialized cloud provider for our short-term log storage and search capabilities because we don’t want to run our own ELK stack) and the fact that we have been working on a cloud-based CT log. In case people don’t know, we do not run any of the core CA infrastructure in the cloud. The infrastructure expenses for the core CA are split up between Hardware and Software and Hosting, but cloud service expenses are all in Hosting.

We decided not to go into that same level of detail after 2017 because as a summary it seemed to create more questions than it really answers. In part that’s because a lot depends on how exactly we categorize certain expenses and that is complicated. Again, the main takeaway is that staffing costs are dominant, and I think we mention that in every post.


Thank you josh for that detailed answer! It completely answer my questions :slightly_smiling_face:

I have an additional question: https://letsencrypt.org/stats/ gives an idea of the number of requests received by Let’s Encrypt, but one metric is missing to get a complete picture of the load / size of the infrastructure needed:

Do you know how many OCSP requests Let’s Encrypt receive in average (Both directly and caught by it’s CDN provider)?

“Our infrastructure also generates and signs around 40 million OCSP responses daily, and serves those responses approximately 5.5 billion times per day.”

That’s from this post:

CDN offload is pretty high, above 90%. I’m not sure what the exact number is at the moment. In terms of resources on our end, obviously the CDN is doing a lot of work. On our end it doesn’t take much compute to sign and serve OCSP, the biggest issue is having enough HSM cryptographic signing capacity. HSMs aren’t cheap or easy to manage.

1 Like

I missed it, shame one me. Thanks!

For ~152M FQDN

And https://letsencrypt.org/2017/12/07/looking-forward-to-2018.html

Our infrastructure also generates and signs nearly 20 million OCSP responses daily, and serves those responses nearly 2 billion times per day.

For ~63M FQDN

And https://letsencrypt.org/2017/01/06/le-2016-in-review.html

We’re currently serving an average of 6,700 OCSP responses per second.

~0.5 billion per day, for ~ 23M FQDN

Full disclosure, I’m writing that: https://github.com/tdelmas/Let-s-Clone , sort of “How to clone Let’s Encrypt”

Has Let’s Encrypt considered using distributed computing and blockchain technologies instead of traditional HSM approaches to offset some of the cost and apply a newage technology stack that could truly open the SSL stack?

  1. at the end, is has to be signed with CA’s private key to be vaild in browsers.
  2. in blockchain model only full nodes can truely validate leaf certificate(transaction), and it’d be 100GB+ , something you can’t fit in most clients.

Please see my thread under Rodimage.

Agreee to keeping it free for certificates, but companies should pay for commercial use if they are chargimg customers for it. If they install a certificate for free, they ahould make a small donation of goodwill and to further your progress to keep it free and for future upgrades.

1 Like

I agree with @orangepizza’s observations about the blockchain question. Also, in the Let’s Encrypt academic paper, we talked about this issue a little bit. See the “Gradual deployment is essential” section on page 2484 of https://dl.acm.org/citation.cfm?id=3363192. Many of the people working on Let’s Encrypt are conceptually enthusiastic about replacing or supplementing the CA system with something else, yet decided that the current Let’s Encrypt model was valuable enough to pursue now in a way that’s compatible with the installed base of TLS clients.