Why does letsencrypt.org not use its own certificates?


#1

Look at the intermediate certificates for these two domains:

  1. letsencrypt.org: TrustID Server CA A52
  2. community.letsencrypt.org: COMODO RSA Domain Validation Secure Server CA

The only domain using its own certificate is:
helloworld.letsencrypt.org: Let’s Encrypt Authority X1

The answer:
Most probably the servers were up and running before “Let’s Encrypt Authority X1” was cross-signed and accepted by major browsers. The web site was not willing to start an SSL-everywhere campaign without using SSL on its own web site. I can perfectly understand this.

But now I would expect Let’s Encrypt to issue its own certificates for its own web sites and in this way show how much it trusts its own infrastructure.

If you are confident in what you do, you have to do it first in order for others to trust what you are doing. This would, in my humble opinion, increase credibility.

Probably not really hard to do:

  • revoke existing certificates,
  • issue new certificates with the “Let’s Encrypt Authority X1” intermediate.

Is there some other reason that I do not understand?

Thanks,
Joe
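One way to perform the check the post describes, as an added example that is not from the original thread: a small Python script that opens a verified TLS connection, reads the leaf certificate and reports which CA issued it. The sample certificate dicts are constructed to mirror the two issuers named above (they are not captured from the live sites), and the hostnames in the usage block are assumptions.

```python
import socket
import ssl
import sys

def issuer_cn(cert):
    """Return the issuer commonName from a certificate dict in the shape
    returned by ssl.SSLSocket.getpeercert(): 'issuer' is a tuple of RDNs,
    each RDN a tuple of (attribute, value) pairs."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def issued_by(cert, ca_fragment):
    """True if the issuer's commonName or organizationName contains
    ca_fragment, e.g. "Let's Encrypt"; False otherwise."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr in ("commonName", "organizationName") and ca_fragment in value:
                return True
    return False

def fetch_leaf_cert(host, port=443, timeout=5):
    """Open a verified TLS connection (default context, hostname checked)
    and return the server's leaf certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample dicts mirroring the two issuers named in the post;
# the values are illustrative, not captured from the live sites.
SAMPLE_LE_CERT = {
    "subject": ((("commonName", "helloworld.letsencrypt.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X1"),)),
}
SAMPLE_OTHER_CERT = {
    "subject": ((("commonName", "letsencrypt.org"),),),
    "issuer": ((("commonName", "TrustID Server CA A52"),),),
}

if __name__ == "__main__":
    # Assumed hostnames; pass others on the command line.
    for host in sys.argv[1:] or ["letsencrypt.org", "helloworld.letsencrypt.org"]:
        cert = fetch_leaf_cert(host)
        print(host, "->", issuer_cn(cert), "| own CA:", issued_by(cert, "Let's Encrypt"))
```

The same issuer check is useful as a defender's monitoring job: alert when a certificate for a domain you own turns up issued by a CA you did not expect.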


#2

Revoking the old certificate wouldn’t be necessary.

If LE (as a CA) ever became compromised and all certificates had to be revoked, LE’s actual domains could still be served securely, because they’re not dependent on LE’s intermediate / root certificate.


#3

Let me guess… they are using CloudFlare in front of their website :slight_smile: !?

It’s what I’m also doing on my website https://www.andreagrandi.it, and if you have SSL strict activated, the COMODO SSL certificate will appear instead of the original one if you are on the free plan.


#4

Sites on CloudFlare Universal SSL present certificates issued from COMODO ECC Domain Validation Secure Server CA 2.

https://letsencrypt.org is on Akamai.
https://community.letsencrypt.org is on Hurricane Electric.


#5

I’m guessing there are 2 reasons:

  1. LE is in public beta status for a reason: the client is still in beta.
  2. As the client is still in beta, auto-renewal in the LE client isn’t ready or done yet. I suspect they want to switch over when they can test the LE client’s auto-renewal capabilities as well.

#6

It really looks like you can’t directly pass the whole HTTPS network traffic from CloudFlare to your web server on the free plan; interesting. https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-Off-Flexible-SSL-Full-SSL-Full-SSL-Strict-SSL-Only-mean-


#7

Well, if you’re using CloudFlare’s “protection” mode, it can’t really change the IP for the DNS record based on a protocol. Things just don’t work that way.

You can use CF as your DNS provider and it’ll work just fine direct between the client and your server. Just don’t enable CF’s CDN/protection option for that DNS entry.


#8

I am working on Cloudflare API-based changes to protection mode for my Let’s Encrypt integration, so if anyone has feedback or input it would be appreciated: Cloudflare API to disable protection = DNS ONLY? :smile:


#9

And now, for something completely different:


#10

Guess it’s never too late to start :slight_smile: