Will Let's Encrypt's own sites use Let's Encrypt certs?


#1

Just curious: If LE finally works and the root cert is in all major browsers (or at least the cross-signature is there) will the LE websites, like https://letsencrypt.org/ and https://community.letsencrypt.org/ also switch to certificates from Let’s Encrypt?


#2

I’m curious as well, why aren’t they dogfooding themselves?


#3

Our root certificate hasn’t been cross-signed by IdenTrust yet, so any certificates we issued for ourselves would be somewhat useless as nothing would trust them.

Presumably once this cross-signature is in place we’ll either switch to a LE certificate or wait until the existing certificate expires before switching.


#4

You’ll know when something is wrong if you dogfood it.


#5

People want information from the LE sites. If they get a warning they won’t get this information. Putting an LE cert on their sites right now is not wise.


#6

It's not a good idea.

Let's make a hypothetical case, where Let's Encrypt's Root CA private key leaks (very unlikely).
So, when Let's Encrypt wants to make an announcement about it, it is better NOT to use that Root.


#7

Your suggestion appears to have been done now.

The site appears to redirect URLs with a www prefix to the unprefixed version, perhaps to avoid needing a separate certificate for the www-prefixed domain name. This is an interesting technique that should be in the information given to users. I see in the list of LE-generated certificates many instances of pairs of issued certificates, for websites that do not use this technique.


#8
  1. You do not need another certificate for the www subdomain. You can just use SANs for this.
  2. On LE's own website this is how it is used. One certificate for www.letsencrypt.org and letsencrypt.org is used. This makes it possible that https://www.letsencrypt.org redirects to https://letsencrypt.org.
  3. It is very common (and recommended) to use a cert with at least the www subdomain included as your default one, because there may always be users who type in https://www.<domain>.<TLD> and always users who only type in https://<domain>.<TLD>. (Note that https:// sometimes does not have to be typed in.) If you do not do so, such users may get scary SSL errors and they do not know what they did wrong.
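A small check for the point made in #8, added here as an example and not code from this thread or from Let's Encrypt: before pointing the www redirect at one certificate, confirm that its SAN dNSName entries cover both the apex and the www name. Name matching follows the browser rules (case-insensitive exact labels; a wildcard only as the whole leftmost label, matching exactly one label, so `*.example.org` does not cover `example.org`); the SAN lists below are constructed stand-ins for what `openssl x509 -noout -ext subjectAltName` would print.

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers hostname (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label and, as browsers require,
    # must be followed by at least two labels ("*.org" is rejected).
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # A wildcard matches exactly one label, so it never covers the apex name
    # ("*.letsencrypt.org" vs "letsencrypt.org") or deeper names.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def uncovered_names(san_dns_names, hostnames):
    """Return the hostnames that no SAN entry in the certificate covers."""
    return [h for h in hostnames
            if not any(dns_name_matches(p, h) for p in san_dns_names)]


def covers_apex_and_www(san_dns_names, apex: str) -> bool:
    """True if a single certificate can serve https://apex and https://www.apex."""
    return not uncovered_names(san_dns_names, [apex, "www." + apex])


if __name__ == "__main__":
    # Constructed SAN lists (not real certificates).
    cases = {
        "apex + www SANs": ["letsencrypt.org", "www.letsencrypt.org"],
        "wildcard only":   ["*.letsencrypt.org"],
        "apex only":       ["letsencrypt.org"],
    }
    for label, sans in cases.items():
        missing = uncovered_names(sans, ["letsencrypt.org", "www.letsencrypt.org"])
        print(f"{label:16} ok={covers_apex_and_www(sans, 'letsencrypt.org')} missing={missing}")
```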