Free SSL Certificates from Let's Encrypt

March 9, 2016

We're truly excited to announce that ServerPilot now offers easy, unlimited, free SSL certificates to users on our Coach and Business plans. By making SSL deployment absurdly simple, we're continuing to empower our users to focus valuable time and energy on their businesses and projects.

When you use our new AutoSSL feature, ServerPilot will perform every step of the process needed to issue, deploy, and even renew SSL certificates for each of your apps. When you add a new domain to an app, ServerPilot will automatically authorize the domain with a certificate authority (CA), issue a certificate, and deploy it on your server. Whenever a certificate needs to be renewed, ServerPilot will automatically reissue the certificate and deploy it for you. You'll never have to think about CSRs, keys, authorizations, certificates, intermediate cert bundles, expiration dates, or renewals again.

How Are Free SSL Certificates Possible?

Until now, the only way to get SSL certificates that were trusted by browsers was to pay a CA for each SSL certificate. The cost normally started at $10 per year for single-domain certificates.

The process of obtaining a certificate from one of these CAs was very labor- and time-intensive. A few CAs offered APIs, but they weren't good APIs and couldn't be used to make SSL certificates truly painless for our users. (We know because we've always dreamed of automatically issuing SSL certificates and have been looking for a CA with a great API.)

Starting in December, a new CA with an entirely different model entered public beta. It's called Let's Encrypt (sometimes stylized as LetsEncrypt). Let's Encrypt is a nonprofit with the goal of making SSL available as widely as possible. Notably, they are also entirely API-based and have designed a beautiful API. There is no way to obtain a certificate from them other than through their API.

Though Let's Encrypt is a nonprofit, its future is safe, as they've been extremely careful to design a scalable model and have obtained funding and sponsorship from major organizations such as Mozilla, the Electronic Frontier Foundation, Google, and Facebook.

Limitations of Let's Encrypt

Though SSL certificates from Let's Encrypt are completely secure and already trusted by all browsers, Let's Encrypt is still in its early stages. To ensure reliability and scalability, they are enforcing very strict rate limiting and have a few other limitations on the certificates they will issue.

As a result of Let's Encrypt's strict rate limiting, we're not able to offer certificates for subdomains; that is, ServerPilot can issue certificates for registered domains (for example, serverpilot.io and www.serverpilot.io), but we can't issue certificates that include subdomains (for example, foo.serverpilot.io). It is possible that Let's Encrypt will loosen their rate limiting in the future, though whether they do and to what degree isn't certain. [Update: Subdomains are now supported. Let's Encrypt came out of beta in April 2016 and loosened rate limits.]

Additionally, Let's Encrypt does not currently plan to offer SSL certificates for wildcard domains (for example, *.serverpilot.io).

Internationalized domain names (IDNs) are not yet supported by Let's Encrypt, but they do intend to add support for them in the future. [Update: Let's Encrypt began supporting IDNs in October 2016.]

Despite these limitations, we're extremely grateful to the team behind Let's Encrypt for everything they've already done to improve the state of security on the Web. We support them in their decision to grow slowly and carefully to ensure they can keep offering a great, reliable service.

Get Started with AutoSSL

If you're already a ServerPilot Coach or Business user, log in to enable AutoSSL for your apps. If you're a Free plan user, AutoSSL will be available immediately once you upgrade.

You can also find more information in our article on using AutoSSL.