2.15.1.1.1. Free certificate from Let's Encrypt
Let's Encrypt is an automated certificate authority that provides free SSL certificates for websites. The goal of this project is to improve the level of security of sites everywhere, since the HTTPS protocol transfers data between the client and the server in encrypted form, which prevents third parties from obtaining this data.
The certificate is issued completely automatically, but this requires some basic knowledge of server administration. On our hosting, installing the certificate is even simpler and does not require additional knowledge: you just need to submit an installation request. For new sites, the certificate is installed automatically some time after their creation, provided all the conditions for obtaining it are met.
During the certificate installation process, Let's Encrypt checks and validates the domain name and website by sending a series of queries or by using DNS records. The process of issuing and revoking certificates is described in more detail on the official website.
Differences from commercial certificates
Let's Encrypt certificates differ from paid certificates in a number of ways:
- Financial guarantee: Let's Encrypt is a non-profit company and does not provide any compensation if a certificate is compromised. Third-party companies generally provide some compensation in the event of problems with the security of their certificates.
- Security: certificates from Let's Encrypt have only DV (Domain Validation) verification, in which only the domain name is verified. Third-party CAs can issue certificates with additional levels of validation, such as OV SSL (Organization Validation) and EV SSL (Extended Validation), thereby providing higher security and a special certificate display in the browser bar (the display depends on the browser).
- Certificate validity period: SSL certificates from Let's Encrypt are valid for 90 days, after which a certificate must be obtained again. Third-party companies provide certificates for a period of 1 year or more. (Our dashboard takes the short validity period of Let's Encrypt SSL certificates into account and installs a new certificate on the site before the current one expires, so that a valid certificate is always available.)
- Payment systems support: a Let's Encrypt certificate uses SNI (Server Name Indication) technology, which allows multiple certificates to be installed on one IP address. A large number of payment systems do not work with this technology, so it may not be possible to connect such payment systems to the site for making electronic payments.
Conditions for receiving
Important points:
- Automatic certificate installation is available only for sites on virtual and business hosting.
- The certificate installation request is processed automatically; it usually takes no more than an hour.
- For subdomains of one domain, no more than 20 certificates can be issued per week.
- The certificate is issued for 3 months and is automatically renewed if the conditions described below are met.
- The ability to automatically install a certificate is not available for sites hosted on VPS, dedicated servers or hosted by other companies.
- The certificate cannot be issued for subdomains with the symbol _ in the name.
- If the site has 10 or more subdomains added (including www), only a wildcard certificate is available.
- If the domain settings contain a CAA record, this record must not prevent the Let's Encrypt CA from issuing SSL certificates.
Certificate for a domain or subdomain
Conditions for obtaining a certificate for a domain or subdomain:
- The domain must be working and correctly pointed to our hosting (in the domain settings, the address records for the names with www and without www must specify the current IP addresses of the hosting account).
- The site must be accessible and must return a 200 server response when accessed.
- The site must not have access restrictions configured.
- The domain for which you are requesting a certificate must not be on the Google Safe Browsing list of malicious sites.
If the site has aliases to be included in the certificate, the same conditions must be met for them.
Wildcard certificate
Conditions for receiving a wildcard certificate:
- The domain must be working and served by our NS.
- In the site settings, processing of requests to non-existent subdomains must be enabled.
- When submitting an installation request, be sure to agree to include the alias *.example.com in the certificate, where your domain will be in place of example.com.
- If the site has aliases to be included in the certificate, they must meet the same conditions as for installing a certificate for a domain or subdomain.
- The domain for which you are requesting a certificate must not be on the Google Safe Browsing list of malicious sites.
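A pre-flight check for the DNS-side conditions listed above (an underscore in a subdomain name, the 10-subdomain threshold, and CAA records), given as an added example that is not part of the hosting provider's tooling. It evaluates CAA records using the RFC 8659 rules against the issuer identifier letsencrypt.org; the function names, the sample zone data, and the assumption that a wildcard request covers both example.com and *.example.com are illustrative.

```python
LE_CA = "letsencrypt.org"          # CAA issuer identifier used by Let's Encrypt
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(name, caa_by_name):
    """RFC 8659 tree climbing: the closest ancestor with CAA records wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = caa_by_name.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []                       # no CAA anywhere: issuance unrestricted

def caa_allows(name, caa_by_name, ca=LE_CA):
    """True if the CAA records let `ca` issue for `name` ('*.' = wildcard)."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, caa_by_name)
    # A critical (flag 128) property the CA does not understand blocks issuance.
    if any(flags & 0x80 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard names only.
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True                 # e.g. only iodef records: no restriction
    # Parameters after ';' (accounturi, validationmethods) are ignored here.
    return any(v.split(";")[0].strip().lower() == ca for v in props)

def preflight(domain, subdomains, caa_by_name, want_wildcard=False):
    """Return the conditions from this page that would block issuance."""
    problems = [f"{s}: '_' in name" for s in subdomains if "_" in s]
    if len(subdomains) >= 10 and not want_wildcard:
        problems.append("10 or more subdomains: request a wildcard certificate")
    # Assumption: a wildcard request covers the domain and *.domain.
    names = [domain, f"*.{domain}"] if want_wildcard else [domain, *subdomains]
    problems += [f"{n}: CAA does not authorise {LE_CA}"
                 for n in names if not caa_allows(n, caa_by_name)]
    return problems

# Constructed sample zone data as (flags, tag, value); not real DNS answers.
SAMPLE_CAA = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "shop.example.com": [(0, "issue", "ca.example.net")],
}

if __name__ == "__main__":
    subs = ["www.example.com", "shop.example.com", "dev_1.example.com"]
    for line in preflight("example.com", subs, SAMPLE_CAA):
        print(line)
```

In the sample data the `issuewild ";"` record blocks a wildcard certificate even though `issue` names Let's Encrypt, and the CAA set on shop.example.com overrides the parent's for that subdomain.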
Installation
If you need a wildcard certificate, enable processing of requests to non-existent subdomains before submitting the installation request.
- Open the SSL settings.
- Click the button to install the certificate. If you receive a notification about the need to point the domain to the IP of the hosting account, read this information.
- If the site has aliases, indicate whether you want to include their addresses in the certificate. This applies whether there is only one alias or several.