Shedding light upon this service is almost as awesome as the service itself. Thank you Tom, the internet thanks you!

letsencrypt is the best. My website uses Traefik reverse proxy with automagic LetsEncrypt integration using DNS challenge. Once its set up, I don't have to think about anything. It just works.

Thank you for giving me a better understanding on this

If you don't like your Let's Encrypt certificate, I'll personally triple your money back.

One difference worth mentioning is the info that is in the TLS cert. When you go through a conventional CA, they verify your identity (e.g. company name), and that info is shown in the cert when a user asks for details from the browser. Since Let’s Encrypt does not validate this information (or even ask for it), it can show nothing in the cert apart from your domain name. So all one of their certs is actually certifying is that the site you are connecting to is the actual owner of the domain name, nothing more or less.

Tom, it is my understanding that the EV was originally brought in also to allow the browser address bar to change to a green background when it was on a site that had a valid EV certificate - a visual indicator to the web-site customer that it was good and not a dodgy site. The financial institution I work for spends quite a bit if time & effort assisting our customers in matters of internet security and the fact that the browser manufacturers are now moving away from highlighting an EV certificate is annoying.

Lawrence, Today, before I watched your video, I uninstalled the ACME and the HAProxy packages from my pfSense. For days, I have tried to make them work. HAProxy worked very well fowarding HTTP traffic, but I could not make it foward the HTTPS traffic (even without SSL Termination and new encryption) to the backend server. It was very, very buggy. The ACME package worked flawlessly using a STAGING key. But did not work at all with the production key. "Authorization must be pending" apeared in the logs among other things. - Could you please make a complete video? I mean creating a staging key and then a final production key? - Could you show the creation of the staging certificate and then the creation of the final production one? - Could you show SSL offloading and new encryption to the backend server? - Could you show a complete Frontend (I tried with two) with the Lua script for Webroot local folder validation and forwarding all HTTP traffic to HTTPS? This way, only port 443 wold be open on the backend server. - Could you show verification (CRL) of the backend server certificate really working? After days, my conclusion is that both packages (HAProxy and ACME) are not in production stage. At least not in this version of pfSense. PS: I watched the oficial Netgate videos about both of then, and watched an entire online course on HAProxy.

Love LetsEncrypt, all of my servers run their certs

Great video, thanks. I had heard of Let's Encrypt before but didn't look into it until I saw your video. I self host a couple of webapps from my home server and have now replaced my GoDaddy cert with a Let's Encrypt cert. Was super easy to setup and free. No brainer.

I'm wondering.. Is it acceptable to ask you for a detailed tutorial on how to install and secure a webserver (Apache) on Linux, and also in another video how to set up let's encrypt reliable and automatic re-new cert.?

many isp's block port 80 for residential connections. So if that's the case, you won't be able to use Let's Encrypt

I watch so many of your videos if they're not t completely over my head. It just amazes me how fast your mind and your mouth work in concert. I have to wonder just how your employees can keep up with you once you get going. LOL. Sometimes, when I really want to get something, I'll set the speed to 75% so I can get it all. That's pretty funny too, because it makes you sound like you've had a 3 martini lunch.

What do you use for an internal PKI environment? Offline root CA, HSM? Any recommendations for a homelab/small business?

Super coverage on this. I will be looking into Let's Encrypt since I just purchase a domain for my LAN.

I would not call a DV CA which has not used multiple perspectives for a long time "abzulotsende secure", it's more minimum acceptable security. If you control the clients it's good to add some extra protection like certificate pinning and monitor the CT logs closely as CAA record seems not to be honored in terms of letsencrypt accounts. (Issuer Account Tag)

This clears up a lot. Thanks Tom!

Big thanks to Lawrence and hello from Moscow '-)

I'm trying to find out how to extend beyond 10 ssl certificates. First 10 are free but beyond that I'm at a lose. I don't mind paying for that luxury. Any ideas??

4:56 One problem that I’m not sure has been solved is that any CA can issue a cert for any domain. Thus, one dodgy CA can undermine the whole system by issuing bogus certs for sites that everybody uses.

Use it on unifi controller and unifi video. Going to set it up on 3CX soon ( its used by default for none custom domains ) . No reason to noe use https nowadays. It should be the default. Honestly, should just phase out none https.

6:05 Unless it's Godaddy, they charge an arm and a leg and everything in your pocket to give you SSL. I get mine from Cloudflare.

Only issue I have had is when my certs expire through my hosting provider they do not seem to auto-renew at least not that I can see not sure why

Would the LetsEncrypt be something I could use home when learning about AD CA on server 2016? or is this just for Linux?

Even worse than "lots of sniffing" where Internet- and Mobile Providers who injected tracking cookies and scripts or advertising. You really do your users a service if you offer only HTTPs, even on public and non-sensitive sites. (Not to mention you get Google SEO Charma)

8:12 Certs are not normally tied to IP addresses. Not sure if Let’s Encrypt even allows that.

Thanks for the great video Tom! I understand Google tends to keep their 'secret sauce'... well, secret... but do you have a sense of if/how having an EV or OV certificate might help with your Google Search results on a small e-commerce* site? *the site doesn't process transactions itself

Could you use this to replace Cisco ASA or Routers expired certs, Or would you ?

Thank you Tom, how to get a certificate for FreeNas? Can you release the next videos on this subject?

Very informative video, thanks so much...

Hi Tom. Looking forward for the up coming videos. Would love to have certs for my home network setup. Many thanks.

Great topic and content, thanks Tom!

Could you please do a video showing how you would enable LetsEncrypt on a Unifi Cloud key with a dyndns FQDN. Thank you

Woohoo.. my 2 pihole servers, unifi controller and wordpress sites are all domain validated by letsencrypt.. works like clockwork..

Lawrence freenas is good with acting like a CA ?

Good stuff.

This made me think... is there an open source/free 2FA solution?

sea doggo 🐿️🤣

A piece of crap. It destroyed my website..

Im curious if i could get ssl cert for my ddns name like stomething.ddns.net

hate to burst your bubble but the government sees your traffic from the core before the ISP