Written by

The Web is an impor­tant place to secure: a large part of the time we spend online involves shar­ing pieces of per­son­al infor­ma­tion. We can’t let all this data exist on the Internet with­out secur­ing it, leav­ing it vul­ner­a­ble to mali­cious peo­ple. Privacy is one of the most valu­able things we all own, because Privacy mat­ters.

Securing the Web for Everyone: A Tale of Privacy

Four years ago, secur­ing con­nec­tions between a client and a serv­er was a dif­fi­cult to achieve: it required you to gen­er­ate a CSR 1) for your ser­vice, sub­mit­ting it to an author­i­ty, installing it on your serv­er… and pay­ing each year to renew it (at a sig­nif­i­cant cost!). So, secur­ing the Web wasn’t for every­one.

This sit­u­a­tion wasn’t com­fort­able to any­one: Web Editors want­ed a bet­ter way to pro­tect their users’ data com­mu­ni­ca­tions, and users need­ed bet­ter pro­tec­tion of their pri­va­cy.

That’s why the Internet Security Research Group start­ed an awe­some ini­tia­tive: offer­ing cer­tifi­cates emit­ted by a non-prof­it CERT Authority, allow­ing it to deliv­er those cer­tifi­cates for free. Finally, we could secure most of the Internet at no cost!

As a PaaS/Cloud provider, we were one of the first to embed the Let’s Encrypt API to our plat­form, allow­ing us to gen­er­ate an SSL/TLS cer­tifi­cate freely for each of your (sub)domains.

v2: When Things Becomes Serious

Great pow­er comes with great respon­si­bil­i­ties. To avoid seri­ous attacks and to lim­it the risk of becom­ing a SPOF 2), Let’s Encrypt quick­ly put lim­its on its API and the use of its cer­tifi­cates.

Until its v2 release, you had to issue a cer­tifi­cate for each sub­do­main you explic­it­ly need­ed. Because we are a provider, we request the Let’s Encrypt API a lot each day. Unitil now, we were able to work with LE and its lim­its to pro­vide you with your cer­tifi­cates trans­par­ent­ly. Thanks to this new API, we’re now allowed to request wild­card cer­tifi­cates too! It means that we can now issue only one cer­tifi­cate to secure all of the sub­do­mains of a domain.

Here’s how we choose to run it at always­da­ta:

  1. Each time you add a new sub­do­main by serv­ing a site/service behind a new URL, we gen­er­ate an LE cer­tifi­cate for this sub­do­main for free,
  2. From the 20th 3) site added, we auto­mat­i­cal­ly fall back to a wild­card cer­tifi­cate that will cov­er the 20th site and all sub­se­quent sites (the 19th first still use their ones),
  3. You can issue a wild­card cer­tifi­cate at any time, from your admin­is­tra­tion pan­el in the Advanced > SSL cer­tifi­cates sec­tion, by adding an SSL Certificate and ask­ing for a wild­card LE one.

All these cer­tifi­cates (auto­mat­i­cal­ly or man­u­al­ly gen­er­at­ed) are han­dled by our plat­form and renewed auto­mat­i­cal­ly on the Let’s Encrypt API, leav­ing noth­ing to do on your side.

Going beyond the limits!

Despite the mag­ic of the Let’s Encrypt ser­vice, there are still some lim­i­ta­tions:

  • You can’t use the inte­grat­ed Let’s Encrypt wild­card issuer if the root domain doesn’t belong to you. I.e. you can still gen­er­ate a foo.example.org sub­do­main cert if the example.org domain own­er has giv­en you a del­e­ga­tion on the foo sub­do­main, but you can’t gen­er­ate the *.example.org wild­card cert, because you don’t own the domain.
  • You still can’t use the Let’s Encrypt cer­tifi­cates to pro­tect high­ly crit­i­cal com­mu­ni­ca­tion like finan­cial trans­fers, as they require the strongest cer­tifi­cates.

For this last use-case, or any oth­er for which you don’t want to rely on the auto­mat­ed Let’s Encrypt cer­tifi­cates, you can still gen­er­ate a CSR for your ser­vice and install a SSL/TLS CERT issued by anoth­er author­i­ty of your choice.


Being involved in the over­all secu­ri­ty of the Internet is our com­mit­ment as a Cloud Provider. With this new use of the Let’s Encrypt API, we’re hap­py to help any­one increase the secu­ri­ty lev­el of the ser­vices they host on our plat­form.

Oh, and did you know you can even enforce SSL use right from the con­fig­u­ra­tion of your site ;) ?

Notes   [ + ]

1. Certificate Signing Request is the process of apply­ing for a cer­tifi­cate issued to a Certificate Authority
2. Single Point of Failure
3. This lim­it is on our side and may change at some point