The Web is an important place to secure: a large part of the time we spend online involves sharing pieces of personal information. We can’t let all this data exist on the Internet without securing it, leaving it vulnerable to malicious people. Privacy is one of the most valuable things we all own, because Privacy matters.
Four years ago, securing connections between a client and a server was a difficult to achieve: it required you to generate a CSR 1) for your service, submitting it to an authority, installing it on your server… and paying each year to renew it (at a significant cost!). So, securing the Web wasn’t for everyone.
This situation wasn’t comfortable to anyone: Web Editors wanted a better way to protect their users’ data communications, and users needed better protection of their privacy.
That’s why the Internet Security Research Group started an awesome initiative: offering certificates emitted by a non-profit CERT Authority, allowing it to deliver those certificates for free. Finally, we could secure most of the Internet at no cost!
As a PaaS/Cloud provider, we were one of the first to embed the Let’s Encrypt API to our platform, allowing us to generate an SSL/TLS certificate freely for each of your (sub)domains.
Great power comes with great responsibilities. To avoid serious attacks and to limit the risk of becoming a SPOF 2), Let’s Encrypt quickly put limits on its API and the use of its certificates.
Until its v2 release, you had to issue a certificate for each subdomain you explicitly needed. Because we are a provider, we request the Let’s Encrypt API a lot each day. Unitil now, we were able to work with LE and its limits to provide you with your certificates transparently. Thanks to this new API, we’re now allowed to request wildcard certificates too! It means that we can now issue only one certificate to secure all of the subdomains of a domain.
Here’s how we choose to run it at alwaysdata:
- Each time you add a new subdomain by serving a site/service behind a new URL, we generate an LE certificate for this subdomain for free,
- From the 20th 3) site added, we automatically fall back to a wildcard certificate that will cover the 20th site and all subsequent sites (the 19th first still use their ones),
- You can issue a wildcard certificate at any time, from your administration panel in the Advanced > SSL certificates section, by adding an SSL Certificate and asking for a wildcard LE one.
All these certificates (automatically or manually generated) are handled by our platform and renewed automatically on the Let’s Encrypt API, leaving nothing to do on your side.
Despite the magic of the Let’s Encrypt service, there are still some limitations:
- You can’t use the integrated Let’s Encrypt wildcard issuer if the root domain doesn’t belong to you. I.e. you can still generate a
foo.example.orgsubdomain cert if the
example.orgdomain owner has given you a delegation on the
foosubdomain, but you can’t generate the
*.example.orgwildcard cert, because you don’t own the domain.
- You still can’t use the Let’s Encrypt certificates to protect highly critical communication like financial transfers, as they require the strongest certificates.
For this last use-case, or any other for which you don’t want to rely on the automated Let’s Encrypt certificates, you can still generate a CSR for your service and install a SSL/TLS CERT issued by another authority of your choice.
Being involved in the overall security of the Internet is our commitment as a Cloud Provider. With this new use of the Let’s Encrypt API, we’re happy to help anyone increase the security level of the services they host on our platform.
Oh, and did you know you can even enforce SSL use right from the configuration of your site ;) ?
Notes [ + ]
|1.||↑||Certificate Signing Request is the process of applying for a certificate issued to a Certificate Authority|
|2.||↑||Single Point of Failure|
|3.||↑||This limit is on our side and may change at some point|