Well, there are several things here.

1. Auto-renewal is by no means guaranteed. Cron jobs can skip a beat; even on Kubernetes the cert-manager operator can fail. Let's Encrypt and cert-manager are third-party software: they change, configs change, APIs can change. I had ~30 environments in a cluster with cert-manager auto-renewing 1 week before the 3-month deadline. All worked well for 1 year straight; the next year 8 of those environments failed auto-renewal, requiring manual intervention. Still no idea why they failed: same cluster, same operator, it kept working for some but not for others. Some of those were business critical, external customers suddenly failed their API calls, etc. Since then I got a star certificate for 2 years; it costs a bit but covers all, no overhead.

2. Let's Encrypt certifies one thing and one thing alone: that you have access to manage the web server which serves a particular domain. Depending on the website's purpose that might be enough, but then again it might not. If I were to see Let's Encrypt on a website with potential financial impact on me, I'd leave. I won't use payment / insurance / banking websites whose SSL doesn't also certify the organisation.

3. The integration strength varies. Basic Nginx is ok, Apache, etc. I trust Traefik a lot because it has adopted Let's Encrypt as part of the server itself; it handles everything, renewal, etc. (sadly I was forced to use Nginx for my bad experience above). But there are issues... Traefik & Ambassador can't use automatic renewal when used in an HA environment. Similarly, neither can Nginx, and it's also a pain to do it manually.
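Points 1 and 2 above both come down to properties you can read off the certificate itself: how long is left before expiry (so a watchdog that is independent of cert-manager, cron or Traefik can page someone when the renewer has silently stopped working), and whether the subject names an organisation at all (a domain-validated certificate carries only a CN/SAN, an OV or EV certificate also carries an Organization). The following is an added example, not code from the commenter or from any of the tools named above; it generates two constructed self-signed certificates so it runs offline, and the hostnames, the organisation name and the 7-day renewal window are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is what an out-of-band renewal watchdog cares about.
type CertStatus struct {
	Subject      string
	DaysLeft     int
	NeedsRenewal bool // remaining lifetime is inside the renewal window
	OrgValidated bool // subject carries an Organization (OV/EV-style); false for DV-only
}

// RenewalWindowDays mirrors the comment's setup (renew 1 week before expiry).
// Assumption: in production you would widen this so a missed cron run still leaves slack.
const RenewalWindowDays = 7

// Inspect evaluates one parsed certificate against the clock `now`.
func Inspect(cert *x509.Certificate, now time.Time) CertStatus {
	remaining := cert.NotAfter.Sub(now)
	return CertStatus{
		Subject:      cert.Subject.CommonName,
		DaysLeft:     int(remaining.Hours() / 24),
		NeedsRenewal: remaining <= RenewalWindowDays*24*time.Hour,
		OrgValidated: len(cert.Subject.Organization) > 0,
	}
}

// NeedingRenewal returns the certificates inside the renewal window: the list a
// monitoring check that does not trust the renewer should alert on.
func NeedingRenewal(certs []*x509.Certificate, now time.Time) []CertStatus {
	var due []CertStatus
	for _, c := range certs {
		if s := Inspect(c, now); s.NeedsRenewal {
			due = append(due, s)
		}
	}
	return due
}

// selfSigned builds a throwaway certificate so the example has input without
// touching a network or a real CA. Times are encoded at second precision by x509.
func selfSigned(cn string, org []string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: org},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     []string{cn},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	// Constructed fleet (hypothetical hosts): a DV-style 90-day cert issued 85 days ago,
	// and a 2-year cert whose subject names an organisation.
	dv, _ := selfSigned("api.example.test", nil, now.AddDate(0, 0, -85), 90*24*time.Hour)
	ov, _ := selfSigned("pay.example.test", []string{"Example Ltd"}, now.AddDate(0, 0, -30), 730*24*time.Hour)
	fleet := []*x509.Certificate{dv, ov}
	for _, c := range fleet {
		s := Inspect(c, now)
		fmt.Printf("%-18s days_left=%-4d renew=%-5v org_validated=%v\n",
			s.Subject, s.DaysLeft, s.NeedsRenewal, s.OrgValidated)
	}
	for _, s := range NeedingRenewal(fleet, now) {
		fmt.Println("ALERT: renewal due for", s.Subject)
	}
}
```

In a real deployment the certificates would come from a TLS handshake against each endpoint (`tls.Dial` and `ConnectionState().PeerCertificates`) rather than from `selfSigned`, and the check would run from somewhere other than the cluster that does the renewing, so a failure of the operator cannot also silence the alert.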

