The Let’s Encrypt SSL certs
are free for anyone, as long as you have:
- The right to modify the DNS records of the domain in question.
- Or, the privilege to run a web application (and serve the challenge content) on port 80/443, reachable from the public Internet (which matters if you are behind NAT).
The problem
is that the certs issued expire every three months, which means you’ll have to renew them far more often than commercial certs.
One may think about automating the process, which is usually easy, until you find yourself trying to access the sensitive part of your security system (where the private key and cert live) without human supervision, while also risking taking the live production system down automatically.
The answer
might be to deploy the new key/cert pair automatically, validate it manually, and then switch over with the press of a button.
But even if a reverse proxy, say Nginx or Stunnel, is used to ease the process, with the most minimal infrastructure supporting it, for example Docker, the cost may still be too high to afford.
You could probably write another handful of posts in the 20 minutes spent checking whether the new cert actually works with your existing setup, not to mention the effort invested in building the automation tools (and debugging/maintaining them, duh!).
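As an added example (not code from the original post), this is what "deploy automatically, validate, then switch by hand" can look like: the ACME client drops the renewed pair into a staging directory, an operator runs the checks, and only then repoints the symlink the proxy reads. The directory layout, domain and reload command are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed layout (constructed):
#   $STAGED/fullchain.pem, $STAGED/privkey.pem  written there by the ACME client
#   $LIVE  symlink that nginx/stunnel reads its cert and key from
# Requires the openssl CLI.
set -eu

# validate_staged DIR DOMAIN [MIN_DAYS]
# Returns 0 only if the staged key and cert belong together, the cert is
# issued for DOMAIN, and it stays valid for at least MIN_DAYS more days.
validate_staged() {
  dir=$1; domain=$2; min_days=${3:-30}
  cert="$dir/fullchain.pem"; key="$dir/privkey.pem"
  [ -r "$cert" ] && [ -r "$key" ] || { echo "missing staged files in $dir" >&2; return 1; }
  # 1. the private key must match the public key inside the certificate
  c_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
  k_pub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
  [ "$c_pub" = "$k_pub" ] || { echo "key/cert mismatch" >&2; return 1; }
  # 2. the cert must cover the name we serve (checkhost prints "does match" /
  #    "does NOT match"; older openssl does not reflect this in the exit code)
  openssl x509 -in "$cert" -noout -checkhost "$domain" | grep -q "does match" \
    || { echo "cert is not valid for $domain" >&2; return 1; }
  # 3. it must not expire within MIN_DAYS (-checkend takes seconds)
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "cert expires within $min_days days" >&2; return 1; }
  return 0
}

# promote STAGED LIVE [RELOAD_CMD]
# The "press of a button": repoint the live symlink and reload the proxy.
# Only run this after validate_staged has passed and you looked at the result.
promote() {
  staged=$1; live=$2; reload=${3:-"nginx -s reload"}
  ln -sfn "$staged" "$live"
  sh -c "$reload"
}

# Operator usage (assumed paths):
#   validate_staged /etc/ssl/staged example.com 30 && promote /etc/ssl/staged /etc/ssl/live
```

The three checks cover the failures that actually bite on renewal day: a key that does not belong to the cert, a cert issued for the wrong name, and a cert that is already too close to expiry to be worth switching to.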
The conclusion
I personally believe that Let’s Encrypt is still a hobbyist-oriented tool, not a production-ready option.