Let’s Encrypt is free, but is it really safe?
Let’s Encrypt has changed the internet—for better and worse. It democratized HTTPS, no doubt. A few lines of shell and your site is green-locked. But we don’t talk enough about its trade-offs. And after self-hosting for years, I’ve seen enough edge cases to have a solid opinion: Let’s Encrypt isn’t as secure as we pretend it is.
Let me explain.
1. Domain validation is just a low bar
Let’s Encrypt only checks if you “own” the domain via DNS or HTTP validation. That’s fine for personal projects, but it opens doors for phishing sites, malicious mirrors, and scam clones to get green-locked with zero scrutiny. Users think a padlock = safe. That’s not true. They just bought a domain, added DNS records, and now they have the same certificate UX as a real banking site.
2. Expiry every 90 days sounds good, until it breaks in production
Short-lived certs are cool in theory. But if you’re running a self-hosted service, you know how brittle the automation can get. One cron job fails, one DNS hiccup, one missed renewal—and your service goes down with “SSL_ERROR_BAD_CERT_DOMAIN”. I’ve seen open-source dashboards, internal APIs, and even e-commerce sites go down silently because of auto-renew gone wrong.
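The failure mode above is silent: the cron job stops running and nobody notices until the cert expires. The check below, an added example rather than anything from the original post, treats a Let's Encrypt cert that is past its 30-day renewal point as an alert in its own right, because that already means the automation has missed its window; the 14-day threshold and the host name are assumptions for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Let's Encrypt issues 90-day certificates and the usual tooling renews
# once 30 days remain. A cert with fewer than 30 days left therefore means
# the renewal job has already failed at least once, even if the site is up.
LIFETIME_DAYS = 90
RENEW_AT_DAYS = 30
WARN_AT_DAYS = 14  # assumed paging threshold for this example


def days_until_expiry(not_after: str, now: datetime) -> float:
    """not_after uses the ssl.getpeercert() format, e.g. 'Jun 30 12:00:00 2025 GMT'."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    expiry = datetime.fromtimestamp(expiry_ts, tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def classify(not_after: str, now: datetime) -> str:
    """Map remaining lifetime to a monitoring state."""
    days = days_until_expiry(not_after, now)
    if days <= 0:
        return "EXPIRED"
    if days < WARN_AT_DAYS:
        return "CRITICAL"
    if days < RENEW_AT_DAYS:
        return "RENEWAL_OVERDUE"  # auto-renew should already have fired
    return "OK"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with full verification and classify the served certificate.

    An expired or otherwise invalid chain fails the handshake before we can
    read notAfter; that failure is itself the alert, so report it as such.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return f"INVALID ({exc.verify_message})"
    return classify(not_after, datetime.now(timezone.utc))


if __name__ == "__main__":
    # example.com is a placeholder; point this at your own service.
    print(check_host("example.com"))
```

Run it from the monitoring host, not from the server that does the renewing, so a broken cron job cannot also take the alert down with it.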
3. MITM still happens, but now with HTTPS
I’ve seen cases where compromised servers served malware under legit Let’s Encrypt certs. And most users wouldn’t even question it because the padlock was green. Let’s Encrypt doesn’t audit content. It doesn’t verify who you are. It’s just domain control. That’s it.
4. Abuse at scale
A single bad actor can register 50 domains, get certs in seconds, and set up a phishing farm—all looking “secure.” Try doing that with paid certificates that involve organization validation. Let’s Encrypt made attacks faster and harder to detect. And while they have rate-limiting and revocation systems, they’re reactive, not preventive.
What do I use instead?
In most of my serious projects, I use Cloudflare’s Origin Certificates or paid DV/OV certs, depending on the use case. They last longer, offer better API controls, and give me less anxiety during deployments. Also, if you’re in DevOps, the fewer moving parts that break silently, the better.
To be clear—Let’s Encrypt isn’t bad. It’s necessary. It brought HTTPS to billions. But if you’re building something serious—something where uptime, trust, and security really matter—don’t blindly go for “free.” Sometimes free costs more in the long run.
⸻
#OpLog Day 6