2016 has been one of the most important years for the HTTPS protocol. It marked the end of SHA1 certificates (although there are still some exceptions), most browsers started to announce HTTPS-only features, there is increasing interest in HTTP/2 which will likely be HTTPS-only, and TLS 1.3 is under active development.
2016 also registered one of the largest increases in the number of HTTPS sites to date, thanks to Let's Encrypt joining the list of Certificate Authorities with an innovative, fully automated approach to certificate issuance (the ACME protocol).
Today, we are happy to announce the public beta of our custom integration with Let's Encrypt ™ within the DNSimple platform.
Let's Encrypt ™ is a trademark of the Internet Security Research Group. All rights reserved.
How does it work?
The Let's Encrypt integration allows DNSimple customers to request a free certificate issued by the Let's Encrypt certification authority for any domain managed with DNSimple.
Validating and issuing SSL certificates with Let's Encrypt is completely automated, thanks to the DNS challenge (dns-01) of the ACME protocol. Once you request a Let's Encrypt certificate, DNSimple automatically provisions the DNS records required to validate the domain and submits the validation request to Let's Encrypt.
For now we only support DNS-based domain validation, so the domain must be managed with DNSimple and must use our name servers in order to request a certificate via Let's Encrypt.
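To make the DNS challenge concrete, here is an added example (written for this page; it is not DNSimple's or Let's Encrypt's code) that derives the `_acme-challenge` TXT record from the challenge token and the ACME account key, following the ACME dns-01 definition and the RFC 7638 JWK thumbprint, and shows the check the CA performs against the zone. The account key, token and zone contents are constructed placeholders, not real data.

```python
"""
ACME dns-01: derive the TXT record the CA expects, and the check the CA runs.
Added example for illustration; not DNSimple's or Let's Encrypt's code.
"""
import base64
import hashlib
import json


def b64url(data):
    """Base64url encoding without '=' padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of the account key: SHA-256 over the required
    public members only, keys sorted lexicographically, no whitespace.
    Optional members such as "kid" or "alg" must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """token '.' thumbprint: binds the CA-issued token to this account key."""
    return "%s.%s" % (token, jwk_thumbprint(jwk))


def dns01_record(domain, token, jwk):
    """Record name and TXT value for the dns-01 challenge: the TXT value is the
    base64url SHA-256 digest of the key authorization, never the key itself."""
    name = "_acme-challenge." + domain
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return name, b64url(digest)


def ca_validates(zone, domain, token, jwk):
    """The CA side: look up TXT at _acme-challenge.<domain> and accept if any
    returned string equals the expected digest. `zone` is a constructed
    stand-in for a DNS lookup: a dict of record name -> list of TXT strings."""
    name, expected = dns01_record(domain, token, jwk)
    return expected in zone.get(name, [])


# Constructed sample data (assumption): not a real RSA key, not a real token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key", "kid": "acct-1"}
SAMPLE_TOKEN = "constructed-token-0123456789abcdef"


if __name__ == "__main__":
    name, value = dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    # Constructed zone: an unrelated TXT record coexists with the challenge record.
    zone = {name: ["v=spf1 -all", value]}
    print("%s TXT %s" % (name, value))
    print("CA validation:", ca_validates(zone, "example.com", SAMPLE_TOKEN, SAMPLE_JWK))
```

Two properties worth noticing: the published TXT value is only a digest, so it leaks nothing about the account key, and the digest is bound to a per-challenge token, so a stale record from an earlier issuance does not satisfy a new challenge. The CA accepts if any TXT string at the name matches (RFC 8555 also has it follow CNAME and DNAME records), which is why several pending challenges for the same name can coexist; the record should still be removed once validation completes.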
Once a certificate is issued, DNSimple will automatically send you an email with the instructions to download the certificate. If you configured a webhook, we will also notify your webhook URL when the certificate is ready.
Let's Encrypt certificates expire after 90 days. If you enable auto-renewal, DNSimple will automatically attempt to renew the certificate 30 days before expiration, as long as your account is active. Although not strictly necessary, we highly recommend automating the deployment of renewed certificates using our webhooks.
Can I continue to use other third-party integrations?
Yes, of course. In the last year, several custom-made integrations using the DNSimple and Let's Encrypt APIs were released. Some notable examples are:
- LEGO: A Go ACME client with built-in support for DNSimple
- letsencrypt-dnsimple in Ruby
- letsencrypt-dnsimple in Go
If you are using any of these tools to provision the DNS records via DNSimple, and request a Let's Encrypt certificate, you can continue to use the tool, or switch to the new official integration if it fits your needs.
Do you support all the Let's Encrypt / ACME features?
We support most of the Let's Encrypt / ACME features. However, our integration has some technical limitations. For instance, the domain must resolve through DNSimple's name servers so that we can automatically provision the DNS records required to validate it.
Moreover, we currently do not support the HTTP (http-01) or TLS-SNI (tls-sni-01) challenges. We also do not currently allow the use of custom private keys (or custom CSRs).
More details are available at the Let's Encrypt support page.
What about the other certificates?
We will continue to offer traditional single-name and wildcard-name SSL certificates, in addition to the Let's Encrypt certificate.
In fact, we are aware that Let's Encrypt doesn't necessarily cover everyone's needs. Some of you may prefer multi-year SSL certificates, or wildcard certificates. Neither multi-year nor wildcard certificates are supported by Let's Encrypt.
The Let's Encrypt integration opens the door to new ways to automate provisioning of SSL certificates that were not possible before.
You can now request an SSL certificate at DNSimple via Let's Encrypt, and automatically provision or update it using our API v2 and the auto-renewal feature.
Our plan is to continue to improve the integration of Let's Encrypt in our API to allow you to request and deploy a certificate using our API clients or other provisioning tools, such as Chef and our Chef cookbook.
As always, if you have any questions or feedback feel free to let us know via support.