Article Issue #5236

Let’s Encrypt


Let’s Encrypt is a nonprofit certificate authority operated by the Internet Security Research Group (ISRG) that provides free, domain-validated TLS certificates via an automated protocol called ACME (Automated Certificate Management Environment). Since launching in 2015, it has become the largest CA by issuance volume, having issued certificates for hundreds of millions of domains. Its existence eliminated the primary cost barrier to HTTPS adoption and is the reason nearly all self-hosted web services can run HTTPS without paying for certificates.

How it works

The ACME client on the server requests a certificate by proving control of the domain through one of two challenge types: HTTP-01 (placing a file at a well-known URL on the domain) or DNS-01 (creating a specific TXT record in the domain’s DNS zone). Let’s Encrypt’s servers verify the proof, and if valid, sign a certificate with a 90-day validity period. ACME clients (Certbot, acme.sh, or the built-in ACME support in Caddy/Traefik) automate renewal approximately 30 days before expiration. The 90-day certificate lifetime is intentional, encouraging automation and limiting the exposure window for compromised certificates.
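The two challenge responses described above, worked through with the standard library as an added example (this is not code from Let's Encrypt, Certbot or any other ACME client); the account key, token and domain are constructed samples, and the derivations follow RFC 7638 (key thumbprint) and RFC 8555 (key authorization, HTTP-01 body, DNS-01 TXT value):

```python
import base64
import hashlib
import json
import re

# Required JWK members per key type, in the lexicographic order RFC 7638 hashes them.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

# ACME tokens are unpadded base64url (RFC 8555 section 8.3); validate before the
# token is written into a URL path or a DNS record.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample account key and token (not a real key, not a real challenge).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate-not-a-real-key-00000",
              "y": "constructed-y-coordinate-not-a-real-key-00000"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_valid_token(token: str) -> bool:
    return bool(_TOKEN_RE.match(token))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only, sorted, with no whitespace (RFC 7638)."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: the proof both challenge types are built from (RFC 8555 8.1)."""
    if not is_valid_token(token):
        raise ValueError("ACME token is not unpadded base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """Path the CA fetches and the exact body it must receive (RFC 8555 section 8.3)."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """TXT record name and value: base64url(SHA-256(key authorization)) (RFC 8555 8.4)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)
```

The thumbprint ignores optional members such as `alg` or `use`, so two JWK encodings of the same public key always yield the same key authorization, which is why a CA can verify the response without seeing the client's exact JWK serialization.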

Key facts

  • Rate limits: 50 certificates per registered domain per week, and 5 failed validation attempts per account per hour
  • Staging environment: letsencrypt.org provides a staging CA for testing ACME integrations without consuming production rate limits
  • ZeroSSL alternative: ZeroSSL offers another free ACME-compatible CA that serves as a redundancy option if Let’s Encrypt is unreachable

For builders

Let’s Encrypt integrations in Caddy and Traefik work automatically with no configuration beyond specifying an email address for expiry notifications. The main operational concern for self-hosters is rate limits: developing and testing ACME provisioning should always target the Let’s Encrypt staging environment to avoid exhausting production rate limits. Services accessible only via Tailscale or Cloudflare Tunnel (not directly on the public internet) typically use Cloudflare’s certificate provisioning or a self-signed CA instead.
