Let’s Encrypt and DNSimple

Let’s Encrypt is a certificate authority (CA) that was launched in late 2015 and became an official member of the CA/Browser Forum in 2016. Let’s Encrypt revolutionized the SSL certificate landscape by making certificates free and easily accessible.

What makes Let’s Encrypt different

Let’s Encrypt has three distinguishing characteristics: it is free, automated, and open.

  • Free: Let’s Encrypt SSL certificates are free. They don’t charge per certificate, making SSL encryption accessible to everyone.
  • Automated: Let’s Encrypt’s issuance process is fully automated. They developed an issuance protocol called ACME (Automated Certificate Management Environment) that’s designed to work without manual intervention.
  • Open: The source code of Let’s Encrypt’s certification authority is completely open source and publicly available on GitHub, promoting transparency and community involvement.

Differences between Let’s Encrypt and Sectigo SSL certificates

This table summarizes the most important differences between Let’s Encrypt and Sectigo SSL certificates:

| | Let’s Encrypt | Sectigo |
|---|---|---|
| Certificate Expiration | 90 days | 200 days |
| Single names | Supported | Supported |
| Wildcard names | Supported | Supported |
| Multi-domain (via SAN) | Supported by default | Supported only by specific products |
| Max SAN domains | 100 | Depends on the CA and product |
| Validation type | DV only | DV, OV, EV |
| Cost | Free | Depends on the CA and product |
| Limits | Per-domain, Per-week limits | N/A |

Let’s Encrypt highlights

Let’s Encrypt is different from most traditional CAs. Here are a few notes and limitations to keep in mind before requesting one of their SSL certificates:

  • Let’s Encrypt only issues domain-validated SSL certificates. There is no plan to support OV or EV certificates.
  • Let’s Encrypt provides only one type of certificate: domain-validated certificates that use the Subject Alternative Name (SAN) extension. They support both single-name and wildcard names, and even certificates that protect only one hostname still use the SAN extension.
  • A single Let’s Encrypt certificate can include up to 100 SAN names. Names can be single-name, wildcard names, or both.
  • Let’s Encrypt certificates have a fixed expiration period of 90 days. You cannot request a certificate with a longer expiration. As of March 2026, Sectigo certificates are valid for a maximum of 200 days. For more details, see SSL Certificate Validity Changes (2026 - 2029).
  • Let’s Encrypt certificates are compatible with major browsers and trusted by all major root programs.
  • Let’s Encrypt certificates are domain-validated. The most common validation mechanisms are DNS-based and HTTP-based. They do not support traditional email-based validation.
  • Let’s Encrypt rate-limits requests. Understand their limits before requesting a large number of certificates.

Some Let’s Encrypt capabilities may not be supported by DNSimple. Check the limitations section to learn which capabilities are supported.

DNSimple’s Let’s Encrypt integration

DNSimple integrates with Let’s Encrypt to provide free SSL certificates.

DNSimple automates certificate issuance and renewal, but certificate installation is still completed separately after the certificate is issued.

Requirements for Let’s Encrypt certificates

To request an SSL certificate with Let’s Encrypt through DNSimple, the domain must be delegated to and exclusively resolving with DNSimple. Let’s Encrypt certificates are not compatible with Secondary DNS configurations because DNSimple needs to create DNS records for validation. The domain doesn’t need to be registered with DNSimple, only resolving with it.

Automated validation process

The certificate validation is completely automated using DNS-based challenges. DNSimple automatically creates the required DNS records (ACME challenge records) for validation. Once the certificate is issued, you’ll receive an email and webhook notification. The certificate is then available to download from your DNSimple account.

Note

ACME challenge records (e.g., _acme-challenge.subdomain.example.com) may create Empty Non-Terminals (ENTs) in your DNS zone. If you’re using wildcard records, this may affect DNS resolution for intermediate domain names. Learn more about wildcards and ENTs.
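
The effect described in the note, as an added example (not DNSimple's code): a minimal authoritative lookup that follows the RFC 4592 wildcard rules over a constructed example.com zone, before and after a challenge record for subdomain.example.com is created. The zone contents, addresses, token, and function names are assumptions made for illustration.

```python
# Added example: authoritative lookup with RFC 4592 wildcard rules.
# All zone data below is constructed (192.0.2.0/24 is a documentation range).
ORIGIN = "example.com"

def base_zone():
    return {
        "example.com": {"A": ["192.0.2.1"]},
        "*.example.com": {"A": ["192.0.2.10"]},
    }

def with_challenge(zone, hostname, token="constructed-token"):
    """Copy of the zone plus the TXT record a DNS validation of hostname adds."""
    updated = dict(zone)
    updated["_acme-challenge." + hostname] = {"TXT": [token]}
    return updated

def exists(zone, name):
    """A name exists if it owns records or is an empty non-terminal (ENT),
    meaning some owner name in the zone sits below it."""
    return name in zone or any(o.endswith("." + name) for o in zone)

def ancestors(name):
    """Yield name, then each parent, stopping at the zone origin."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        yield candidate
        if candidate == ORIGIN:
            return

def resolve(zone, qname, qtype):
    """Return (rcode, answers) for a query against the zone."""
    if qname != ORIGIN and not qname.endswith("." + ORIGIN):
        return "REFUSED", []
    if exists(zone, qname):
        # Exact match or ENT: the wildcard is never consulted (NODATA if empty).
        return "NOERROR", zone.get(qname, {}).get(qtype, [])
    # Closest encloser: nearest ancestor that exists, ENTs included.
    encloser = next(a for a in ancestors(qname) if exists(zone, a))
    wildcard = zone.get("*." + encloser)
    if wildcard is None:
        return "NXDOMAIN", []
    return "NOERROR", wildcard.get(qtype, [])

if __name__ == "__main__":
    before = base_zone()
    after = with_challenge(before, "subdomain.example.com")
    for name in ("subdomain.example.com", "www.subdomain.example.com"):
        print(name, resolve(before, name, "A"), "->", resolve(after, name, "A"))
```

Once the challenge record exists, subdomain.example.com returns an empty NOERROR answer instead of the wildcard address, and names beneath it return NXDOMAIN. A challenge record for the apex name does not have this effect, because the apex already exists in the zone.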

Certificate expiration and auto-renewal

Let’s Encrypt certificates expire after 90 days. DNSimple supports automatic renewal for Let’s Encrypt certificates. When auto-renewal is enabled, DNSimple handles the renewal and re-validation process automatically, issuing a replacement certificate before the current one expires.

For details on how auto-renewal works – including when it runs, what happens when it fails, and how it interacts with shorter certificate lifetimes – see How Auto-Renewal Works for SSL Certificates.

Tip

Although Let’s Encrypt certificates can be installed manually, the issuance and renewal process is designed to be automated. You can use the DNSimple certificate API to fetch the certificate and install it programmatically.

DNSimple platform details

Supported capabilities

  • DNS-based validation only: DNSimple supports DNS-based validation for Let’s Encrypt certificates. HTTP or TLS-SNI challenges are not supported.
  • Same-domain SAN: DNSimple supports including multiple names from the same domain in a certificate’s SAN. Names from different domains cannot be included in the same certificate.
  • Automatic CSR generation: DNSimple automatically generates the CSR and private key for Let’s Encrypt certificates. Custom CSRs are not supported.
  • Plan-based options: The ability to customize certificate names and SAN entries depends on your DNSimple plan. Check the plans and pricing page for details.

Limitations

DNSimple does not support all Let’s Encrypt capabilities. Some limitations exist due to design decisions or system constraints:

  • Custom CSRs and private keys are not supported for Let’s Encrypt certificates
  • Only same-domain names (subdomains) can be included in certificate SANs
  • The domain must be resolving with DNSimple for validation to work
  • Let’s Encrypt is not available in DNSimple’s sandbox environment for testing

Have more questions?

If you have additional questions or need any assistance with Let’s Encrypt certificates in DNSimple, just contact support, and we’ll be happy to help.