fairlane.systems

SSL/TLS certificates with Let's Encrypt: TLS 1.3, HTTP/3, and auto-renew for SMEs 2026

Free TLS certificates with 90-day validity, auto-renew via Certbot or Caddy, and TLS 1.3 plus HTTP/3 as the 2026 standard.

Researched & fact-checked by: · As of: 2026-05

What are SSL/TLS certificates?

An SSL/TLS certificate is a digital identity document with three jobs: it confirms the identity of a domain to a visitor, it enables an encrypted connection between browser and server, and it guarantees the integrity of the data in transit. The term SSL dates from the 1990s; today's protocols are correctly called TLS - Transport Layer Security. SSL 3.0 and all TLS versions below 1.2 have been classified as insecure for years.

Certificates are issued by a Certificate Authority (CA). Until 2015 every certificate was paid (typically USD 100 to 500 per year for a single-domain certificate, USD 1500+ for EV or wildcard). Let's Encrypt, a non-profit CA, changed that: free, automated certificates for any domain whose control the applicant can prove. As of May 2026 Let's Encrypt has issued more than 400 million active certificates by its own count - the largest single share of all web certificates worldwide.

The Let's Encrypt model has two peculiarities. First, certificates are valid for only 90 days (versus 1 to 3 years at commercial CAs in the past; the CA/Browser Forum also decided in 2025 to set a 47-day maximum for commercial certificates from 2027). Second, renewal must be automated - manual renewal is not practical.

Why it is mandatory

Unencrypted HTTP is no longer operable in 2026. Chrome, Firefox, Safari, and Edge mark HTTP pages as insecure, search engines penalise them in ranking, and browsers warn on every form entry. For an SME that means: no client login, no order, no newsletter subscription, no credibility without HTTPS.

The legal dimension follows. Swiss FADP Art. 8 requires appropriate security according to the state of the art for personal data in processing and transmission. The FDPIC has clarified in its guidelines: TLS 1.2 minimum, TLS 1.3 recommended, no weak cipher suites. GDPR Art. 32 (security of processing) is equivalent. FINMA explicitly requires modern TLS in its circulars for banks and insurers. PCI DSS requires at least TLS 1.2 with forward secrecy for card-processing sites.

The third driver is performance. TLS 1.3 reduces the handshake from two round trips to one, HTTP/2 lets multiple parallel requests share a single TCP connection, and HTTP/3 (QUIC) over UDP eliminates head-of-line blocking - all of which are available only over TLS. An SME website without a modern TLS configuration is noticeably slower than the competition in 2026.

How Let's Encrypt and the TLS handshake work

ACME protocol. Let's Encrypt uses ACME (Automatic Certificate Management Environment, RFC 8555). A client - typically Certbot or Caddy - registers with Let's Encrypt, requests a certificate for a domain, and proves domain control through a challenge. Three challenge types exist:

- HTTP-01: the client places a file under /.well-known/acme-challenge/ on the web server and Let's Encrypt fetches it over HTTP. Works only for single-domain certificates.
- DNS-01: the client sets a TXT record in the domain's DNS and Let's Encrypt verifies it. Also supports wildcard certificates (*.firm.ch).
- TLS-ALPN-01: specialised for reverse proxies, runs on port 443.

On a successful challenge the client creates a Certificate Signing Request, sends it to Let's Encrypt, receives the certificate, and installs it in the web server.

Auto-renew. Certbot, the original client, runs as a cron job or systemd timer every 12 hours and renews certificates with less than 30 days remaining. Caddy is a full web server with built-in ACME - no cron needed. Other ACME clients: acme.sh (shell, lightweight), lego (Go), Traefik (with ACME plugin).

TLS 1.3 handshake. The client (browser) sends ClientHello with supported cipher suites and the desired domain (SNI). The server replies with ServerHello, the certificate, and a signed key share (ECDHE). Client and server compute a shared secret without it crossing the wire (forward secrecy). From the second step on everything is encrypted. Total: one round trip instead of two in TLS 1.2.

Cipher suites. As of May 2026 the Mozilla Modern Profile is the SME standard: only TLS 1.3, with the three cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, and TLS_CHACHA20_POLY1305_SHA256. For legacy-browser support (e.g. an old agency tool): Mozilla Intermediate Profile, which also allows TLS 1.2 with ECDHE-RSA suites. The Mozilla SSL Configuration Generator (ssl-config.mozilla.org) produces ready-to-use nginx, Apache, HAProxy configs.

HSTS and OCSP stapling. HSTS (HTTP Strict Transport Security) is an HTTP header that tells the browser: from now on use HTTPS only for this domain, for X seconds (typically 1 year). Adding to the HSTS preload list (hstspreload.org) strengthens it further. OCSP stapling: the server fetches the OCSP response from the CA (is my cert still valid?) and delivers it inline, so the browser does not have to ask. Faster and more private - May 2026 baseline.

Audit tools. testssl.sh (open source, run locally) and the SSL Labs Server Test (online) are the two standard tools. Target: A or A+ rating at SSL Labs.

TLS setup in 6 steps

  1. Verify domain DNS: A/AAAA records point to the web server; optionally activate the Cloudflare proxy.
  2. Choose an ACME client: Certbot for classic Nginx/Apache, Caddy for greenfield setups with auto-TLS, acme.sh for lightweight Docker containers.
  3. Request the first certificate: certbot --nginx -d firm.ch -d www.firm.ch, or for a wildcard certbot -d '*.firm.ch' --dns-cloudflare --preferred-challenges dns (the asterisk is quoted so the shell does not expand it).
  4. Apply the Nginx/Apache configuration from the Mozilla SSL Configuration Generator (Modern Profile, TLS 1.3 only).
  5. Set the HSTS header: max-age=31536000; includeSubDomains; preload. Only submit to hstspreload.org after 1-2 weeks of stable TLS.
  6. Test with testssl.sh and the SSL Labs Server Test, target A or A+, and verify auto-renew through the systemd timer or cron.
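A small check for step 5, added here as an example (not the page's or any project's code): it parses a Strict-Transport-Security header value and lists what still blocks a hstspreload.org submission, including the page's waiting period, which is passed in as an assumed tls_stable_days count. The three header strings in the usage block are constructed inputs.

```python
# Header value this page recommends in step 5, plus the hstspreload.org
# minimum it encodes. tls_stable_days is an assumed input: how long the site
# has served HTTPS without errors (the page's "1-2 weeks" waiting period).
RECOMMENDED = "max-age=31536000; includeSubDomains; preload"
PRELOAD_MIN_AGE = 31536000  # one year in seconds
MIN_STABLE_DAYS = 7

def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security value into {directive: value or None}.
    Names are case-insensitive (RFC 6797); a repeated directive is an error,
    so it is recorded under the key "_duplicate" for the caller to flag."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        if name in out:
            out["_duplicate"] = name
            continue
        out[name] = val.strip().strip('"') if sep else None
    return out

def check_hsts(value: str, tls_stable_days: int) -> list:
    """Return the reasons the header is NOT ready to submit to hstspreload.org;
    an empty list means it matches step 5 and the waiting period is over."""
    d = parse_hsts(value)
    problems = []
    if "_duplicate" in d:
        problems.append(f"directive {d['_duplicate']} repeated; header is invalid")
    age = d.get("max-age")
    if age is None or not age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(age) < PRELOAD_MIN_AGE:
        problems.append(f"max-age {age} is below the preload minimum {PRELOAD_MIN_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing (required for preload)")
    if "preload" not in d:
        problems.append("preload directive missing")
    if tls_stable_days < MIN_STABLE_DAYS:
        problems.append("TLS not yet stable for 1-2 weeks: submitting now risks lockout")
    return problems

if __name__ == "__main__":
    for hdr in (RECOMMENDED, "max-age=300; includeSubDomains", "max-age=31536000; preload"):
        print(hdr, "->", check_hsts(hdr, tls_stable_days=14) or "ready for preload")
```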

When to use Let's Encrypt

Let's Encrypt is the default choice for almost any public Swiss SME web app. It is free and automated, and auto-renew solves the 90-day issue. More than 95 percent of SME sites are fully covered by Let's Encrypt.

Concrete use cases: the marketing site of a law firm or fiduciary. A client portal with login. An e-commerce platform. Online booking for a medical practice. A Hetzner server with your own apps. Cloudflare Tunnel setups (Cloudflare handles the edge certificate, Let's Encrypt handles the origin-to-Cloudflare leg).

For subdomains: a wildcard certificate (*.firm.ch) with DNS-01 challenge covers all subdomains and simplifies management. Prerequisite: a DNS provider with API support (Cloudflare, Hetzner DNS, deSEC, gandi.net, Hostpoint).

When Let's Encrypt does not fit

Three cases where Let's Encrypt is not the right choice.

First: Extended Validation (EV) certificates that show the company name prominently in the browser (much reduced since 2019 in modern browsers). Let's Encrypt only does Domain Validation. EV is mainly relevant today for regulated banks and large e-commerce brands. Providers: DigiCert, Sectigo, Entrust. Price: USD 200 to 800 per year.

Second: certificates for code signing, email signing (S/MIME), and client certificates for machine authentication. Let's Encrypt only issues TLS server certificates. For S/MIME there is Actalis (free until May 2026 for private persons) or commercial providers. For internal CAs (e.g. ZTNA setups): smallstep CA, HashiCorp Vault PKI, or self-hosted Step-CA.

Third: air-gapped networks without internet access. Let's Encrypt requires external reachability for HTTP-01 or a DNS API for DNS-01. Strictly isolated networks use a private CA.

General pitfalls: auto-renew not configured (the certificate expires after 90 days and the site goes offline). Leaving Mozilla Old Profile cipher suites enabled when no one runs old browsers (weakens security with no gain). Setting HSTS headers too aggressively before TLS is stable (lockout risk: if TLS breaks, the browser refuses to fall back to HTTP until max-age expires).

Trade-offs

STRENGTHS

  • Free and fully automated thanks to the ACME protocol
  • 90-day validity forces auto-renew and reduces the risk of forgotten certificates
  • Supports wildcard certificates via the DNS-01 challenge
  • Identical cryptographic security to commercial CAs

WEAKNESSES

  • Domain Validation only, no EV or OV
  • Requires auto-renew - manual renewal would be due every 90 days
  • Rate limits (50/domain/week) can hurt mass-onboarding scenarios
  • For DNS-01 challenge requires at least an API-capable DNS provider

FAQ

What does Let's Encrypt cost?

Nothing. Let's Encrypt is a non-profit funded by sponsors (Mozilla, Cisco, AWS, Google, and others). No registration fee, no volume limits, no hidden cost. The only limit: rate limits (50 certificates per domain per week, 5 duplicates per domain per week), which in practice never hit SMEs.

Are paid certificates more secure?

No. Cryptographic security is identical - same algorithms (ECDSA/RSA), same key strengths. The difference lies in validation depth (DV/OV/EV), visual browser presentation (barely visible today), CA warranties (liability sums in case of forgery), and support. For technical security, Let's Encrypt yields nothing to commercial providers.

What about ZeroSSL as an alternative?

ZeroSSL also offers free ACME certificates with 90-day validity. Advantage: larger rate limits (no 50-per-domain cap). Disadvantage: commercial operation, with free-tier limits on the number of certificates per account (3 at 90 days, then upgrade pressure). Equivalent to Let's Encrypt for simple setups; for mass operations across many domains the comparison is worth making.

How do I test my site's TLS quality?

Two standard tools. The SSL Labs Server Test (ssllabs.com/ssltest) is the browser version: enter the domain, wait 90 seconds, and get a full report with an A to F rating and concrete recommendations. testssl.sh is the local command-line version (clone its Git repository and run ./testssl.sh firm.ch), which also allows tests against internal hosts and automated audits. SME target: A or A+ at SSL Labs.


Sources

  1. Let's Encrypt - How It Works (Documentation) · 2026-05
  2. Mozilla SSL Configuration Generator · 2026-04
  3. RFC 8555 - Automatic Certificate Management Environment (ACME) · 2019-03
  4. BSI TR-02102-2 Kryptographische Verfahren: Verwendung von TLS · 2026-02
  5. CA/Browser Forum - Ballot SC-081v3 Certificate Lifetime Reduction · 2025-04
