Let's Encrypt vs. cPanel DV Certificates

Discussion in 'Security' started by sparek-3, Jul 29, 2016.

  1. sparek-3

    sparek-3 Well-Known Member

    Perhaps I'm just not finding the right link that describes this.

    What is the point of Let's Encrypt over cPanel's AutoSSL? Aren't these essentially the same thing?

    Let's Encrypt is just a free domain validated certificate. Isn't cPanel offering the same thing, with cPanel DV SSL Certificates?

    Or am I missing something?

    Granted, Let's Encrypt is for a broader market (you don't have to be using cPanel) but since we're talking cPanel, what's the incentive for offering (or spending time on a Let's Encrypt plugin) Let's Encrypt when cPanel has their own system? Or vice-versa. It seems there are two different products that offer the same thing (at least for us cPanel hosts) so why would I want to offer both? It would just double the headaches.
     
  2. cPanelBenny

    cPanelBenny Community Manager, Development, dog scratcher
    Staff Member

    Hey there! The short version is that Let's Encrypt is a certificate authority, and AutoSSL is a feature of cPanel & WHM. We started building the Marketplace and AutoSSL features a long time ago, and launched them with Comodo support, and will soon add Let's Encrypt support to the feature in the form of a plugin. You can read a bit about that on the blog:

    cPanel & WHM’s AutoSSL | cPanel Blog

    Let me know what other questions you have!
     
  3. sparek-3

    sparek-3 Well-Known Member

    What are cPanel DV Certificates and how are they different from Let's Encrypt certificates?
     
  4. cPanelBenny

    cPanelBenny Community Manager, Development, dog scratcher
    Staff Member

    The certificates currently provided by AutoSSL are signed by Comodo, and that is the only difference between the two.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Yes, as @cPanelBenny mentioned, the free cPanel (powered by Comodo) and the free "Let's Encrypt" certificates both utilize domain validation (DV). The following URL offers more information about domain validation itself if that's the information you are seeking:

    How It Works - Let's Encrypt - Free SSL/TLS Certificates

    Thank you.
     
  6. sparek-3

    sparek-3 Well-Known Member

    I guess my question is, why offer two of the same thing?

    I know Comodo and Let's Encrypt are two different kinds of certificates and I suppose internally they are different (perhaps Comodo offers a greater warranty? Perhaps Comodo is recognized by more browsers?) But for end users, for the most part, a domain validated certificate is a domain validated certificate, never mind who it is signed with.

    I guess I just don't understand the hammering that people have for wanting Let's Encrypt in cPanel, when cPanel is offering their own free secure certificates? Or perhaps cPanel should fold their free certificates and switch entirely to Let's Encrypt.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The ability to issue free DV certificates from Comodo was a project started before support for "Let's Encrypt" was planned. However, there's a large demand for Let's Encrypt from our users. You can monitor the progress on the planned "Let's Encrypt" plugin, and review the comments section to see user-feedback at:

    Provide Support for Let's Encrypt Automated Certificate Management/SSL

    Thank you.
     
  8. sehh

    sehh Well-Known Member

    From what I understand, when Let's Encrypt first appeared, most corporations (certificate authorities) didn't take them seriously and hoped they'd be a failure like CACERT. But once they realized that the whole scam of selling certificates is finally over, they changed their business strategy to offer free certificates to various organizations like cPanel, in the hopes that they won't completely disappear from the face of the earth. Most certificate authorities have gone down that road.

    Certificate authorities are now trying to keep the scam of selling certificates alive, by enforcing their EV certificates, down our throats.

    cPanel has handled this issue admirably, their AutoSSL feature will handle multiple vendors, thus we should be able to choose Let's Encrypt over Comodo in the near future.

    Anyway, rant is over :)



     
  9. sawbuck

    sawbuck Well-Known Member

  10. sehh

    sehh Well-Known Member

    sawbuck,

    I didn't mention their dirty tactics because I was trying to be polite and not make this something personal against Comodo :)

    But you are right, it should be mentioned, because their sinking ship is desperately clutching at anything right now.


     
  11. sparek-3

    sparek-3 Well-Known Member

    So really there's no discernible difference between a Let's Encrypt certificate and a cPanel Comodo Free DV certificate.
     
  12. sehh

    sehh Well-Known Member

    That's right.

    The only difference is the authority signature (Let's Encrypt or Comodo). That's it, there is no other difference (unless you get technical and change the encryption bit rate to something higher, 2048 to 4096, etc).

    Even a self-signed certificate is the same as any other, but the authority signature is your own.
     
  13. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I haven't taken a look at Let's Encrypt, but do note the Comodo certs are 3 month certs, looking at the expire dates in WHM.
     
  14. sparek-3

    sparek-3 Well-Known Member

    Let's Encrypt certificates are 90 days too. I have not checked on cPanel's Comodo certificates, I thought they might be 1 year, giving them a distinct advantage. But if they're 90 days too, then I just really don't see the difference.

    I guess you can just call me stupid, but I just didn't see the point of everyone hammering the mailing list, forums, and feature requests for "When is Let's Encrypt going to be in cPanel?" when cPanel was already working on their own Comodo-based free certificates. I thought maybe there was a reason why there was all this rage about cPanel including Let's Encrypt certificates in users' cPanels. We've been offering Let's Encrypt certificates (not tied to cPanel) for a couple of months now.
     
  15. sehh

    sehh Well-Known Member

    Well, the idea behind Let's Encrypt, is that you can manage your Let's Encrypt account and certificates outside of cPanel, in parallel with cPanel and you can even migrate your certificates.

    Let's Encrypt also uses open protocols and there are tons of open source clients for managing certificates. Overall, there is a greater advantage to using Let's Encrypt over a commercial vendor.

    What is really impressive, is the fact that for DECADES the certificate authorities just pocketed the money and never actually offered anything of value to the user. But now, within the past year, we've seen them scramble to action, announcing this new feature and that new service... they make me smile :)
     
  16. brianjking

    brianjking Active Member

    I think it's really about the buzz of Let's Encrypt and free certs being offered that people are not understanding that the AutoSSL generated certs by Comodo are essentially the same for all intents & purposes.
     
  17. sehh

    sehh Well-Known Member

    So after a few decades, it was a complete accident that the certificate authorities decided to offer certificates for free... just when Let's Encrypt came around? ;)

    If it wasn't for Let's Encrypt, they'd be milking the golden cow for several more decades, I think.
     
  18. sparek-3

    sparek-3 Well-Known Member

    Domain Validated certificates have always been a sham, a way for certificate authorities to make a quick buck without doing anything.

    A domain validated certificate and a self-signed certificate are essentially the same thing. Both provide encryption without trust. When any Tom, Dick, and Harry can get a certificate for a domain name, there's no trust involved. In my opinion, browser developers shot themselves in the foot (probably at the behest of certificate authorities) when they started putting up ugly warning messages about self-signed certificates. In my opinion, they should have gone in the other direction and made less of a fuss over self-signed certificates. This would have accomplished the same thing that Let's Encrypt and other DV certificates are doing, by allowing encryption without trust.

    There are basically two types of certificates. Certificates that encrypt only and certificates that encrypt and trust. WordPress, cPanel logins, etc. they should probably be encrypted to better protect you from network sniffing on public wifi and what not. Does it require trust? Not really. If you're logging into your own WordPress blog on your own site, you probably implicitly trust it. Websites where payment information is being taken up, you want that encrypted as well, you also want to know you are sending that information to a legitimate business, thus EV certificates.

    All certificates from certificate authorities should be and should have always been EV certificates (although we probably wouldn't have called them Extended-Validation certificates if they had always been that way).

    All other certificates could just as well be self-signed.

    The green bar provided by EV certificates is a nice touch. Although I'm not sure browser developers would have had to have gone to that depth. A simple padlock to indicate that a website is using an encrypt only certificate and a different symbol for a website that is using an encrypt and trust certificate would have been sufficient. Then teaching the public (this is the one thing nobody wants to do) that padlock means encrypt only "don't enter payment information here" and green shield means encrypt and trust "OK to enter payment information here." But, hindsight is 20/20. It's amazing what a little foresight can do!
     
  19. sehh

    sehh Well-Known Member

    Very nicely said.

    I'd like to add one more thing. It's also possible to be your own certificate authority and issue your own certificates, by manually trusting your own root certificate. This way you can run your own encrypted connections with trust, but implies that this is for your own devices only (all others would see untrusted certificates).
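
The private-CA setup described in post 19, as an added example that is not part of the thread or of cPanel's tooling: it creates a root, issues a 90-day certificate from it, and verifies that certificate with and without the root trusted. The subject names, the host name `panel.example.test` and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: run a private CA, then compare a device that has imported the
# root with one that has not. Names and lifetimes below are constructed.

make_private_ca() {            # $1 = empty working directory
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Private Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:panel.example.test\n' \
        > "$d/leaf.ext"
    # 1. Self-signed root: the certificate each of your own devices must import.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$d/ca.cnf" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    # 2. Key and signing request for the host (hypothetical name).
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=panel.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    # 3. The root signs the request for 90 days.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 90 -extfile "$d/leaf.ext" \
        -out "$d/leaf.pem" 2>/dev/null || return 1
}

trust_result() {               # $1 = directory, $2 = with-root | without-root
    if [ "$2" = with-root ]; then
        openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
    else
        openssl verify "$1/leaf.pem" >/dev/null 2>&1   # system trust store only
    fi && echo trusted || echo untrusted
}

work=$(mktemp -d)
make_private_ca "$work" || { echo "openssl failed" >&2; exit 1; }
openssl x509 -in "$work/leaf.pem" -noout -issuer -subject -enddate
echo "root imported:     $(trust_result "$work" with-root)"
echo "root not imported: $(trust_result "$work" without-root)"
rm -rf "$work"
```

Importing `root.pem` into a device's trust store is what moves that device from the second result to the first; `root.key` is the file that has to stay private.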
     
  20. rpvw

    rpvw Well-Known Member

    I certainly don't want to rain on anyone's parade, and this incentive from cPanel together with the issues and opinions raised here are all excellent, but I feel someone needs to raise the question of liability!

    If you are directly advising your hosting clients, you may want to take legal advice before recommending these types of certificates as it has some small potential to come back and bite you, drink all your whisky and steal your girlfriend.

    You will find that the Let's Encrypt Subscriber agreement effectively absolves them from any sort of liability at all, and the US Government Amendment is unenforceable outside the US.

    It would seem that Comodo have similar Limitations of Liabilities and waivers.

    I cannot stress enough, if you are in any doubt - talk to a lawyer :eek:
     