
How Free HTTPS Services Work

How Let's Encrypt, Cloudflare, and ACM provide free certificates

Since Let's Encrypt launched in 2015, HTTPS has become essentially free. This article explains how various free HTTPS services work, including automatic issuance via the ACME protocol, Cloudflare's Edge SSL termination, AWS ACM's managed certificates, and the CA trust chain architecture.

Architecture Diagram

CA Trust Chain (Certificate Trust Chain)

  • Root CA: pre-installed in the OS/browser trust store; its private key is kept offline.
    Examples: ISRG Root X1, DigiCert Global Root
      | signs
  • Intermediate CA: issues the actual end-entity certificates, so the Root CA key is never exposed to day-to-day issuance.
    Examples: R3, E1 (Let's Encrypt)
      | issues
  • Server Certificate: bound to the domain name; 90-day validity (Let's Encrypt).
    Example: myapp.com
ACME Protocol Flow (Automatic Certificate Issuance)

  1. New Order: the ACME client (certbot, etc.) → requests a certificate from the ACME server
  2. Authorization: the server presents the domain ownership verification methods (challenges)
  3. Challenge:
       HTTP-01: place the token file at http://domain/.well-known/acme-challenge/
       DNS-01: set the token in the _acme-challenge.domain TXT record
  4. Validate: the ACME server verifies the challenge to confirm domain ownership
  5. Finalize + Download Certificate: submit CSR → certificate issued → install on server
Free HTTPS Service Comparison

                 Let's Encrypt                  Cloudflare               AWS ACM
  Price          Free                           Free (proxy required)    Free (with AWS services)
  Validity       90 days                        Auto-managed             Auto-renew (13 months)
  Wildcard       Supported (DNS-01 required)    Supported                Supported
  Auto-Renewal   certbot cron setup             Fully automatic          Fully automatic
  Installation   Own server                     Cloudflare Edge          ALB / CloudFront
TLS Handshake (Simplified)

  Client ↔ Server
  1. Client Hello (client → server): TLS version, cipher suite list, random value
  2. Server Hello + Certificate (server → client): selected cipher suite, server certificate (with public key)
  3. Key Exchange: ephemeral key exchange (ECDHE) from which both sides derive the session key
  Encrypted Communication: application data is encrypted with the symmetric session key. TLS 1.3 completes the handshake in 1-RTT.
How Does Let's Encrypt Make Money?

Nonprofit: ISRG (Internet Security Research Group)
Founded 2013. Operates 100% on sponsorships and donations with zero certificate sales revenue. Annual budget ~$3.6M (2023).

  • Primary: Corporate Sponsorships (~70%)
    Cisco, Akamai, Google Chrome, Mozilla, Meta, AWS, EFF
    Platinum sponsors $300K+/yr, Gold $150K+, Silver $50K+
  • Donations: Individual/Corporate Donations (~20%)
    Donate directly on the website. Voluntary support from the developer community is significant.
  • Grants: Foundation/Government Grants (~10%)
    Supported by the Ford Foundation, Linux Foundation etc. as internet security infrastructure

Why Do Big Companies Pay?

  • HTTPS adoption → fewer phishing/MITM attacks → safer environment for their own services
  • For Cisco/Akamai: if customers delay HTTPS due to SSL cert costs, it hurts their CDN/security product sales
  • Google Chrome: made HTTPS a search ranking factor → free cert availability is essential
  • $300K/yr is less than 0.001% of big company marketing budgets, yet maintains internet-wide security infrastructure

Key figures:
  • 3.500M+ active certificates
  • ~15 full-time staff
  • $0 per certificate cost
Key Points

  • Thanks to Let's Encrypt, HTTPS became the web standard: 95%+ of web traffic is HTTPS as of 2024
  • DNS-01 challenge is required for wildcard certs and works for internal servers too
  • TLS 1.3 reduces the handshake to 1-RTT and supports 0-RTT resumption (PSK)

How It Works

  1. ACME client (certbot) registers an account and orders a domain certificate from the CA server
  2. CA issues a challenge for domain ownership verification (HTTP-01 or DNS-01)
  3. Client fulfills the challenge (places the token file on the web server or adds a DNS TXT record)
  4. CA verifies and issues a DV certificate (Root CA → Intermediate CA → End-entity chain)
  5. Install the certificate on the web server → the TLS handshake establishes encrypted communication on each client connection
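The HTTP-01 and DNS-01 steps above, and the ACME flow diagram earlier, both depend on one value the page does not spell out: the key authorization the CA expects to find at the challenge URL or in the TXT record. The Python below is an added example, not code from the page, certbot, or Let's Encrypt; ACCOUNT_JWK is a constructed key shape (not a real key) and every token in it is constructed. It computes the RFC 7638 account-key thumbprint, the HTTP-01 response body, the DNS-01 TXT value, and the CA-side comparison, and refuses any token that is not base64url so a token can never be used as a file path that escapes the challenge directory.

```python
import base64, hashlib, hmac, json, re

# RFC 8555 tokens are base64url characters only; enforcing this means a token
# can never be turned into a path that escapes /.well-known/acme-challenge/.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")

# JWK members that enter the RFC 7638 thumbprint, per key type (nothing else).
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed account key for the demo: shaped like a P-256 JWK, NOT a real key.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(b"\x11" * 32), "y": b64url(b"\x22" * 32)}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 of the required members only, keys sorted, no whitespace."""
    canonical = json.dumps({k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def check_token(token: str) -> str:
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("challenge token is not base64url")
    return token


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the client publishes: token || '.' || thumbprint(account key)."""
    return f"{check_token(token)}.{jwk_thumbprint(account_jwk)}"


def http01_path(token: str) -> str:
    """URL path the CA fetches for HTTP-01; the body must be the key authorization."""
    return f"/.well-known/acme-challenge/{check_token(token)}"


def dns01_txt_value(key_auth: str) -> str:
    """DNS-01 publishes base64url(SHA-256(key authorization)) in the TXT record."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def ca_validates_http01(token: str, account_jwk: dict, body: bytes) -> bool:
    """CA side: compare the fetched body (trailing newline tolerated) in constant time."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(expected, body.rstrip(b"\r\n"))
```

The thumbprint ignores members such as kid or use, so the same account key always yields the same key authorization regardless of how the JWK is decorated.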

Pros

  • Completely free: Let's Encrypt, Cloudflare, ACM all provide DV certificates for free
  • Automation: fully automated issuance/renewal via ACME protocol
  • SEO benefit: Google uses HTTPS as a ranking signal
  • Enhanced security: prevents MITM attacks, encrypts data

Cons

  • DV certificate limitations: only verifies domain ownership, not organization identity
  • Let's Encrypt 90-day validity: risk of service disruption if auto-renewal fails
  • Cloudflare dependency: Shared SSL means Cloudflare outage = site outage
  • ACM restrictions: only usable with AWS services (ALB, CloudFront), cannot install directly on EC2

Use Cases

  • HTTPS for personal blogs/portfolio sites (Let's Encrypt + certbot)
  • Automatic SSL management via CDN (Cloudflare Universal SSL)
  • AWS infrastructure SSL integration (ACM + ALB/CloudFront)
  • mTLS (Mutual TLS) authentication between microservices