Vote Charlie!

Goodbye StartCom, hello Let’s Encrypt

Posted at age 28.

A few weeks ago, when configuring my server to host my mom’s new business website, I finally looked into Let’s Encrypt and decided to go with it. The service provides an automated way to install and update SSL certificates for HTTPS website hosting. Previously I had been using the free-ish certificates from StartCom.

I’ve had many hassles in the past with the validation requirements of StartCom. Particularly, they love to demand a phone bill with your address, but I had been on a family plan years ago, and then moved to a prepaid month by month plan with T-Mobile. I therefore have no phone bill with my address. I also don’t have utilities, since I rent a room but not an entire apartment.

With Let’s Encrypt, I no longer have to deal with that validation nonsense, though I also don’t get certificates with my name embedded in them. I’m not sure this matters anyway, and the automatic renewal feature would be worth it. The certificates are good for only 90 days, versus the one or two years with StartCom depending on how much I paid for validation, but this shouldn’t matter much if they renew automatically.

Since my Apache setup is pretty customized, I didn’t use the Apache module they provide, but rather just use their utility to update the certificate files without touching my web server. I just needed to add a simple cron job to keep things updated:

0 12 7 * * /opt/certbot-auto renew --non-interactive --text -vvv

It’s been working well.
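How much slack a once-a-month schedule leaves on a 90-day certificate, as an added example (not code from this post or from certbot). It assumes `renew` only replaces a certificate with fewer than 30 days left (certbot's default) and that each renewal yields a fresh 90-day certificate at run time; the issue date is constructed.

```python
from datetime import datetime, timedelta

CERT_LIFETIME = timedelta(days=90)  # validity period stated in the post
RENEW_WINDOW = timedelta(days=30)   # assumption: certbot's default renewal window

def monthly_runs(start, count, day=7, hour=12):
    """Firing times of the cron spec '0 12 7 * *' at or after `start`."""
    year, month = start.year, start.month
    while count > 0:
        run = datetime(year, month, day, hour)
        if run >= start:
            yield run
            count -= 1
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)

def daily_runs(start, count, hour=12):
    """Firing times of a once-a-day job ('0 12 * * *') at or after `start`."""
    first = start.replace(hour=hour, minute=0, second=0, microsecond=0)
    if first < start:
        first += timedelta(days=1)
    return [first + timedelta(days=i) for i in range(count)]

def simulate(issued, runs):
    """Return (run_time, validity_left) for every run that renews.
    A negative validity_left means the site served an expired certificate."""
    expires = issued + CERT_LIFETIME
    events = []
    for run in runs:
        remaining = expires - run
        if remaining < RENEW_WINDOW:      # otherwise the run is a no-op
            events.append((run, remaining))
            expires = run + CERT_LIFETIME
    return events

def worst_margin(issued, runs):
    """Smallest validity left at any renewal over the simulated period."""
    return min(margin for _, margin in simulate(issued, runs))

# Constructed sample: first certificate obtained by hand on 8 May 2016, 18:00.
ISSUED = datetime(2016, 5, 8, 18, 0)

if __name__ == "__main__":
    print("monthly:", worst_margin(ISSUED, monthly_runs(ISSUED, 24)))
    print("daily:  ", worst_margin(ISSUED, daily_runs(ISSUED, 600)))
```

In this model the monthly job skips the July run with 30 days 6 hours left and the certificate has lapsed by the August run, while a daily job never drops below 29 days.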

This past week, I received an email from StartCom about their own competing tools. I would have used them if Let’s Encrypt didn’t exist, but I don’t see the benefit in sticking with StartCom now. Maybe if I needed EV “green bar” certificates, but for a personal website that would seem excessive, if I could even find a provider who wouldn’t require me to register my website as a business in order to comply with the paperwork.

For the record, here’s the email from No-Reply@startssl.com with subject “StartCom launches a new service - StartEncrypt, Tue, 14 Jun 2016 07:09:32 GMT”:

Dear StartCom customers,

This electronic mail message was created by StartCom’s Administration Personnel:

StartCom, a leading global Certificate Authority (CA) and provider of trusted identity and authentication services, announces a new service – StartEncrypt today, an automatic SSL certificate issuance and installation software for your web server.

StartEncrypt is based the StartAPI system to let you get SSL certificate and install the SSL certificate in your web server for free and automatically, no any coding, just one click to install it in your server.

Compare with Let’s Encrypt, StartEncrypt support Windows and Linux server for most popular web server software, and have many incomparable advantages as:

(1) Not just get the SSL certificate automatically, but install it automatically;

(2) Not just Encrypted, but also identity validated to display EV Green Bar and OV organization name in the certificate;

(3) Not just 90 days period certificate, but up to 39 months, more than 1180 days;

(4) Not just low assurance DV SSL certificate, but also high assurance OV SSL certificate and green bar EV SSL certificate;

(5) Not just for one domain, but up to 120 domains with wildcard support;

(6) All OV SSL certificate and EV SSL certificate are free, just make sure your StartSSL account is verified as Class 3 or Class 4 identity.

StartEncrypt together with StartSSL to let your website start to https without any pain, to let your website keep green bar that give more confident to your online customer and bring to online revenue to you. Let’s start to encrypt now.

Please do not reply to this email. This is an unmonitored email address, and replies to this email cannot be responded to or read. If you have any question or comments, just click Here (https://startssl.com/reply) to send your question to us, thanks.

Best Regards StartCom™ Certification Authority

The topic was posted on Hacker News, where others pointed out the continued deceptive marketing on StartCom’s part claiming free certificates but not making clear you need to pay for validations first. One user had another good point:

While I appreciate their efforts, it would be nice to see the CAs offer a consistent API for usage/automation… it’s really something that should be a bit more commoditized than it currently is.