Let's Encrypt: set up your free SSL certificate
Published on July 3, 2026
Let's Encrypt issues free SSL certificates for https. Learn how it works, how automatic renewal works, and how to set it up in Plesk.
Let's Encrypt is a free, automated certificate authority that lets you secure your website with an SSL certificate. Visitors then reach your site over an encrypted https connection instead of plain http. This article explains what Let's Encrypt is, how free SSL certificates work, how automatic renewal works and how to set it up, including how to do so in Plesk.
What is Let's Encrypt?
Let's Encrypt is a certificate authority, or CA: an organisation that issues digital certificates so a website can offer its visitors an encrypted, trustworthy connection. What makes Let's Encrypt special is that it is entirely free of charge and fully automated.
Let's Encrypt is run by the non-profit ISRG (Internet Security Research Group). The service has been publicly available since 2015 and now secures hundreds of millions of websites. It is funded through donations and sponsorship, not through the sale of certificates.
Let's Encrypt only issues Domain Validated certificates, or DV for short. With a DV certificate, the CA checks that you control the domain, not who you are as an organisation. For almost any website, online shop or web application, that is all you need: a valid padlock and an encrypted connection.
How do free SSL certificates work?
An SSL certificate, technically a TLS certificate, does two things at once. It encrypts the traffic between your visitor's browser and your server, and it confirms that the visitor is genuinely connected to your domain. The browser shows this with a padlock, and the web address starts with https.
The fact that a Let's Encrypt certificate is free says nothing about its quality. The encryption is just as strong as with a paid certificate. The difference lies in what is checked and in extras such as Extended Validation or warranties, not in the security of the connection itself.
It is worth remembering what a DV certificate does not do. It secures the connection, but it is not a seal of approval for the company behind a website. The padlock means the connection is encrypted, not that the website is automatically trustworthy.
How does Let's Encrypt work? The ACME protocol
Let's Encrypt can only be free and work at scale because everything is automated. This is achieved with the ACME protocol (Automatic Certificate Management Environment). ACME is an open standard that lets software request a certificate, complete the validation and install the certificate without any human involvement.
To do this, an ACME client runs on your server. Well-known examples are Certbot and acme.sh, but control panels such as Plesk and cPanel also have an ACME client built in. At LJPc, Plesk handles this for you, so in practice you do not have to install anything yourself.
Domain validation: HTTP-01 and DNS-01
Before Let's Encrypt issues a certificate, you have to prove that you control the domain. This is checked through a validation process, usually in one of these two ways:
- HTTP-01: the ACME client places a unique file at a fixed path on your web server. Let's Encrypt fetches that file to confirm that you control the server. The path looks like this:
http://yourdomain.com/.well-known/acme-challenge/<token>
- DNS-01: you add a temporary TXT record to your DNS, under the name _acme-challenge. This method is required for wildcard certificates and also works when your server is not publicly reachable.
_acme-challenge.yourdomain.com. TXT "<validation-value>"
For HTTP-01 validation, your domain has to point to your server's IP address through an A record. If it does not, Let's Encrypt cannot run the validation and the request fails.
Validity and automatic renewal
A Let's Encrypt certificate is currently valid for 90 days. That short lifetime is a deliberate choice. It limits the damage if a key is ever leaked, and it pushes administrators to automate renewal.
Requesting a new certificate by hand every three months is awkward and error-prone. Renewal should therefore happen automatically. The ACME client regularly checks how many days remain before a certificate expires and renews it well in time, usually once about two-thirds of the lifetime has passed.
Certificate lifetimes will keep getting shorter over the coming years, not only at Let's Encrypt but across the whole industry. Let's Encrypt already offers very short, six-day certificates as well. That only makes automatic renewal more important: once it is set up correctly, you will not notice those shorter lifetimes at all.
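A monitoring check for the renewal rule described above, as an added example (not code from this article or from any ACME client). It reads the dates in the format printed by `openssl x509 -noout -dates`; the certificate dates are constructed, and the 30-day fixed threshold is a hypothetical rule included only to show why it breaks on six-day certificates.

```python
from datetime import datetime, timedelta, timezone

OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"  # as printed by `openssl x509 -noout -dates`

# Constructed sample output for a 90-day and a six-day certificate.
CERT_90 = "notBefore=Jul  3 00:00:00 2026 GMT\nnotAfter=Oct  1 00:00:00 2026 GMT"
CERT_6 = "notBefore=Jul  3 00:00:00 2026 GMT\nnotAfter=Jul  9 00:00:00 2026 GMT"


def parse_dates(openssl_output):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = dict(line.strip().split("=", 1)
                  for line in openssl_output.strip().splitlines())

    def parse(value):
        return datetime.strptime(value, OPENSSL_FMT).replace(tzinfo=timezone.utc)

    return parse(fields["notBefore"]), parse(fields["notAfter"])


def renewal_due_at(not_before, not_after):
    """Moment at which two-thirds of the certificate lifetime has passed."""
    return not_before + (not_after - not_before) * 2 / 3


def status(not_before, not_after, now):
    """'ok' before the two-thirds mark, 'renewal-due' after it, 'expired' at the end."""
    if now >= not_after:
        return "expired"
    if now >= renewal_due_at(not_before, not_after):
        return "renewal-due"
    return "ok"


def fixed_threshold_due(not_after, now, days=30):
    """Hypothetical 'renew N days before expiry' rule, for comparison only."""
    return now >= not_after - timedelta(days=days)


if __name__ == "__main__":
    now = datetime(2026, 9, 10, tzinfo=timezone.utc)
    for name, cert in (("90-day", CERT_90), ("six-day", CERT_6)):
        nb, na = parse_dates(cert)
        print(name, renewal_due_at(nb, na).date(), status(nb, na, now))
```

A certificate that stays in `renewal-due` for more than a day or two means automatic renewal is failing and needs attention before the expiry date.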
Setting up Let's Encrypt in Plesk
LJPc hosting uses the Plesk control panel, which has Let's Encrypt built in. Certificate requests and renewals go through Plesk and largely happen on their own. You need no separate software or in-depth technical knowledge. The exact menu labels can differ slightly between Plesk versions, but the steps come down to the following:
- Log in to Plesk and go to Websites & Domains.
- Choose the domain you want to secure and open SSL/TLS Certificates.
- Choose the option to install a free certificate from Let's Encrypt.
- Indicate what you want to secure, for example, the domain with and without www, and optionally webmail.
- Confirm the request. Plesk handles the validation and installs the certificate.
After installation, your site is reachable over https. Then turn on a redirect from http to https, so visitors always end up on the secure version. In Plesk you can do this with the built-in setting or with the SSL It! extension, which also offers options for HSTS and OCSP stapling.
What happens automatically on LJPc hosting
When SSL is enabled for your domain, a certificate is automatically requested, installed and renewed on time. Before a certificate is issued, the system first checks that your domain points to the correct server through its A record and, for IPv6, its AAAA record. If your domain still points elsewhere, the request will only succeed once this has been corrected.
Wildcard certificate
If you want to secure all your subdomains at once with a single certificate, for example, *.yourdomain.com, you need a wildcard certificate. Let's Encrypt issues these, but only through DNS-01 validation. Plesk needs to be able to manage your DNS for this, or you add the requested TXT record yourself.
Let's Encrypt and the CAA record
With a CAA record, you decide in your DNS which certificate authorities may issue a certificate for your domain. A CAA record is not required, but if you use one, you have to allow Let's Encrypt in it. The value to add for this is letsencrypt.org.
yourdomain.com. CAA 0 issue "letsencrypt.org"
If you have no CAA record, any publicly trusted CA may issue a certificate, including Let's Encrypt, and the request simply works. If your CAA record excludes Let's Encrypt, the request is refused.
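How a CA decides from CAA records whether it may issue, as an added example (not code from this article or from Let's Encrypt). It goes beyond the single record shown above by also covering subdomains, the `issuewild` tag for wildcard requests and the critical flag, following RFC 8659; the zone data is constructed, and CNAME handling and parameters such as `validationmethods` are left out.

```python
# Constructed zone data: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "yourdomain.com": [(0, "issue", "letsencrypt.org")],
    "shop.example": [(0, "issue", "other-ca.example")],
    "locked.example": [(0, "issue", ";")],  # empty issuer: nobody may issue
    "wild.example": [(0, "issue", "letsencrypt.org"),
                     (0, "issuewild", "other-ca.example")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def issuer_of(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'."""
    return value.partition(";")[0].strip().lower()


def relevant_rrset(zone, fqdn):
    """Climb from the name towards the root; the first CAA set found applies."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def may_issue(zone, fqdn, ca="letsencrypt.org"):
    """Return (allowed, reason) for a certificate request for fqdn by ca."""
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True, "no CAA record: any CA may issue"
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, "unknown property marked critical"
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # For wildcard names, issuewild replaces issue when it is present.
    props = issuewild if fqdn.startswith("*.") and issuewild else issue
    if not props:
        return True, "CAA set has no applicable issue property"
    if any(issuer_of(v) == ca for v in props):
        return True, f"{ca} is listed"
    return False, f"{ca} is not listed"


if __name__ == "__main__":
    for name in ("www.yourdomain.com", "shop.example", "*.wild.example"):
        print(name, may_issue(ZONE, name))
```

A record on the parent domain also governs subdomains that have no CAA set of their own, which is why a wildcard or `www` request can be refused by a record you added for the bare domain.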
Common problems
If setting up or renewing gets stuck, it is usually down to one of these causes:
| Problem | Cause | Solution |
|---|---|---|
| Validation fails (HTTP-01) | The domain does not point to the correct server, or the validation file is unreachable. | Check that the A record points to the correct IP address and that the site is reachable over http. |
| Certificate is not renewed | Automatic renewal is failing, for example, because of a changed DNS or A record. | Check that the domain still points to the correct server and that renewal is enabled in Plesk. |
| Request refused | A CAA record does not allow Let's Encrypt. | Add the value letsencrypt.org to your CAA record, or remove the record. |
| Wildcard does not work | A wildcard certificate requires DNS-01 validation. | Let Plesk manage your DNS or add the requested TXT record manually. |
| Browser still shows a warning | The site still loads parts over http (mixed content) or does not redirect to https. | Turn on the redirect to https and load all images and scripts over https. |
Can't work it out, or not sure whether your certificate is set up correctly? Feel free to contact our support team, and we will take a look with you.
Frequently asked questions
Is Let's Encrypt really free?
Yes. Let's Encrypt issues SSL certificates entirely free of charge, with no hidden costs. The service is run by the non-profit ISRG and funded through donations and sponsorship.
How long is a Let's Encrypt certificate valid?
A Let's Encrypt certificate is currently valid for 90 days. Because renewal happens automatically, you do not have to keep track of anything yourself. Lifetimes are getting shorter over the coming years, which makes automatic renewal even more important.
Do I have to renew a Let's Encrypt certificate manually?
No. An ACME client, such as the one in Plesk, renews the certificate automatically well before it expires. Manual renewal is only needed if the automatic renewal fails, for example, because of a DNS error.
What is the difference between Let's Encrypt and a paid SSL certificate?
The encryption is equally strong with both. Let's Encrypt issues Domain Validated certificates, which only check that you control the domain. Paid certificates can also verify your organisation's identity or offer a warranty. For most websites, a free Let's Encrypt certificate is enough.
Does Let's Encrypt support wildcard certificates?
Yes. Let's Encrypt issues wildcard certificates that secure all your subdomains at once. This is only possible through DNS-01 validation, where you place a TXT record in your DNS.
Do I have to change my CAA record for Let's Encrypt?
Only if you use a CAA record. If you have one, add the value letsencrypt.org so that Let's Encrypt is allowed to issue certificates. Without a CAA record, you do not have to do anything, and the request simply works.