From a752ff567222b2eb6b86921921cd03d784b0d638 Mon Sep 17 00:00:00 2001 From: Josh Aas Date: Tue, 5 May 2026 20:51:57 -0400 Subject: [PATCH 1/2] More typo fixes --- content/en/docs/staging-environment.md | 6 +++--- content/en/post/2019-11-20-how-le-runs-ct-logs.md | 4 ++-- content/en/post/2023-01-12-eng-culture-at-ISRG.md | 2 +- content/en/post/2023-12-13-ngos.md | 2 +- content/en/post/2023-12-28-EOY-letter-2023.md | 2 +- content/en/post/2024-05-01-ARI-in-Tailscale.md | 2 +- content/en/post/2025-03-18-community-of-funders.md | 4 ++-- content/en/post/2025-12-09-10-years.md | 2 +- content/en/post/2026-02-05-FOSDEM2026.md | 2 +- content/en/post/2026-04-10-test-sites.md | 2 +- data/clients.json | 2 +- 11 files changed, 15 insertions(+), 15 deletions(-) diff --git a/content/en/docs/staging-environment.md b/content/en/docs/staging-environment.md index ae4766ad4c..12183de6ae 100644 --- a/content/en/docs/staging-environment.md +++ b/content/en/docs/staging-environment.md 
@@ -24,9 +24,9 @@ The staging environment uses the same rate limits as [described for the producti * The **[New Registrations per IPv6 Range](/docs/rate-limits/#new-registrations-per-ipv6-range)** limit is 500 per 3 hours (the same as production). * The **[New Orders per Account](/docs/rate-limits/#new-orders-per-account)** limit is 1500 per 3 hours. * The **[New Certificates per Registered Domain](/docs/rate-limits/#new-certificates-per-registered-domain)** limit is 30000 per second. -* The **[New Certificates per Exact Set of Hostnames](/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames)** limit is 30000 per week. -* The **[Authorization Failures per Hostname per Account](/docs/rate-limits/#authorization-failures-per-hostname-per-account)** limit is 200 per hour. -* The **[Consecutive Authorization Failures per Hostname per Account](/docs/rate-limits/#consecutive-authorization-failures-per-hostname-per-account)** limit is 3600 per 6 hours. +* The **[New Certificates per Exact Set of Identifiers](/docs/rate-limits/#new-certificates-per-exact-set-of-identifiers)** limit is 30000 per week. +* The **[Authorization Failures per Identifier per Account](/docs/rate-limits/#authorization-failures-per-identifier-per-account)** limit is 200 per hour. +* The **[Consecutive Authorization Failures per Identifier per Account](/docs/rate-limits/#consecutive-authorization-failures-per-identifier-per-account)** limit is 3600 per 6 hours. The [Overall Requests Limits](/docs/rate-limits/#overall-requests-limit) are: diff --git a/content/en/post/2019-11-20-how-le-runs-ct-logs.md b/content/en/post/2019-11-20-how-le-runs-ct-logs.md index d251b7edc8..f519ec70ab 100644 --- a/content/en/post/2019-11-20-how-le-runs-ct-logs.md +++ b/content/en/post/2019-11-20-how-le-runs-ct-logs.md 
@@ -43,7 +43,7 @@ Additionally, AWS provides a solid set of features and our team has experience u # Terraform -Let’s Encrypt uses Hashicorp [Terraform](https://www.terraform.io/) for a number of cloud-based projects. We were able to bootstrap our CT log infrastructure by reusing our existing Terraform code. There are roughly 50 components in our CT deployments; including EC2, RDS, EKS, IAM, security groups, and routing. Centrally managing this code allows our small team to reproduce a CT infrastructure in any Amazon region of the globe, prevent configuration drift, and easily test infrastructure changes. +Let’s Encrypt uses Hashicorp [Terraform](https://www.terraform.io/) for a number of cloud-based projects. We were able to bootstrap our CT log infrastructure by reusing our existing Terraform code. There are roughly 50 components in our CT deployments, including EC2, RDS, EKS, IAM, security groups, and routing. Centrally managing this code allows our small team to reproduce a CT infrastructure in any Amazon region of the globe, prevent configuration drift, and easily test infrastructure changes. # Database 
@@ -73,7 +73,7 @@ There are three main CT components that we run in a Kubernetes cluster. The certificate transparency front end, or [CTFE](https://github.com/google/certificate-transparency-go), provides [RFC 6962](https://tools.ietf.org/html/rfc6962) endpoints and translates them to gRPC API requests for the Trillian backend. -[Trillian](https://github.com/google/trillian) describes itself as a “transparent, highly scalable and cryptographically verifiable data store.” Essentially, Trillian implements a generalized verifiable data store via a Merkle tree that can be used as the back-end for a CT log via the CTFE. Trillian consists of two components; the log signer and log server. The [log signer’s function](https://github.com/google/trillian/blob/master/docs/images/LogDesign.png) is to periodically process incoming leaf data (certificates in the case of CT) and incorporate them into a Merkle tree. The log server retrieves objects from a Merkle tree in order to fulfill CT API monitoring requests. +[Trillian](https://github.com/google/trillian) describes itself as a “transparent, highly scalable and cryptographically verifiable data store.” Essentially, Trillian implements a generalized verifiable data store via a Merkle tree that can be used as the back-end for a CT log via the CTFE. Trillian consists of two components: the log signer and log server. The [log signer’s function](https://github.com/google/trillian/blob/master/docs/images/LogDesign.png) is to periodically process incoming leaf data (certificates in the case of CT) and incorporate them into a Merkle tree. The log server retrieves objects from a Merkle tree in order to fulfill CT API monitoring requests. # Load Balancing diff --git a/content/en/post/2023-01-12-eng-culture-at-ISRG.md b/content/en/post/2023-01-12-eng-culture-at-ISRG.md index 84cc842c58..8986e0f5a5 100644 --- a/content/en/post/2023-01-12-eng-culture-at-ISRG.md +++ b/content/en/post/2023-01-12-eng-culture-at-ISRG.md 
@@ -36,7 +36,7 @@ Like all scalable solutions, there is the upfront investment of time and money. While reflecting on our engineering workplace systems and how they came to be, we recognized that many were organically built out of having a remote workplace, autonomous teams, and the driving values of flexibility and inclusion. We will continue to design practices with these things in mind. -All in all, when looked at with a holistic lens, building an engineering workplace culture has several considerations that are similar to those we focus on when designing software systems. The obvious difference is that instead of functions and data, we are dealing with actual people with feelings and ever changing wants and needs. That is why it is important to once again acknowledge that no two workplaces are the same and there are no perfect solutions, but we hope that these few points lead to thoughtful reflection on how organizations can improve their engineer workplace experience. +All in all, when looked at with a holistic lens, building an engineering workplace culture has several considerations that are similar to those we focus on when designing software systems. The obvious difference is that instead of functions and data, we are dealing with actual people with feelings and ever changing wants and needs. That is why it is important to once again acknowledge that no two workplaces are the same and there are no perfect solutions, but we hope that these few points lead to thoughtful reflection on how organizations can improve their engineering workplace experience. If this sounds like a culture you'd like to be a part of, check out our [open jobs](https://www.abetterinternet.org/careers/)! diff --git a/content/en/post/2023-12-13-ngos.md b/content/en/post/2023-12-13-ngos.md index 1d5b27c13d..ffffea30a9 100644 --- a/content/en/post/2023-12-13-ngos.md +++ b/content/en/post/2023-12-13-ngos.md 
@@ -8,7 +8,7 @@ excerpt: "A look at how Let’s Encrypt provides security and privacy to public For more than ten years, we at the nonprofit [Internet Security Research Group (ISRG)](https://www.abetterinternet.org/) have been focused on our mission of building a more secure and privacy-respecting Internet for everyone, everywhere. As we touch on in our [2023 Annual Report](https://www.abetterinternet.org/documents/2023-ISRG-Annual-Report.pdf), we now serve more than 360 million domains with free TLS certificates. -Beyond being a big number, what does that signify? What's the importance of having TLS being widely adopted anyways? We'll take a closer look at these questions through the lens of one group of Subscribers we can relate to particularly well: nonprofits. +Beyond being a big number, what does that signify? What's the importance of having TLS being widely adopted anyway? We'll take a closer look at these questions through the lens of one group of Subscribers we can relate to particularly well: nonprofits. ## Serving .org at Internet scale diff --git a/content/en/post/2023-12-28-EOY-letter-2023.md b/content/en/post/2023-12-28-EOY-letter-2023.md index c76e35a03b..c171c07a04 100644 --- a/content/en/post/2023-12-28-EOY-letter-2023.md +++ b/content/en/post/2023-12-28-EOY-letter-2023.md 
@@ -20,7 +20,7 @@ One of the biggest observations I've made during Josh's absence is that all 23 p [Prossimo](http://memorysafety.org) continues to deliver highly performant and memory safe software and components in a world that is increasingly eager to address the memory safety problem. This was evidenced by participation at [Tectonics](https://tectonics.memorysafety.org/), a gathering we hosted which drew industry leaders for [invigorated conversation](https://www.memorysafety.org/blog/tectonics-recap/). Meanwhile, initiatives like our [memory safe AV1 decoder](https://www.memorysafety.org/initiative/av1/) are in line to replace a C version in Google Chrome. This change would improve security for billions of people. We're grateful to the community that helps to guide and implement our efforts in this area, including Dirkjan Ochtman, the firms Tweede golf and Ferrous Systems, and the maintainers of the many projects we are involved with. -Our newest project, [Divvi Up](http://divviup.org), brought on our first two subscribers in 2023. [Horizontal](https://wearehorizontal.org/index), a small international nonprofit serving Human Rights Defenders, will be [collecting privacy-preserving telemetry metrics](https://divviup.org/blog/horizontal/) about the users of their Tella app, which people use to document human rights violations. Mozilla is using Divvi Up to [gain insight into aspects of user behavior](https://divviup.org/blog/divvi-up-in-firefox/) in the [Firefox ](https://www.mozilla.org/en-US/firefox/new/)browser. It took a combination of focus and determination to get us to a production-ready state and our technical lead, Brandon Pitman played a big role in getting us there. +Our newest project, [Divvi Up](http://divviup.org), brought on our first two subscribers in 2023. 
[Horizontal](https://wearehorizontal.org/index), a small international nonprofit serving Human Rights Defenders, will be [collecting privacy-preserving telemetry metrics](https://divviup.org/blog/horizontal/) about the users of their Tella app, which people use to document human rights violations. Mozilla is using Divvi Up to [gain insight into aspects of user behavior](https://divviup.org/blog/divvi-up-in-firefox/) in the [Firefox ](https://www.mozilla.org/en-US/firefox/new/)browser. It took a combination of focus and determination to get us to a production-ready state and our technical lead, Brandon Pitman, played a big role in getting us there. We hired Kristin Berdan to fill a new role as General Counsel and her impact is already apparent within our organization. She joins Sarah Heil, our CFO, Josh, and me in ISRG leadership. diff --git a/content/en/post/2024-05-01-ARI-in-Tailscale.md b/content/en/post/2024-05-01-ARI-in-Tailscale.md index b5a80de1ef..b85ae9b181 100644 --- a/content/en/post/2024-05-01-ARI-in-Tailscale.md +++ b/content/en/post/2024-05-01-ARI-in-Tailscale.md 
@@ -14,7 +14,7 @@ In total, it took just two Tailscale engineers less than two days to implement A Tailscale noted that ARI was especially useful to add before certificates' validity period starts shortening, as their client software in charge of requesting and renewing certificates is running on user machines. This makes it so they cannot easily update the whole fleet overnight if any issues come up. Thanks to ARI, they've reduced the risk of not rotating certificates for client machines in time, or causing excessive load on Let's Encrypt's infrastructure with overly-eager rotation logic. -One consideration the Tailscale team factored in deciding to adopt ARI was wanting to avoid adding a hard dependency on the Let's Encrypt infrastructure for renewal. To remedy this, Tailscale certificate renewal logic falls back to local time-based check if the ARI endpoint cannot be reached for any reason. +One consideration the Tailscale team factored in deciding to adopt ARI was wanting to avoid adding a hard dependency on the Let's Encrypt infrastructure for renewal. To remedy this, Tailscale certificate renewal logic falls back to a local time-based check if the ARI endpoint cannot be reached for any reason. Tailscale's roadmap for getting ARI in production: diff --git a/content/en/post/2025-03-18-community-of-funders.md b/content/en/post/2025-03-18-community-of-funders.md index 3bebb980d8..b0ca517896 100644 --- a/content/en/post/2025-03-18-community-of-funders.md +++ b/content/en/post/2025-03-18-community-of-funders.md 
@@ -8,7 +8,7 @@ display_support_us_footer: true display_inline_newsletter_embed: false --- -As we touched on in our [first blog post](https://letsencrypt.org/2025/02/14/encryption-for-everybody/) highlighting ten years of Let's Encrypt: Just as remarkable to us as the technical innovations behind proliferating TLS at scale is, so too is the sustained generosity we have benefited from throughout our first decade. +As we touched on in our [first blog post](https://letsencrypt.org/2025/02/14/encryption-for-everybody/) highlighting ten years of Let's Encrypt: Just as remarkable to us as the technical innovations behind proliferating TLS at scale is the sustained generosity we have benefited from throughout our first decade. With that sense of gratitude top of mind, we are proud to announce a contribution of $1,000,000 from Jeff Atwood. Jeff has been a longtime supporter of our work, beginning many years ago with [Discourse](https://www.discourse.org/) providing our community forum pro bono; something Discourse still provides to this day. As best we can tell, our forum has helped hundreds of thousands of people get up and running with Let's Encrypt---an impact that has helped billions of people use an Internet that's more secure and privacy-respecting thanks to widely adopted TLS. 
@@ -31,6 +31,6 @@ We're proud that Jeff not only agrees, but has chosen to support us in such a me Indeed, this contribution is significant because of its scale, but more importantly because of its signal: a signal that supporting the not-so-glamorous but oh-so-nerdy work of encryption at scale matters to the lives of billions of people every day; a signal that supporting free privacy and security afforded by TLS for all of the Internet's five billion users just makes sense. -Ten years ago we set out to build a better Internet through easy to use TLS. If you or your organization have supported us throughout the years, thank you for joining Jeff in believing in the work of Let's Encrypt. For a deeper dive into the impact of Let's Encrypt and ISRG's other projects, take a look at our [most recent annual report](https://www.abetterinternet.org/documents/2024-ISRG-Annual-Report.pdf). +Ten years ago we set out to build a better Internet through easy-to-use TLS. If you or your organization have supported us throughout the years, thank you for joining Jeff in believing in the work of Let's Encrypt. For a deeper dive into the impact of Let's Encrypt and ISRG's other projects, take a look at our [most recent annual report](https://www.abetterinternet.org/documents/2024-ISRG-Annual-Report.pdf). _Let's Encrypt is a project of the nonprofit Internet Security Research Group, a 501(c)(3) nonprofit committed to protecting Internet users by lowering monetary, technological, and informational barriers to a more secure and privacy-respecting Internet. For more, visit [abetterinternet.org](https://abetterinternet.org). Press inquiries can be sent to [press@abetterinternet.org](mailto:press@abetterinternet.org)_ \ No newline at end of file diff --git a/content/en/post/2025-12-09-10-years.md b/content/en/post/2025-12-09-10-years.md index e9b23118a4..1ae639708b 100644 --- a/content/en/post/2025-12-09-10-years.md +++ b/content/en/post/2025-12-09-10-years.md 
@@ -69,7 +69,7 @@ We documented the history, design, and goals of the project in [an academic pape ## Our initial sponsors -Ten years later, I'm still deeply grateful to the five initial sponsors that got Let's Encrypt off the ground - Mozilla, EFF, Cisco, Akamai, and IdenTrust. When they committed significant resources to the project, it was just an ambitious idea. They saw the potential and believed in our team, and because of that we were able to build the service we operate today. +Ten years later, I'm still deeply grateful to the five initial sponsors that got Let's Encrypt off the ground---Mozilla, EFF, Cisco, Akamai, and IdenTrust. When they committed significant resources to the project, it was just an ambitious idea. They saw the potential and believed in our team, and because of that we were able to build the service we operate today. ## IdenTrust: A critical technical partner diff --git a/content/en/post/2026-02-05-FOSDEM2026.md b/content/en/post/2026-02-05-FOSDEM2026.md index 288f67b4a6..3a90cfa893 100644 --- a/content/en/post/2026-02-05-FOSDEM2026.md +++ b/content/en/post/2026-02-05-FOSDEM2026.md 
@@ -16,6 +16,6 @@ In a recent conversation with a Let's Encrypt subscriber, we asked them to guess That is a big part of what makes FOSDEM special. For the last few years, we've had a stand at this annual conference in Belgium, where a few folks from our team have the opportunity to speak directly with thousands of conference-goers. We continue to learn so much from these conversations!  -That's where the "Hello" part of this blog post comes in. At this year's FOSDEM, we met so many Let's Encrypt subscribers, and each of them has a unique relationship to Let's Encrypt. We were pleasantly surprised by how many people told us they were using [IP-address certificates](https://letsencrypt.org/2026/01/15/6day-and-ip-general-availability), a new option we just made generally available in December. We had a lot of conversations about our plans to [shorten certificate lifetimes](https://letsencrypt.org/2025/12/02/from-90-to-45). There were a few folks who asked about S/MIME ([still no plans to do that](https://community.letsencrypt.org/t/s-mime-certificates/153/24)). We invited people to continue to stay in touch by signing up for our [newsletter](https://www.abetterinternet.org/newsletter/).  +That's where the "Hello" part of this blog post comes in. At this year's FOSDEM, we met so many Let's Encrypt subscribers, and each of them has a unique relationship to Let's Encrypt. We were pleasantly surprised by how many people told us they were using [IP-address certificates](https://letsencrypt.org/2026/01/15/6day-and-ip-general-availability), a new option we just made generally available in January. We had a lot of conversations about our plans to [shorten certificate lifetimes](https://letsencrypt.org/2025/12/02/from-90-to-45). There were a few folks who asked about S/MIME ([still no plans to do that](https://community.letsencrypt.org/t/s-mime-certificates/153/24)). 
We invited people to continue to stay in touch by signing up for our [newsletter](https://www.abetterinternet.org/newsletter/).  The most meaningful part of FOSDEM is being able to say "thank you". Our goal in starting Let's Encrypt was to improve security and privacy for people using the Internet, but that could not be achieved without the now millions of folks who decided to get a certificate. Our impact is predicated on this symbiotic exchange. While we were only able to directly express our gratitude to a few thousand people at FOSDEM, it was a reminder of how important the community is. diff --git a/content/en/post/2026-04-10-test-sites.md b/content/en/post/2026-04-10-test-sites.md index 060e831b2c..7713aa1059 100644 --- a/content/en/post/2026-04-10-test-sites.md +++ b/content/en/post/2026-04-10-test-sites.md 
@@ -38,7 +38,7 @@ First and foremost, we need to be able to get certificates. Because we're writin To get a revoked certificate, we request a certificate and then revoke it. That's something we can do with Lego and ACME too: The account which issued a certificate can request it be revoked. We then need a way to check that the certificate is revoked. Certificates contain an HTTP URL pointing to the Certificate Revocation List (CRL) which we poll until our certificate's serial number appears in it. -> Let's Encrypt implements the [ACME standard](https://datatracker.ietf.org/doc/html/rfc8555/), which defines how clients can get certificates. In general, we think ACME clients integrated into webservers are often the best way to get certificates for websites. They can automatically handle challenges, managing and reloading certificates, and overall minimizing the amount of work and reducing problems. +> Let's Encrypt implements the [ACME standard](https://datatracker.ietf.org/doc/html/rfc8555/), which defines how clients can get certificates. In general, we think ACME clients integrated into webservers are often the best way to get certificates for websites. They can automatically handle challenges, manage and reload certificates, and overall minimize the amount of work and reduce problems. We also need a way to wait until a certificate is in the right state. The valid certificate is ready to use right away, but that's not true for the revoked and expired certificates. The revoked certificate needs to wait at least until it appears in a CRL, which can be up to an hour. Expired certificates need to wait even longer: Even if we request the shortest-lived certificates we offer, that's still six days. To handle this, our program stores a "next" certificate instead of immediately overwriting the current one. We wait at least 24 hours for the revoked certificate to make sure any CRL caches or push-based CRL infrastructure have time to process the revocation. 
The expired certificate has to wait until it passes its expiration date. After the program decides a certificate is ready, it replaces the current certificate and passes it off to the webserver. Normal ACME tools don't support this because they can usually start using a certificate as soon as it's obtained. diff --git a/data/clients.json b/data/clients.json index 5a058d85f2..fbd4b9df6c 100644 --- a/data/clients.json +++ b/data/clients.json @@ -912,7 +912,7 @@ { "name": "CertKit", "url": "https://www.certkit.io/", - "comments": "Deployable and SaaS certificate lifecycle management and monotoring", + "comments": "Deployable and SaaS certificate lifecycle management and monitoring", "category": "Server", "challenges": { "HTTP-01": "true", From 60e16fdc9b846cb728cb64eb8150d4c5021de9a9 Mon Sep 17 00:00:00 2001 From: Josh Aas Date: Tue, 5 May 2026 20:59:01 -0400 Subject: [PATCH 2/2] Additional typo fix --- content/en/post/2023-12-28-EOY-letter-2023.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/post/2023-12-28-EOY-letter-2023.md b/content/en/post/2023-12-28-EOY-letter-2023.md index c171c07a04..9a678a97e4 100644 --- a/content/en/post/2023-12-28-EOY-letter-2023.md +++ b/content/en/post/2023-12-28-EOY-letter-2023.md 
@@ -20,7 +20,7 @@ One of the biggest observations I've made during Josh's absence is that all 23 p [Prossimo](http://memorysafety.org) continues to deliver highly performant and memory safe software and components in a world that is increasingly eager to address the memory safety problem. This was evidenced by participation at [Tectonics](https://tectonics.memorysafety.org/), a gathering we hosted which drew industry leaders for [invigorated conversation](https://www.memorysafety.org/blog/tectonics-recap/). Meanwhile, initiatives like our [memory safe AV1 decoder](https://www.memorysafety.org/initiative/av1/) are in line to replace a C version in Google Chrome. This change would improve security for billions of people. We're grateful to the community that helps to guide and implement our efforts in this area, including Dirkjan Ochtman, the firms Tweede golf and Ferrous Systems, and the maintainers of the many projects we are involved with. -Our newest project, [Divvi Up](http://divviup.org), brought on our first two subscribers in 2023. [Horizontal](https://wearehorizontal.org/index), a small international nonprofit serving Human Rights Defenders, will be [collecting privacy-preserving telemetry metrics](https://divviup.org/blog/horizontal/) about the users of their Tella app, which people use to document human rights violations. Mozilla is using Divvi Up to [gain insight into aspects of user behavior](https://divviup.org/blog/divvi-up-in-firefox/) in the [Firefox ](https://www.mozilla.org/en-US/firefox/new/)browser. It took a combination of focus and determination to get us to a production-ready state and our technical lead, Brandon Pitman, played a big role in getting us there. +Our newest project, [Divvi Up](http://divviup.org), brought on our first two subscribers in 2023. 
[Horizontal](https://wearehorizontal.org/index), a small international nonprofit serving Human Rights Defenders, will be [collecting privacy-preserving telemetry metrics](https://divviup.org/blog/horizontal/) about the users of their Tella app, which people use to document human rights violations. Mozilla is using Divvi Up to [gain insight into aspects of user behavior](https://divviup.org/blog/divvi-up-in-firefox/) in the [Firefox](https://www.mozilla.org/en-US/firefox/new/) browser. It took a combination of focus and determination to get us to a production-ready state and our technical lead, Brandon Pitman, played a big role in getting us there. We hired Kristin Berdan to fill a new role as General Counsel and her impact is already apparent within our organization. She joins Sarah Heil, our CFO, Josh, and me in ISRG leadership.
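Review bot: In content/en/docs/staging-environment.md, the three changed bullets rename the link fragments as well as the link text (for example `#new-certificates-per-exact-set-of-hostnames` becomes `#new-certificates-per-exact-set-of-identifiers`), which is a link-target change rather than a typo fix. Please confirm that the headings in /docs/rate-limits/ produce the new `identifiers` / `identifier` ids, since a fragment that does not match lands the reader at the top of the page without any error. A line in the commit body noting the Hostname to Identifier rename would make this visible under the "More typo fixes" subject.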
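Review bot: In the Terraform hunk of content/en/post/2019-11-20-how-le-runs-ct-logs.md, the rewritten line still spells the vendor "Hashicorp"; the company writes its name "HashiCorp". Since the line is already being touched for the semicolon, the capitalization can be corrected in the same change.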
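Review bot: In the Trillian hunk of content/en/post/2019-11-20-how-le-runs-ct-logs.md, the changed line keeps "back-end for a CT log" while the unchanged context line directly above it says "Trillian backend". Suggest settling on one spelling within the section while this paragraph is being edited.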
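Review bot: In content/en/post/2023-01-12-eng-culture-at-ISRG.md, the rewritten line still reads "ever changing wants and needs"; as a compound modifier before the noun this should be "ever-changing". It sits in the same sentence as the "engineer" to "engineering" fix, so it fits this commit.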
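Review bot: In the first hunk of content/en/post/2025-03-18-community-of-funders.md, the context line two below the change has "providing our community forum pro bono; something Discourse still provides to this day", which is the same semicolon misuse this patch corrects in how-le-runs-ct-logs.md. A comma or a dash in the `---` style the post already uses would be consistent with those fixes.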
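Review bot: In the second hunk of content/en/post/2025-03-18-community-of-funders.md, the trailing marker "\ No newline at end of file" shows the file still ends without a final newline. Since the file is being edited anyway, adding the newline here avoids a spurious last-line diff the next time the closing paragraph changes.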
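Review bot: In content/en/post/2026-02-05-FOSDEM2026.md, changing "generally available in December" to "generally available in January" is a factual correction, not a typo, and should be called out in the commit message. The new text does agree with the link on the same line, whose path is /2026/01/15/6day-and-ip-general-availability, so the correction itself looks right.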
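Review bot: PATCH 2/2 rewrites the same line of content/en/post/2023-12-28-EOY-letter-2023.md that PATCH 1/2 already changes, moving the stray space out of `[Firefox ](https://www.mozilla.org/en-US/firefox/new/)browser`. Suggest squashing it into 1/2 so the line is changed once and the history does not carry an intermediate version with the broken link spacing.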