
This is a reasonable take. Let’s Encrypt is amazing and we don’t want to diminish their importance at all.

We charge for certificates because the infrastructure to make SSL work (even when the certificates themselves are free) is complicated.

Managing certificate creation can be tricky; we have to deal with all kinds of edge cases (like mismatched A and AAAA records breaking validation). We also generate both RSA and ECDSA certificates, have infrastructure for ALPN validation, and a whole setup for DNS challenges.

And then we have to actually use them. We run a global Vault cluster to store certificates securely, and then cache them in memory in each of our router processes.

The developers who use the certificates the most love paying us to manage certs, and one person who posted in the comments here was able to replace an entire Kubernetes cluster they were using to manage certificates for their customers.

When Let’s Encrypt invalidated millions of certificates a few weeks ago, none of our customers even noticed. That’s what they’re paying us for.




Sarah from Let's Encrypt here. We certainly understand the infrastructure and engineering costs associated with managing TLS/SSL. Fly.io has given back for years to help make our work possible and we appreciate that!


This is a great answer and imo should go in your FAQ [0], because charging for Let's Encrypt certs does come off as disingenuous, especially when AWS, Netlify, Zeit, and other services offer to do so for free, despite them having to maintain a PKI, which isn't exactly a walk in the park (like you point out).

[0] You are missing a FAQs page.


Good call. We actually put up a blog post with some answers: https://fly.io/blog/fly-answers-questions/



