82 comments

[ 2.3 ms ] story [ 107 ms ] thread
> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations
Makes sense, they are US company. I am surprised it took them that long.
It is however a reminder that "just use LE" is not a valid response to concerns about protocols/APIs/browsers/etc requiring TLS.
(comment deleted)
Has anyone got any experience with Zero SSL? https://zerossl.com/ It seems like a good EU alternative.
There was some subtle issue with ZeroSSL's implementation of ACME that I ran into with, IIRC, lego and domain certs and there was a ~5 year old lego open issue about it. That was a couple years ago, might be fixed, but my understanding at the time was that it was an issue with Zero's ACME implementation, so there may be dragons.
I use them in some cases to avoid the rate limits on LetsEncrypt, and they have better support for some older platforms (like ancient Android versions), and I'm pretty happy so far. I have a paid account to support them, but it's not a requirement for ACME certs. It works without issue with Kubernetes Certbot, and seamless to switch between ZeroSSL and LetsEncrypt.

I can't comment on the EU part though - not that relevant in my case.

Is this a canary?

What's gonna happen if I were to begin or continue using one letsencrypt certificate from ... Greenland? Cuba? The EU?

Has letsencrypt been served with a subpoena?

Neither Greenland nor the EU has been sanctioned by the US.
> Has letsencrypt been served with a subpoena?

While it's certainly possible that ISRG has been served a subpoena because it appears the US DOJ is now a mix of hacks and incompetent buffoons, it wouldn't matter because the whole point is that they don't know anything - what you told them is literally logged publicly for everybody to see without even knowing how to spell "subpoena" let alone issue one.

Some people have this insane idea that somehow the CA has some secret which either they minted and sent to the CA, or the CA minted and gave them a copy and so the US government could get this secret with a subpoena - but the whole fucking point of a Public Key Infrastructure is that we're using Public Key Encryption, if we were OK with everybody having secrets all over the place this entire thing wouldn't be needed.

> active eavesdropping (e.g., monster-in-the-middle attacks)

is this standard MitM, or is it some crucially distinct variation?

Sanctioned has a double meaning here[1]:

> 2. officially or formally ratified or confirmed.

> 3. penalized, especially by way of discipline or to force compliance with legal obligations.

So who can use lets encrypt? Those that are penalised or those that are confirmed.

[1] https://www.dictionary.com/browse/sanctioned

It took me a minute to understand the original post because the verb sanction means both itself and basically the opposite of itself. It would be better to say "any territory that the US has levied sanctions against". I thought LetsEncrypt had banned its usage in the US! The word for words like sanction is contronym.
Does it mean that russian/iranian web-sites using letsencrypt stop working and need to change their certificate provider?
I hope not. We don't have any alternatives yet.
Depending on how you are supposed to read "You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations." it could mean that you are not even allowed to use LE certificate to provide services to sanctioned entities as a random non-US company/person.
Couldn't LE have a branch in Europe or anywhere outside the USA and its minions?

Because they're betraying their own goals, as stated in their About page: “It is a service run for the public’s benefit. [...] Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. [...] Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.” Now they own they are under the control of a political organization.

Here is the paragraph Let's Encrypt added to their Subscription Agreement on 2026-06-04:

> You are not a person or entity that is:

> (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions;

> (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;

> or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b).

> You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.

completely independent entity would be far better option. Protocol is open after all, just need pointing to different vendor
Let's encrypt is not some code or even a company that you can split into different branches. Their existence is one based on trust relations that let's encrypt has with browsers and operative systems. It is in one part similar to both domain names and IP address space, in that the technical aspects of creating alternative roots is almost trivial in comparison to getting the trust that is required for an alternative root to be accepted by the rest of the world.

Let say someone created an Russian Let's Encrypt. It has all the technical aspects as regular LE in that you can request a certificate and get one through an acme challenge. That is all great and all, but no browser will recognize it as valid. No operative system will recognize it as valid. The Russian state might add the new LE as valid for government computers, but the real work would be to get any other participants in the world to do the same. The issue is not a technical one but rather a social one that is built on trust.

When Russia invaded Ukraine there was a major discussion if IANA/ICANN should have disconnected Russia from domain names and IP addresses. That discussion ended on a decision to not do that because the symbolic benefit was deemed minor compared to the harm to the system in large, especially once the war end. If you got two roots, then a domain name or IP address can now suddenly have two locations, and it would be a massive pain to try fix it even if people wanted to fix it. Certificate Authorities do not share this trait since there can be an almost unlimited number of roots and none of them can conflict with each other (assuming no hash collision). If Russia spins up a new CA then people can use that one today if they want to, and they can continue to do so after the war has ended.

Russia already has its own root CA, the issue is that state-owned root CAs are by definition not safe from MITM attacks by the same government.
It is a lunacy, complete delusion to think that privately owned (by oligarchy) root CA that trusted by every web browser and OS on the planet is somehow superiorly safer from the point of state actor attack than those explicitly state owned root CA. You must be livin in fairyland.
It shouldn't be located in Europe (because, as you said, US minions are no better than the US itself). Instead it should move to a neutral country, somewhere like Singapore or Uruguay.
There are other non-US equivalents to Lets Encrypt.
How are they going to enforce this?
It seems that, as soon as you transact with a sanctioned entity, you are globally in breach of the agreement and risking the revocation of all your certificates — also the ones for non-sanctioned countries.

Front matter:

   - it is called a "Subscriber Agreement" and not anything that suggests that its scope is a single certificate

   - it's a "contract [...] regarding Your [...] rights and duties relating to [...] Certificates" - plural
2.1 "Term":

  - "[the agreement] will remain in force during the entire period during which *any* of Your Certificates are valid" - plural
3.1 "Warranties":

  - "[by] requesting, accepting, or using *a* Let’s Encrypt Certificate" - plural
I said hi to an Iranian today. Lets see if LE revokes my website.
the reach is by rough estimates ~2.5–6 million websites globally, 2–5 million of those in Russia and 0.3-1 million in Iran

Whatever USofA, it's not hard to have their own cosmodrome and certificates.

Tangential, in 2026 website certificates feel like nothing, disposable automation artifact, toxic max-security[1], vehicle for those who rent seek, fingerprint.

[1] https://tom7.org/httpv/httpv.pdf

This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.
> This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.

I think the "digital tyranny" is a side effect, not the main goal. They're "mainly a means" to prevent certain kinds of MITM attacks.

While it seems like certificate authority has the primary control here, the real control lies in browsers and operative systems in which certificate authorities are trusted. Users also have, at least for the moment, control to add or remove certificate authorities, even if that control is slightly less clear for devices like smart phones.

Digital certificates that signs software packages are used to enforce exclusion by some manufacturers. Let's encrypt is not in that space to my knowledge, but it is a place where you the owner do not have the right to determine which certificate authority should be trusted, and generally the only one that is trusted is the manufacturer. Its arguable if we even should be calling such entities a certificate authority, even if they technically are the owner of the root certificate that signs the package.

> the real control lies in browsers and operative systems in which certificate authorities are trusted

Wasn't Let's encrypt a Mozilla child ?

The real control lies at who defines what is trusted.

The entire point of a trust model is to exclude people. That's the stated goal.

If you want encryption without trust, just use self-signed certs.

And now imagine that one of the Trump tantrums contains an announcement of sanctions against the European Union.
He already announced sanctions against Spain. And took them back when Germany announced that sanctions against one EU country meant sanctions against them all.
What in the actual fuck?
This actually makes sense. No freedom for the enemies of freedom.
The uninteresting version of this is “US entity follows US law.”

The interesting version is that Web PKI is not just cryptographic infrastructure. It is also a policy distribution system. A browser trust store, a CA, a subscriber agreement, revocation rules, export controls, and sanctions law all end up in the request path of "can this site speak HTTPS to normal users?"

That does not make Let’s Encrypt uniquely bad. Any CA has some jurisdiction, owners, contracts, root-program obligations, abuse process, and legal exposure. Moving the CA changes the governance surface; it does not remove governance.

But it does mean "just use Let’s Encrypt" is not a neutral answer when protocols, browsers, APIs, app stores, or regulators effectively require TLS. The operational dependency is not only ACME uptime and certificate issuance. It is also jurisdictional continuity.

The hard product question is what failure mode we want:

1. Web PKI: power concentrates in CAs, browsers, and root programs. 2. DANE/DNSSEC: power shifts toward DNS operators, registries, registrars, and governments. 3. Self-signed / TOFU / pinning: power shifts toward application-specific trust and worse UX. 4. Multiple CAs: better resilience, but still bounded by browser trust stores and legal chokepoints.

There is no apolitical trust system here. There are only different control planes with different failure modes.

The practical ask from Let’s Encrypt should be clarity: issuance vs renewal vs revocation, existing certs vs future certs, domain location vs subscriber location, hosting location vs user location, and how they interpret “use” of a certificate. Without that, operators are left guessing whether this is a narrow compliance clause or a broad infrastructure-risk event.

Iran is blocking internet for months, US ...bans creation of secure connections - that'll show 'em!

Russian quasi-government structures are spending quadrillion of rubles on a TSPU (censorship system) to spy on Russian residents, US ...helps them by making snooping on what is currently encrypted traffic possible by banning accessible encryption!

TSPU isn't for spying, it's for censorship enforcement and everything else that makes the experience of using the internet here miserable without a VPN. It's SORM that's for spying. And Roskomnadzor is very much part of the government.
You could look at it equally as the USA saving those citizens because if the authoritarian discover they are using LE they could suffer imprisonment
This is bullshit on par with the Chinese firewall, meant to effectively prevent the (entire!) western world from information by parties deemed persona non-grata. SSL certificates are supposed to be about security, not geopolitics.

I'm pretty sure a LE server hitting an Iranian or North Korean endpoint and validating a crypto challenge does not break any OFAC or EAR rules, and no money changes hands. And if a non-US entity wants to do it, the US would just sanction them. Microsoft and Mozilla are certainly not going to include a North Korean or Russian state CA in the root trusted certs (and if they did, the US government could just threaten them with sanctions, too).

Hard not to say "we warned you" about making self-signed certs completely unusable in favor of a very centralized approach.

Maybe consolidating ~60% of the web's certificates on to a single provider was a mistake.
To be put in perspective with their push for very short live certificates, like 7 days, with the argument that anyone can easily get certificate from at any time.

But in fact, little by little you have all the stacks needed to be able to isolate some entities from internet at the us request in a very short time

Let's Encrypt’s mission is to create a more secure and privacy-respecting web, except for people residing in countries with the most need for a more secure and privacy-respecting web. Sure, that's great.

That said, pretty sure this is stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.

I mean, noone is stopping someone to clone letsencrypt - it shouldn't be very hard.

Google had a similar dilemma - do they want to offer a (censored) service in China, and have a hope of keeping some marketshare, or not (and be kicked out immediately).

In this case though, it seems to be an unforced move by letsencrypt ? Or was it compelled by LEAs?

  to not export SSL technology to enemy countries
sounds like to not export mathematics
This is why, as someone who works in security and encryption and has implemented web server TLS stacks and such, I still oppose the "always-https" idea.

TLS is awesome, one of the most valuable developments in Internet history. But, it is important to undewrstand that it is a double edged sword. Requiring a CA, which in practical terms means requiring a publicly known CA, is a choke point of freedom.

Yeah, let everybody build and use their own services, and then the US will end up having less control and visibility. Great tactics!