How secure is "Let's Encrypt"?

Try "acme-tiny"

There is an alternative "Let's encrypt"-client project called "acme-tiny".

It is less automated, but smaller. In their own words:

This is a tiny, auditable script that you can throw on your server to issue and renew Let's Encrypt certificates. Since it has to be run on your server and have access to your private Let's Encrypt account key, I tried to make it as tiny as possible (currently less than 200 lines). The only prerequisites are python and openssl.

Also: regular client in manual mode.

If you trust the general letsencrypt client, but only want to manually create the CSR, you can follow the steps outlined here:

  • Thomas Pircher, tty1.net, 2015-12-03, Using Let's Encrypt in manual mode (Archived here.)

And the heart of this idea is this line:

letsencrypt certonly \
    --authenticator manual \
    --server https://acme-v01.api.letsencrypt.org/directory --text \
    --email [email protected] \
    --csr signreq.der
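The manual-mode command above expects a DER-encoded CSR, so the key pair and the CSR have to be created on your own host before the client is run. The following script is an added example, not part of the original answer or of the letsencrypt client: it generates a 2048-bit RSA key locally, builds a DER CSR with a SAN entry from it, and verifies the CSR's self-signature and name before you pass it as `--csr signreq.der`. It assumes `openssl(1)` is installed; the domain name, `WORKDIR` and the file names are placeholders. The CSR is built from an inline config file so the example does not depend on the system `openssl.cnf`.

```shell
#!/bin/sh
# Added example: create the private key and a DER CSR locally for manual mode.
# Only signreq.der is ever handed to the ACME client; the key stays on the host.
# Assumptions: openssl(1) is in PATH; DOMAIN/WORKDIR are placeholders.
set -eu

DOMAIN="${DOMAIN:-example.com}"     # assumption: replace with your hostname
WORKDIR="${WORKDIR:-$(mktemp -d)}"  # assumption: scratch directory

# 1. Generate the TLS private key locally (2048-bit RSA) and lock it down.
make_key() {
    openssl genrsa -out "$WORKDIR/$DOMAIN.key" 2048 2>/dev/null
    chmod 600 "$WORKDIR/$DOMAIN.key"
}

# 2. Build a CSR from that key. The client wants DER (-outform DER matches the
#    --csr signreq.der usage); the SAN extension is what browsers validate.
#    A minimal req config is written inline so no system openssl.cnf is needed.
make_csr() {
    cat > "$WORKDIR/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
CN = $DOMAIN
[san]
subjectAltName = DNS:$DOMAIN
EOF
    openssl req -new -key "$WORKDIR/$DOMAIN.key" -config "$WORKDIR/csr.cnf" \
        -outform DER -out "$WORKDIR/signreq.der" 2>/dev/null
}

# 3. Before giving the CSR to the client: check that it parses as DER, that its
#    self-signature verifies (proves it was built with our key), and that it
#    names the expected host. Prints "ok" and returns 0 on success.
check_csr() {
    openssl asn1parse -inform DER -in "$WORKDIR/signreq.der" >/dev/null 2>&1 || return 1
    openssl req -inform DER -in "$WORKDIR/signreq.der" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -inform DER -in "$WORKDIR/signreq.der" -noout -text 2>/dev/null \
        | grep -q "DNS:$DOMAIN" || return 1
    echo ok
}

make_key
make_csr
check_csr   # ok
```

After `check_csr` prints `ok`, `$WORKDIR/signreq.der` is what goes into `--csr`; the `.key` file is the one you later configure in your web server and it never leaves the machine.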

For instance, the procedure never asks you to create a private key; instead they magically create one for you.

I know cryptography is magic, but in this case it is also secure... :-)

Because when using a Let's Encrypt client the key pair is generated locally on your server and not sent to Let's Encrypt servers* - in contrast to some other commercial CAs, which did/do generate the key pair on their own servers. If in doubt, you should check the source of the client you are using.

I'm more worried about security of the certificate and the resulting encryption.

The "resulting encryption" depends entirely on your certificate & ssl/tls configuration and does not depend on the CA you use (= Let's Encrypt). As the official LE client creates 2048-bit certificates, I can say these are secure. Everything else depends on your config.

*There are some exceptions though, but these are very rare. There are some web browser clients, which generate the private key in your browser, but you can easily circumvent this: Use a real (offline) client or e.g. do it manually with https://gethttpsforfree.com/.
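Reading the client's source is one way to confirm the key never left the host; the other is to check the artifact it produced. The script below is an added example, not part of the answer above or of any Let's Encrypt client: it takes a certificate and the private key the client was supposed to use, compares the SHA-256 digest of the DER public key embedded in the certificate with the one derived from the private key, and reads the key size out of the certificate so the 2048-bit claim can be checked rather than assumed. It assumes `openssl(1)`. Because it runs offline, two self-signed certificates built here are constructed stand-ins for CA-issued ones; with a real deployment you would point `cert_matches_key` at the certificate the client wrote and at your own key file.

```shell
#!/bin/sh
# Added example: after issuance, verify that the certificate embeds the public
# half of the key generated on this host, and report the key size.
# Assumptions: openssl(1) is in PATH; paths and names are placeholders.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"  # assumption: scratch directory

# Minimal req config so the self-signed stand-in does not need a system
# openssl.cnf (constructed placeholder name).
cat > "$WORKDIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = example.com
EOF

# SHA-256 over the DER-encoded SubjectPublicKeyInfo, derived from a private key ...
key_pub_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256
}
# ... and extracted from a certificate. Same encoding, so equal keys give equal digests.
cert_pub_fp() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256
}

# Prints "match" if the certificate was issued for this private key and
# "mismatch" otherwise (the key was generated somewhere else, or swapped).
cert_matches_key() {
    if [ "$(cert_pub_fp "$1")" = "$(key_pub_fp "$2")" ]; then echo match; else echo mismatch; fi
}

# Public key size in bits, read from the certificate itself (the thing a
# client actually deployed), not from the client's documentation.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Constructed data: key A with a self-signed certificate for it, and an
# unrelated key B standing in for "a key generated on someone else's server".
openssl genrsa -out "$WORKDIR/a.key" 2048 2>/dev/null
openssl genrsa -out "$WORKDIR/b.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORKDIR/a.key" -config "$WORKDIR/req.cnf" \
    -days 1 -out "$WORKDIR/a.crt" 2>/dev/null

cert_matches_key "$WORKDIR/a.crt" "$WORKDIR/a.key"   # match
cert_matches_key "$WORKDIR/a.crt" "$WORKDIR/b.key"   # mismatch
cert_key_bits "$WORKDIR/a.crt"                       # 2048
```

A "mismatch" on a real deployment means the certificate was not issued for the key you hold, which is exactly the situation a browser-side or CA-side key generator would produce; a size below 2048 means the client's defaults are not what the answer above assumes.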