
vipin93

Is it OK to use LetsEncrypt free SSL?

I have made a web app for my startup, a SaaS app, and I'm using free Let's Encrypt (due to money problems). So is it OK if I'm using free SSL? I'll switch to paid if I get a customer. So my question is: is it safe to use free SSL? Thanks.

0 likes
15 replies
bashy

Nothing wrong with Let's Encrypt but with them you don't get any warranty like paid ones.

What type of stuff do you have on your SaaS app? Payment taken via your server? Just login/register and company details?

If you DO need one, take a look here, they're so cheap... https://www.ssls.com

2 likes
vipin93

@bashy No, I don't take payment via my server; they will just log in and see stuff.

Snapey

I don't think you can have wildcard URLs yet, so as long as you don't need that, Let's Encrypt is great.

On Ubuntu, I use certbot to maintain the certificate https://certbot.eff.org

vipin93

@Snapey Yes, I don't have a wildcard URL and I'm also using certbot to maintain my certificate.

J5Dev

The thing to remember with certificates, is that the security comes from the encryption, not whether it was paid for and supplied.

I could have a self-generated certificate that is more secure than one costing thousands, purely because when I create it I do so with 4096-bit encryption, instead of the current base default of 20148.

What buying a certificate does do (depending on the level you buy) is provide additional benefits, such as @bashy mentioned around a warranty.

You can also go crazy and spend thousands on one, where the supplier will check your company's authenticity, credit status, history etc. In return you get a 'better' representation of your security (full green bars anyone, lol).

Even an expired certificate, in theory, is just as secure as an expired one, as it is still encrypting the request.... (Disclaimer, depending on how expired and the encryption used to generate it).

So to answer your question, yes, LetsEncrypt certs are fine for security, but if you want a visible 'status' of your security, be prepared to splash out a few hundred ££

vipin93

Yeah, I think so, it's all about warranty. But if I'm using free SSL, it's a common perception in users' minds that we are not concerned about security because we did not spend some $$ on a certificate. In simple words, if something is free then it's not good.

J5Dev

And sadly, that's the end result of good commercial strategies by those who sell the certificates... (and a handful of others involved in the web.. cough Google cough)

Teach the public that only the big nice ones are secure, then companies will have to buy them instead of creating them ;)

Actually had this with a client a few years back, who was insisting on a £1400 Verisign (now Symantec), for his simple internal doc system, as it was definitely going to be more secure than the self-signed one we created!

We showed him the facts, he argued, we tried to convince him some more, he got nasty.... we gave up and charged him way over the odds to install it, as it was 'big and complicated' lol, can't teach some people.

Snapey

When it comes down to it, there are only two options; EV Cert or non-EV cert. The difference is in the green verification colour etc.

This EV only means that it is owned by the business mentioned in the certificate and not many users actually appreciate the difference.

Of the non-EV certs, it's impossible for most people to even see who the certificate was issued by. In Chrome you can only find this out by going into developer tools.

So, the only question in terms of how much to spend is, do you need to prove you are who you say you are.... which is fine for banks.

Everything else is marketing hype.

1 like
vipin93

I am comparing SSL prices from different websites and I see the price is very different on some websites. For a combo, some websites provide it for only 5$, some for 10$, so why is it different? When buying SSL, what should I compare?

J5Dev

Seconded, if security is your only concern (it should be), then LetsEncrypt is more than adequate.

Thyrosis

The problem with LetsEncrypt is that it will most likely fall out of grace relatively soon. That means LetsEncrypt certificates will also generate the 'Untrusted site, are you sure you want to continue'-warning just like a self-signed one, which won't defeat the purpose of the certificate, but will make public perception rule against you.

There are a few reasons for this, but in a nutshell: paid certificates involve some kind of human interaction or extended validations. Even for the simple Comodo Essential certificates, Comodo runs the requested certificate through a set of validation rules and denies the application if it doesn't pass the tests.

Now, for LetsEncrypt, there are no such checks. You want a certificate? Sure, here you go. You want it for www.paypal.com.somerandomstring.com? Sure, here you go. The ease with which phishing sites are now 'secured' is astonishing.

The problem lies in the public perception. The site is SSL-secured, therefore the site is to be trusted. And because us smart cookies need to protect the easily persuaded part of the population that doesn't really have in-depth knowledge of this stuff, before long Mozilla and Google will start handing out warnings.

Snapey

> The ease with which phishing sites are now 'secured' is astonishing.

Let's Encrypt changes nothing. All that is required to get an SSL certificate is to prove you own the domain. The issue of trust and implied 'reputation' is a non-argument.

The real issue is that the certificates are free so there is no cost impediment to registering a bunch of domains and creating SSL certificates for them.

1 like
celienboillat

Let's Encrypt is enough for the majority of projects. Remember that a paid SSL certificate is justified only in a few select cases when it adds value to the project.

jjudge

Don't fret about it. Just use it from the start for all your pages. If a site needs more for any kind of verification reasons, then deal with that when it is needed. For now, just encrypt all connections, and what better way to do that than with a free SSL provider that, TBH, is respected greatly for what it has done for the industry.
