
> HTTP/2 and HTTP/3 implementations require the use of CA based TLS.

You can't do LetsEncrypt?



You can. You can also continue to use private CAs, which presumably could be used to add more options if something happens to Let’s Encrypt.


Let's Encrypt is still a third-party entity.


From my original comment,

> Just to preempt misunderstanding: HTTPS is great. But HTTPS only, with no option for HTTP is very much worse than HTTP+HTTPS for human people. Despite being great for for-profit companies and institutions.

Using LE is great. It's problematic that literally everyone uses it but it's better than it not existing. But using LE does not solve the problem of not being able to use plain HTTP.


Not for LAN only personal websites.


Dumb question, but how is HTTP important on local, switched networks? I have a single switch and don’t fear local MitM. I was under the impression basic HTTP is mostly fine then. Other parties, even on that same switch, won’t be able to listen in (a network hub would allow this).


Some web features are only available on HTTPS and browsers really discourage users from entering websites with self-signed certificates.

See: https://developer.mozilla.org/en-US/docs/Web/Security/Secure...


I don't get what you're asking. Why is HTTP/S important?? I don't know how to answer that for you. Security is important regardless of where it is at. Defense in depth, at multiple layers. I don't fear MITM on a local only HTTPS server, I might not trust other devices/traffic on my network that scoop up _everything_ it can, and being in plaintext, would expose more than I want. I trust my services and devices. I don't trust everything on the network especially devices that are not mine, or that I have no control over (set top boxes, Roku TVs, Sec Cameras/NVRs, etc). Of course I have other controls and protections in place, but I trust and WANT LOCAL HTTPS on my services in addition to those.


> I don't fear MITM on a local only HTTPS server

> I trust my services and devices

That is exactly the point. You trust your local, possibly dumb (aka unmanaged) switch. It's a little piece of silicon with no funny business going on.

Now if you plug a trusted device A as well as an untrusted device B in, the untrusted device won't see any traffic meant for device A:

https://wiki.wireshark.org/CaptureSetup/Ethernet#switched-et...

Point being: as long as you trust all network devices from a trusted machine to another, on a switched Ethernet network, no other device will see any of that traffic at all, on a fundamental, low OSI level. It's not even about HTTP/S at that point yet. All this is untrue for WiFi, where you will want HTTPS indeed.

I'm not advocating against HTTPS at all. I use it as much as possible. But it might actually not be necessary, locally under the right circumstances.


Why not just self-sign for that? Outside of using it to test configurations or deployments, SSL seems a lot less necessary if it's just inside a LAN and all the clients are known.


Some services don't work without HTTPS or transport security. Sometimes, I want transport security on traffic for various reasons. Current mainstream browsers are also refusing to connect to 'self signed certificate' HTTPS sites because they're 'insecure' and are continually disallowing you, the user, from bypassing these 'protections'.
