Arstechnica reports
In July of 2017, the nonprofit certificate authority Let's Encrypt promised to deliver something that would put secure websites and Web applications within reach of any Internet user: free "wildcard" certificates to enable secure HTTP connections for entire domains. Today, Let's Encrypt took that promised service live, in addition to a new version of the Automated Certificate Management Environment (ACME) protocol, an interface that can be used by a variety of client software packages to automate verification of certificate requests.
[....]Many hosting providers already support the registration of Let's Encrypt certificates to varying degrees. But Let's Encrypt's free certificate offering hasn't been snapped up by some larger hosting providers—such as GoDaddy—who also sell SSL certificates to their customers.
(Score: 2) by urza9814 on Wednesday March 14 2018, @06:35PM
Yup. I did own a commercial cert before I started using LE. I bought it from the same company where I purchased my domain, which would have made proof of ownership rather redundant...but IIRC they made no attempt to validate anything at all. I'm sure their backend did some check to confirm that the cert and the domain were owned by the same account, but that was probably it.
So perhaps with LE they could get a fake cert by doing a MITM somewhere between your server and LE's...but with a commercial cert they could probably do the same, or MITM your login to the registrar, or phish your account details...so overall the security seems about the same. Also I think once you get LE set up once, as long as you renew before the cert expires, that existing cert will be used to secure the connections when requesting a renewal. So that might help. Not entirely sure though.