Yes! I saw that in the browser console. I don’t know where report it in order to get fixed. I tried to use certbot localy but can’t make it work.
1 Like
No, there haven't been any intentional changes to the CORS policy. We'll investigate. Thanks,
4 Likes
That is always checked by the browsers. Previously that header was in place, with a wildcard as a value, so any origin could pull the API. If that is gone, that effectively disables using the API from the browser.
3 Likes
Ah, thanks. Never checked that.
1 Like
Thank you... I've tried everything today. But always blocked by this issue.
I've tracked the problem down to a configuration cleanup that accidentally disabled CORS policy. I'm working on getting a fix deployed now. Apologies for the disruption and thanks for flagging it!
6 Likes
Thanks 
I have actually even quick-checked boulder repo - that header was still supposed to exist by the look of it (and it’s even included in the tests), so was surprised to see that it is not returned.
2 Likes
Amazing! Let us know when is back please. And thanks!
3 Likes
Hi @mhughe29
I’ve edited your title. So users with the same problem are able to find this topic.
6 Likes
We're working on reverting the problematic change in the staging environment now. That should be done within the next 30 minutes. We'll do the same in the production environment within the next hour and a half or so. I'll update this thread as progress happens.
7 Likes
Yup 
The root cause here was a small configuration tidy-up I made last week: I had spot-checked my work to check the fields weren't being used but I must have made a mistake and failed to see the "allowOrigins" configuration was used by the CORS handling code. We also missed this when deploying a matching configuration cleanup change to staging/prod.
We had unit tests for the CORS header behaviour but because the problem was at the level of the web front end process' configuration and unit tests are performed at a lower layer the regression was missed.
In the process of fixing the example configurations we use for Boulder development/CI I've added a small integration test to make sure my fix had the intended effect (and to hopefully guard against the problem in the future).
Thanks again for flagging the problem.
3 Likes
The fix is in staging now.
3 Likes
sslforfree is working
cert renewed perfectly
Thank you Admin for the quick turnaround. I’ve worked in IT and something like this often would have been postponed by management until maintenance hours. My site cert would have expired by then.
And Thank you to Let’s Encrypt for your site. I appreciate your work.
2 Likes
https://gethttpsforfree.com/ is working now too! Great job @cpu
2 Likes
The fix is now deployed to both production and staging.
Thanks for the confirmations & your patience while we fixed our regression. 
4 Likes
same problem with safari and internet explorer, I tried all except firefox
the same here. Also tried to contact through zerossl contact form but no replies yet
Hi @Lore,
I think @JuergenAuer's suggestions to try different browsers was from before we realized there was a problem on the Let's Encrypt side. That problem is now fixed and you should be able to use ZeroSSL
again now without errors. Can you retry and let us know if you have a different error?
3 Likes
I believe the problem is now resolved - ZeroSSL.com can now retrieve the directory again. But it would be good if the original poster could confirm indeed.
4 Likes
Thanks a lot!!! I will be around to know when it is fixed. Many thanks to all!!!