How do you use Certbot with FreeSSL.org?

I'm using Certbot 1.21.0 and attempting to get a certificate from FreeSSL but they don't provide EAB (that I am aware of) so I am unsure how I need to authenticate with them. There are various mentions on this forum that they support ACME v2 and on their own website however the only documentation provided is for a REST API that requires the X-Auth-AccessKey and X-Auth-Username headers be set, which would require me writing a Certbot plugin to do this.

I feel like I am missing something obvious here, how do I use Certbot with FreeSSL?

1 Like

Certbot can't work with the REST API, it requires an ACME endpoint.

If the FreeSSL site doesn't offer that information, I think the quickest way is probably to ask them directly.

By the way (and offtopic), I'm not sure if I'd trust a company which places a label for Thailand in the geographic location of Spain (almost every label is placed incorrectly..):

:scream:

7 Likes
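An added example, not written by any poster in this thread: Certbot's `--server` option needs the URL of an ACME v2 directory object (RFC 8555, section 7.1.1), so fetching the URL a CA gives you and inspecting the body shows whether it is an ACME endpoint at all and whether it demands EAB. The function name, the sample bodies and the `example.test` URLs are constructed for illustration.

```python
import json

# Resource URLs an ACME v2 client needs from the directory object in order to
# register an account and place an order (RFC 8555, section 7.1.1).
REQUIRED_KEYS = ("newNonce", "newAccount", "newOrder")


def inspect_acme_directory(body):
    """Classify the response body returned by a candidate directory URL."""
    result = {"is_acme": False, "eab_required": False, "missing": list(REQUIRED_KEYS)}
    try:
        doc = json.loads(body)
    except ValueError:  # HTML landing page, PDF, empty body, ...
        return result
    if not isinstance(doc, dict):
        return result
    result["missing"] = [
        key for key in REQUIRED_KEYS
        if not (isinstance(doc.get(key), str) and doc[key].startswith("https://"))
    ]
    result["is_acme"] = not result["missing"]
    meta = doc.get("meta")
    if result["is_acme"] and isinstance(meta, dict):
        # true here means every newAccount request must carry an
        # externalAccountBinding (EAB) issued by the CA.
        result["eab_required"] = meta.get("externalAccountRequired") is True
    return result


# Constructed sample bodies (not captured from any real CA).
_BASE = "https://acme.example.test/"
_DIRECTORY = {key: _BASE + key for key in REQUIRED_KEYS}
ACME_WITH_EAB = json.dumps({**_DIRECTORY, "meta": {"externalAccountRequired": True}})
ACME_NO_EAB = json.dumps({**_DIRECTORY, "meta": {"website": "https://example.test"}})
REST_API_ERROR = json.dumps({"error": "missing X-Auth-AccessKey header"})
HTML_PAGE = "<!doctype html><html><body>Sign up</body></html>"

if __name__ == "__main__":
    samples = {"acme+eab": ACME_WITH_EAB, "acme": ACME_NO_EAB,
               "rest-api": REST_API_ERROR, "html": HTML_PAGE}
    for name, body in samples.items():
        print(name, inspect_acme_directory(body))
```

When `eab_required` is true, Certbot has to be given the CA-issued credentials with `--eab-kid` and `--eab-hmac-key`; a body that fails the check cannot be used with `--server` at all.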

Makes me wonder how they meet this section:

  1. COMPLIANCE AUDIT AND OTHER ASSESSMENTS

From:

Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates
Version 1.8.0
Copyright 2021 CA/Browser Forum

One can find Baseline Requirements Documents (SSL/TLS Server Certificates) here.

Like where would the Thailand CSR have to come from? :rofl:
Got to get the GPS coordinates correct as well as its IP address.

4 Likes

One correct out of seven isn't too bad, is it? :rofl:

5 Likes

That's just the TOR exit node - ROFLMAO

5 Likes

I did notice the map and some obvious spelling mistakes; lack of documentation without a paid plan and what not but was hopeful it was just poor website design or something. It seems they are running a dubious product given they claim ACME client compatibility but their documentation -- which is only available on a paid plan -- is just a PDF of a REST API. It doesn't contain the text "ACME" or anything within it. I've contacted support (with no reply) via the landing page popup which is the only option but at this point I'm ready to just call it quits with them.

The reason I tried them out was because Let's Encrypt has a limit (as they should) on cert issuance volume per week which I need to exceed; ZeroSSL is alright but they have constant 504 gateway issues for days or weeks at a time which render the service unusable and their own support team is aware of this issue but in their words they do not know what is causing it so that's a vote of no confidence in running a service, in my opinion.

Is anyone else aware of a provider with a paid tier that isn't ludicrous and that is reliable? There are many paid certificate providers out there but you know they charge $100 per certificate and the like. BuyPass which is like Let's Encrypt, and ZeroSSL might have an offering coming out in January next year but failing that I don't know of any other option apart from becoming a CA ourselves which is... well a very heavy handed solution I think.

3 Likes

Another option is to ask for an exemption of the Let's Encrypt rate limits. That does take a few weeks to process, but might be an option.

6 Likes

Could you elaborate a bit on that, please? For how many new domain names do you want to generate certificates per week?

6 Likes

Can give this avenue another pop, tried it before but no response as far as I was aware.

1 Like

Over the span of production, staging, and development in the order of hundreds per week. We cannot use wildcards for security reasons.

2 Likes

btw it looks like freessl.com (site and domain's whois say this is something digicert) and freessl.org are different entities: which of them is this thread talking about?

5 Likes

I believe that the domain names are generated, there are so many. Have you thought about a pool of names that you can reuse later on? Also, you may want to have different base domain names for those environments. For example: example-devl.com, example-qa.com, example-prod.com. That will immediately cut the per base domain requirement by three.

5 Likes

FreeSSL.org is the one I am talking about.

2 Likes

Depending upon what, specifically, you are doing, joining the public suffix list might be a solution. You should try @Osiris's suggestion first though:

Per the public suffix list website:

Let's Encrypt uses it for rate limiting applications to their CA. If you just need an exception from their rate limits, please do not request a change to the PSL, but instead use their form (what @Osiris means), linked from their documentation. This is a faster way to achieve what you want, and the PSL is really not intended as a means to work around third party limits.

4 Likes

Note that the public suffix list is not a solution for Let's Encrypt rate limit issues. Or, more appropriately, the other way around: LE rate limit issues are not a valid reason to apply for the public suffix list. Please make sure the reason(s) you're applying for the public suffix list are valid before applying. (If you have any valid reason and decide to apply for it.)

5 Likes

Freessl.org - Reviews | Facebook

4 Likes

FreeSSL.com has unsecure images on their site. That doesn't say much for them if they can't secure their own homepage. And this is a little concerning - from their website:


Sign up to hear from us when FreeSSL is available
Got it! We'll let you know when FreeSSL accounts are available.

In the meantime, check out our free product trials
By submitting your email, you agree to the Digicert Privacy Statement


All their "free trials" range from 21 to 30 days and then give a "monthly" fee based on a 3-year purchase.
The only certs they show on their website are:

  • GeoTrust
  • DigiCert
  • Thawte
  • RapidSSL

I didn't notice any mention of LE certs on either site. They'd rather you buy multi-year certs from them.

4 Likes

But this topic is about FreeSSL.org, which is apparently a different thing altogether.

4 Likes

Yes, but on the FreeSSL.org site is this:


We are announcing perfect package for you freessl Providing you with a hesitate free SSL service we take words look the believable.


What the heck is that supposed to mean? This doesn't sound legit either.

6 Likes