The zerossl.com CA is supported by acme.sh

Zerossl.com is another ACME compatible CA.
It supports unlimited free certs, including SAN cert and Wildcard certs. (ECC certs will be online soon)

And acme.sh just supported zerossl.com. See the usage:

2 Likes

The pricing page seems to indicate you can only get up to 3 non-wildcard certs for free.

1 Like

@Neilpang

Thanks to your efforts, acme.sh continues to expand and improve. It is an awesome script. I don’t think much about this particular CAA, but adding this functionality to acme.sh is forward thinking and a good move.

Excellent Work.
Rip

2 Likes

I saw something from them in chat which might suggest that could change? Not sure whether it’s more about removing EAB requirement, or loosening up the certificate constraints:

We now have a working ACME server at https://acme.zerossl.com/v2/DV90 . We are working with our upstream certificate provider to open it up completely, but for now it requires EAB credentials.

Anyway, it makes sense for acme.sh to have first class support for ZeroSSL - apilayer does own them both.

The more ACME, the merrier. If we get to a point where there’s a reasonable choice between providers, even if many are commercial, I think that is going to be a positive.

2 Likes

Wait, really? apilayer took over acme.sh? The GitHub repo still appears to be owned by @Neilpang.

1 Like

I had forgotten about that, but it happened back in January:

4 Likes

I didn’t know this either. I went looking for acme.sh’s license, and I found a GPLv3, but no license notice that would tell me who the copyright holder is.

Now that it has a full company behind it, I can complain about missing features without feeling like an asshole.

I really don’t understand why apilayer doesn’t advertise these acquisitions. On their website, they’re not there.

3 Likes

Might be https://zerossl.com/features/acme#clients

Not clear what it exactly means though

3 Likes

No, I mean… https://apilayer.com/#products

Where’s the acme stuff? Where’s even the CA stuff?

2 Likes

The pricing page is for UI users. There is no limitation upon ACME clients.

6 Likes

Yes, apilayer bought acme.sh project, but I’m the only maintainer. And the project license is not changed.

7 Likes

Thanks for clarifying Neil, that’s really good to hear.

I was able to issue a multi-domain wildcard certificate using a free ZeroSSL account and the EAB credentials it gave me, worked like a charm!

6 Likes

I’ve been toying around with supporting ZeroSSL for the ACME client I’m working on (Ansible’s acme_certificate module) around three weeks ago, and had some problems. I’ve tried contacting ZeroSSL’s support, but so far I only got two automatic replies (“We are really sorry for the delay in response, but due to the recent re-launch of the ZeroSSL platform our support team is really busy. / Today we launched a new self-service Help-Center which should give you the answers to your questions.” - I really wonder whether any of these two dates is actually the “today” from that sentence). Maybe someone here (@Neilpang?) has a better contact to their team, so here are my problems:

  1. Bug: when not passing a contact email when calling the newAccount endpoint, the error urn:ietf:params:acme:error:externalAccountRequired is returned. (This kept me looking at my EAB code for a couple of hours until I figured out that it’s just the error message that’s wrong.)
  2. Improvement: it would be good if no contact is required if "onlyReturnExisting": true is passed to the newAccount endpoint.
  3. Improvement: when successfully validating a challenge for a one-domain order and calling finalize while the CAA does not allow zerossl.com to issue a certificate, the order object’s state changes to invalid without any error message. A helpful error message would be a lot better.

1 Like
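
Added example, not part of the post above or of any client named in this thread: a Python sketch of the newAccount body with an external account binding as defined in RFC 8555 section 7.3.4, plus a check that classifies an `externalAccountRequired` reply in light of item 1. The function names, the newAccount URL, the key id, the MAC key and the JWK are constructed for illustration, and the outer JWS signed with the account key is not built here.

```python
import base64, hashlib, hmac, json

EAB_REQUIRED = "urn:ietf:params:acme:error:externalAccountRequired"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def eab_binding(account_jwk, eab_kid, eab_mac_key, new_account_url):
    """RFC 8555 section 7.3.4: JWS whose payload is the account JWK, MACed with the CA-issued key."""
    header = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}  # no nonce in the inner JWS
    protected = b64url(json.dumps(header).encode())
    payload = b64url(json.dumps(account_jwk).encode())
    mac = hmac.new(b64url_decode(eab_mac_key), f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}

def new_account_payload(account_jwk, url, eab_kid=None, eab_mac_key=None, contact=(), only_return_existing=False):
    """Body of the newAccount request (the outer JWS signed by the account key is not built here)."""
    body = {"termsOfServiceAgreed": True}
    if only_return_existing:
        body["onlyReturnExisting"] = True
    if contact:
        body["contact"] = [f"mailto:{c}" for c in contact]
    if eab_kid and eab_mac_key:
        body["externalAccountBinding"] = eab_binding(account_jwk, eab_kid, eab_mac_key, url)
    return body

def diagnose(body, error_type):
    """Classify a newAccount failure, allowing for the misleading error reported in the post."""
    if error_type != EAB_REQUIRED:
        return "other-error"
    if "externalAccountBinding" not in body:
        return "eab-missing"
    if not body.get("contact"):
        return "contact-missing"  # EAB was sent, so suspect the missing contact first
    return "eab-rejected"

# Constructed sample values, not real credentials or a real endpoint.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_URL = "https://acme.example/newAccount"
SAMPLE_KID = "constructed-kid"
SAMPLE_MAC_KEY = b64url(b"constructed-eab-mac-key")

if __name__ == "__main__":
    sent = new_account_payload(SAMPLE_JWK, SAMPLE_URL, SAMPLE_KID, SAMPLE_MAC_KEY)
    print(diagnose(sent, EAB_REQUIRED))
```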

Perhaps try sending it to Sectigo support as well? A bit closer to the people who need to see it.

Nice finds.

2 Likes

@az_ is zerossl.com’s ACME server operated by Sectigo, or do they use Sectigo ACME server software? I was not able to find information on that anywhere.

1 Like

I will try to forward your comment to Zerossl team.

Thanks.

2 Likes

Thanks a lot for the detailed report about the bug with the error message as well as the two suggestions for improvement. I’ll forward these to our partner (Sectigo).

Best,
David (ZeroSSL)

2 Likes

@Neilpang @dspd thanks a lot! 🙂

2 Likes