What suddenly changed with ZeroSSL?

The path /.well-known/pki-validation has been used by Sectigo for DV, so maybe this means that ZeroSSL is now trying to issue you a Sectigo certificate instead of a Let’s Encrypt certificate?

1 Like

The path /.well-known/pki-validation is used in various places. For example, I went ahead and purchased a 1-year cert from my GoDaddy reseller account so I could finish up this one site today. They also use /.well-known/pki-validation.

doug

2 Likes

Please see my post from last year, which I believe explains the change. I understand that the new interface might be unexpected, but ultimately the new ZeroSSL should offer more features, which might not quite fit into the old look. In any case, I think writing to support if something does not work as conveniently as you expect it to could initiate some changes. I hope that helps.

2 Likes

Hi! That is not completely true… Yes, it now has some new features, but ZeroSSL is no longer free, e.g. for wildcard domains. It was an option that I was using, and now I have to pay at least 10 bucks monthly…

Does anyone know of another web-based option to generate free wildcard Let’s Encrypt SSL certificates?

Thanks!

1 Like

You can still use a portable client app (documentation):

le64.exe --key account.key --email "my@email.address" --csr domain.csr --csr-key domain.key --crt domain.crt --domains  "*.domain.ext,domain.ext" --handle-as dns --generate-missing --live

If you believe that something should be changed about the features offered on ZeroSSL.com, just get in touch with them - the team behind it is good and rather responsive. Since it has been just launched with a new look and functionality, proper feedback would help it grow and improve further.

Thanks. I’ll give them a try for now.

1 Like

This path is required by the Ten Blessed Methods, 3.2.2.4.6 Agreed‐Upon Change to Website says that the CA must use either /.well-known/pki-validation or (as is the case for ACME and thus Let’s Encrypt) some other path standardised for this purpose by IANA. The updated 3.2.2.4.18 also requires the same path.

So every CA offering “put a file on your web site” as validation is either using this path or ACME.

2 Likes

sslforfree.com seems to be run by ZeroSSL. I’ll try the other one.

doug

1 Like

And I can’t get https://gethttpsforfree.com to work.

1 Like

@douglerner just out of interest, you may have answered this already: why are you issuing your certificate this way?

1 Like

In the meantime, I bought a year’s certificate from my GoDaddy reseller account for $30 and installed it. It was getting too cumbersome.

The reason I’ve been using the web interface, like with ZeroSSL, is because my server is very non-standard. While it uses Apache-style cert formats, it’s not a standard web server running on Linux. It’s a special web server + object-oriented database server that’s stand-alone and runs on Linux, with users, forums, and other features. It has a built-in HTTP server of its own.

So until we can update it to automatically use Let’s Encrypt (like I can with my WordPress accounts) I have to manually get cert updates and enter them into the control panel of this server.

That was very easy to do with ZeroSSL. And it’s easy to do when I buy a cert via GoDaddy.

2 Likes

Ah, I understand. Yes it can get quite difficult to manage. I’m interested because I’m adding new Deployment Tasks to https://certifytheweb.com (a Windows app) which can distribute certificates to various local and remote services and I wondered if there was a new use case here. If your server supports copying to file shares, an API, or ftp or ssh/sftp there’s generally a way to do it but I can see why it’s just easier for you to buy a cert.

1 Like

Our server supports various APIs and I’m sure we can automate it somehow. It’s just a matter of finding the time to dig in and do it. It would definitely be worthwhile.

doug

1 Like

You could still use the command line windows app (no installation required) to have the same experience as you had with the web interface (since it can run both in interactive and non-interactive mode, plus a “delayed” one) and automate the process once you have time to do so.

1 Like

Can that be done on a Mac?

As far as I remember, Perl was included in the set of scripting languages macOS comes with (at least that was the case before Catalina, I believe), so you could just give it a go using cpan to install the Perl client instead of the binary.

Wait a sec, guys. What do you mean nothing changed? We now have a limit of 3 90-day certificates. That’s a huge change.

If that is all you have to do, and (i) you are running a Mac locally, (ii) you have other websites that run WordPress, I suggest the following:

  1. On another internet-connected server, install ACME-DNS (https://github.com/joohoi/acme-dns)
  2. On your Mac, run Certbot with DNS authentication via the ACME-DNS certbot client (https://github.com/joohoi/acme-dns-certbot-joohoi)

You will have to configure your domain’s DNS one time, to point to the ACME-DNS server you configured. After that, all configuration and authentication will be done by the certbot plugin on the ACME-DNS instance.

The Let’s Encrypt server also follows HTTP redirects, so you may be able to have your specialized web server redirect everything in /.well-known to another server you control. I am a big fan of acme-dns though, and using it will give you the chance to use wildcard certificates.

1 Like
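The two validation styles discussed in this thread (a file under an IANA-registered well-known path for ACME http-01, versus a DNS TXT record that acme-dns lets you delegate via CNAME) both derive from the same ACME key authorization. The following is an added example, not code from this thread, from acme-dns or from certbot: it computes the RFC 7638 account-key thumbprint, the http-01 path and body, and the dns-01 TXT value, then simulates the CA following a CNAME from _acme-challenge.example.com to the acme-dns name. The account JWK, the token and the zone names are constructed placeholders, not real keys or hostnames.

```python
"""ACME challenge material and the CNAME delegation that acme-dns relies on (added example)."""
from __future__ import annotations

import base64
import hashlib
import json

# RFC 7638: only these members are hashed; optional members such as alg/kid/use are ignored.
_REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

# Constructed account key (not a real key pair) and a constructed challenge token.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-not-a-real-point",
    "y": "constructed-y-coordinate-not-a-real-point",
    "alg": "ES256",  # optional member: must not change the thumbprint
    "kid": "acct-1",  # optional member: must not change the thumbprint
}
TOKEN = "DGyRejmCefe7v4NfDGDKfA"


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses for every challenge value."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: canonical JSON of the required members, lexicographically sorted,
    no whitespace, then SHA-256 and base64url."""
    members = _REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint, binding the challenge to the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_expected(token: str, account_jwk: dict) -> tuple[str, str]:
    """(path, body) the CA fetches over HTTP; the path is the IANA-registered ACME well-known path,
    which is why ACME CAs do not use /.well-known/pki-validation."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT record content is base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def resolve_txt(name: str, zone: dict, max_hops: int = 8) -> list[str]:
    """Simulate the CA's resolver: follow CNAMEs from _acme-challenge.<domain> until TXT data
    is found. With acme-dns the CNAME points at the acme-dns subdomain, so the real zone
    never needs an API-updatable TXT record."""
    for _ in range(max_hops):
        rr = zone.get(name)
        if rr is None:
            return []  # NXDOMAIN / NODATA: validation would fail
        rtype, rdata = rr
        if rtype == "TXT":
            return list(rdata)
        if rtype == "CNAME":
            name = rdata
            continue
        return []  # some other record type at the name: no TXT to check
    raise RuntimeError("CNAME chain too long")


def demo() -> dict:
    """Build the challenge material and check the delegated TXT lookup succeeds."""
    path, body = http01_expected(TOKEN, ACCOUNT_JWK)
    txt = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    # Constructed zone data: the domain delegates _acme-challenge to an acme-dns name,
    # and acme-dns serves the TXT record that the client pushed via its update API.
    zone = {
        "_acme-challenge.example.com": ("CNAME", "2f3a1b-constructed.auth.acme-dns.example.net"),
        "2f3a1b-constructed.auth.acme-dns.example.net": ("TXT", [txt]),
    }
    found = resolve_txt("_acme-challenge.example.com", zone)
    return {"path": path, "body": body, "txt": txt, "valid": txt in found}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The CNAME step is the whole point of acme-dns: the validation name is delegated once, and afterwards only the acme-dns instance (with its per-domain credentials) ever changes records, which is what makes wildcard issuance workable without giving a client write access to the production zone.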

I have been using “Zero SSL” for probably a couple of years, maybe longer, for a shared hosting account that I use for testing purposes. Earlier this year I had to renew the certificate via a tablet and there was an issue in that every time I went away from the tab I lost all the data, so I started to use “SSL for Free”, which did not have that issue as you could call back all the data. The site was also cleaner and easier to use.

A couple of weeks ago I had to renew the certificates and found that initially they were only showing validation of the site by DNS, so I sent them an email. In the meantime I went back to ZeroSSL and found that their site had changed and was more or less identical to SSL for Free. Though I never had a response to that email, I did receive one stating that SSL for Free had joined up with Zero SSL and that my existing password would no longer work, though the account is still operational, and I would have to renew it. This I did. They had also now provided browser authentication, so I assume that this was just a minor issue that they had.

SSL for Free does not support wildcards or multiple domains unless you buy a certificate. This is a pity; however, if you return and go through the procedure again with just one subdomain, it will. Very long-winded if you need several certificates. However, authenticating by pki-validation is a well-known method that I have used before, so not an issue.

The certificate is not issued by Let’s Encrypt but by Zero SSL. There is no reference to LE anywhere, so I assume that they have dropped LE. In an earlier posting somebody mentioned that Zero SSL had been acquired by another company, and the same is probably true for SSL for Free. I would hazard a guess that they are using the free certificates, and limiting them to no multi-domains or subs, as a way of contacting prospective users and then selling them a certificate. It does make good sense if you have bought a company and then want to generate revenue from it.

1 Like

Hello, this is my first post here. So hopefully this is not out-of-place.

I’ve been using ZeroSSL on some poorly-configured servers for a while, so not being able to use it leaves a bit of a void in my workflow. If there is not a good alternative to ZeroSSL in the next month or so, I’m probably going to try making a new website that can issue certs via the web browser.

1 Like