What suddenly changed with ZeroSSL?

Hi @douglerner

Ask ZeroSSL.

That’s a service that has nothing to do with Let’s Encrypt. The service uses Let’s Encrypt, nothing else.

So that service may have changed something. That’s their decision.

2 Likes

I guess so. It used to be so convenient though. I was in a rush just now and didn’t have any other options so I went ahead and bought an SSL cert for the site I was working on.

One weird thing about ZeroSSL - they now say if you are a premium member you can get 1 year Let’s Encrypt certs.

Since Let’s Encrypt is always 90 days (that hasn’t changed, right?) I’m guessing that ZeroSSL has suddenly changed and no longer uses Let’s Encrypt. The validation directory has also changed from ./well-known/acme-challenge to ./well-known/pki-validation.

Are there other services that help you get a Let’s Encrypt cert via a browser like ZeroSSL used to until today?

Thanks,

doug

1 Like

ZeroSSL got bought by apilayer, who have been going around and snapping up various ACME-related projects.

Other web-based ACME clients I know of:

3 Likes

The path /.well-known/pki-validation has been used by Sectigo for DV, so maybe this means that ZeroSSL is now trying to issue you a Sectigo certificate instead of a Let’s Encrypt certificate?

1 Like

The path /.well-known/pki-validation is used by various places. For example, I went ahead and purchased a 1 year cert from my GoDaddy reseller account so I could finish up this one site today. They also use /.well-known/pki-validation.

doug

2 Likes

Please see my post from last year, which I believe explains the change. I understand that new interface might be unexpected, but ultimately new ZeroSSL should offer more features, which might not quite fit into an old look. In any case, I think writing to support if something does not work as conveniently as you expect it to could initiate some changes. I hope that helps.

2 Likes

Hi! That is not completely true… Yes, it now has some new features, but now ZeroSSL is not free, e.g. for wildcard domains. It was an option that I was using and now I have to pay at least 10 bucks monthly…

Does anyone know another web-based option to generate free wildcard Let’s Encrypt SSL certificates?

Thanks!

1 Like

You can still use a portable client app (documentation):

le64.exe --key account.key --email "my@email.address" --csr domain.csr --csr-key domain.key --crt domain.crt --domains  "*.domain.ext,domain.ext" --handle-as dns --generate-missing --live

If you believe that something should be changed about the features offered on ZeroSSL.com, just get in touch with them - the team behind it is good and rather responsive. Since it has been just launched with a new look and functionality, proper feedback would help it grow and improve further.

Thanks. I’ll give them a try for now.

1 Like

This path is required by the Ten Blessed Methods: 3.2.2.4.6 Agreed‐Upon Change to Website says that the CA must use either /.well-known/pki-validation or (as is the case for ACME and thus Let’s Encrypt) some other path standardised for this purpose by IANA. The updated 3.2.2.4.18 also requires the same path.

So every CA offering “put a file on your web site” as validation is either using this path or ACME.

2 Likes
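For a server with its own built-in HTTP stack, the two directories discussed above are the only paths a CA's file-based check needs to reach. The following is an added sketch (not code from any poster, ZeroSSL or Let's Encrypt) of resolving such requests without exposing anything else; the function name, the method labels and the pki-validation filename pattern are assumptions.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Directories named in the thread; method labels are hypothetical.
VALIDATION_DIRS = {
    "/.well-known/acme-challenge/": "acme-http-01",
    "/.well-known/pki-validation/": "ca-file-validation",
}
# ACME tokens: base64url alphabet (RFC 8555); the name.ext pattern is assumed.
SAFE_NAME = {
    "acme-http-01": re.compile(r"[A-Za-z0-9_-]+"),
    "ca-file-validation": re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+"),
}


def resolve_validation_request(webroot, request_target):
    """Return (method, file_path) for a servable validation file, else None."""
    path = unquote(urlsplit(request_target).path)
    for prefix, method in VALIDATION_DIRS.items():
        if path.startswith(prefix):
            name = path[len(prefix):]
            # One flat filename only; resolve() below also refuses symlink escapes.
            if not SAFE_NAME[method].fullmatch(name):
                return None
            base = (Path(webroot) / prefix.strip("/")).resolve()
            candidate = (base / name).resolve()
            inside = candidate.parent == base and candidate.is_file()
            return (method, candidate) if inside else None
    return None


def demo():
    """Resolve constructed requests against a constructed temporary webroot."""
    with tempfile.TemporaryDirectory() as tmp:
        for prefix in VALIDATION_DIRS:
            (Path(tmp) / prefix.strip("/")).mkdir(parents=True)
        (Path(tmp) / ".well-known/acme-challenge/tok_EN-123").write_text("constructed")
        (Path(tmp) / ".well-known/pki-validation/ABC123.txt").write_text("constructed")
        targets = [
            "/.well-known/acme-challenge/tok_EN-123",
            "/.well-known/pki-validation/ABC123.txt?probe=1",
            "/.well-known/acme-challenge/%2e%2e%2fpki-validation%2fABC123.txt",
            "/.well-known/pki-validation/missing.txt",
            "/index.html",
        ]
        hits = [resolve_validation_request(tmp, t) for t in targets]
        return [hit[0] if hit else None for hit in hits]
```

The label returned for a request also shows which kind of validation is being asked for: a token under acme-challenge means an ACME HTTP-01 check, while a file under pki-validation means a CA's own file-based check.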

The sslforfree.com seems to be run by zerossl. I’ll try the other one.

doug

1 Like

And I can’t get https://gethttpsforfree.com to work.

1 Like

@douglerner just out of interest, you may have answered this already: why are you issuing your certificate this way?

1 Like

In the meantime, I bought a year’s certificate from my GoDaddy reseller account for $30 and installed it. It was getting too cumbersome.

The reason I’ve been using the web interface, like with ZeroSSL, is because my server is very non-standard. While it uses Apache style cert formats, it’s not a standard web server running on Linux. It’s a special web server + object-oriented database server that’s stand-alone and runs on Linux, with users, forums, and other features. It has a built-in HTTP server of its own.

So until we can update it to automatically use Let’s Encrypt (like I can with my WordPress accounts) I have to manually get cert updates and enter them into the control panel of this server.

That was very easy to do with ZeroSSL. And it’s easy to do when I buy a cert via GoDaddy.

2 Likes

Ah, I understand. Yes it can get quite difficult to manage. I’m interested because I’m adding new Deployment Tasks to https://certifytheweb.com (a Windows app) which can distribute certificates to various local and remote services and I wondered if there was a new use case here. If your server supports copying to file shares, an API, or ftp or ssh/sftp there’s generally a way to do it but I can see why it’s just easier for you to buy a cert.

1 Like

Our server supports various APIs and I’m sure we can automate it somehow. It’s just a matter of finding the time to dig in and do it. It would definitely be worthwhile.

doug

1 Like

You could still use the command-line Windows app (no installation required) to have the same experience as you had with the web interface (since it can run both in interactive and non-interactive mode, plus a “delayed” one) and automate the process once you have time to do so.

1 Like

Can that be done on a Mac?

As far as I remember, Perl was included in the set of scripting languages macOS comes with (at least that was the case before Catalina I believe), so you could just give it a go using cpan to install the Perl client instead of the binary.

Wait a sec, guys. What do you mean nothing changed? We now have a limit of 3 90-day certificates. That’s a huge change.