ZeroSSL and sslforfree changes: What you need to know

ZeroSSL and sslforfree no longer issue certificates using the Let’s Encrypt API. Previously, these clients provided certificates issued by Let’s Encrypt and valid for 90 days. Recently, these clients were acquired by another service and have since dropped support for issuing Let’s Encrypt certificates. ZeroSSL now runs a Rest API, used by both clients, that issues certificates from a different Certificate Authority.

If you set CAA records that enable issuance from Let’s Encrypt and prevent issuance from other Certificate Authorities, you will need to update those records to allow issuance by the Certificate Authority used by the ZeroSSL API. You can read more about their CAA requirements:

If you are using either of those clients to get certificates and experience issues, please visit the ZeroSSL help pages to get support.

In addition to the change of underlying CA, these services now offer subscription plans with differing levels and offerings. Their free base offering does not include wildcard certificates or multi-domain certificates. If you are affected by this change and cannot renew your certificates, an alternative option is It requires some technical knowledge to use, but can help you renew your certificates so you will have time to find another solution. You can read an evaluation of this web-browser client and an overview of others here: Web browser based ACME clients.

However, we do not encourage using a web-browser client as those necessitate a manual renewal - at Let’s Encrypt, we are all about automation in order to reduce the risk of missed renewals. If you want to continue using Let’s Encrypt certificates, check out any of the clients on our website:

Let’s Encrypt is a free, automated, and open CA, run for the public’s benefit. We give people the digital certificates they need in order to enable HTTPS for websites, for free, in the most user-friendly way we can. For more information about Let’s Encrypt, visit: