ZeroSSL portable 0.30 how to accept ToS


My domain is:

I ran this command:

My web server is (include version):
Apache 2.4

The operating system my web server runs on is (include version):
Windows Server 2016

I can login to a root shell on my machine (yes or no, or I don’t know):

I followed the directions from here:

Not sure if this is more of a ZeroSSL thing or an ACMEv2 thing, but I’m trying out ZeroSSL’s portable win64 client to generate a wildcard cert (v 0.30) and it keeps failing at ‘must agree to terms of service’. I can find no standard command to agree unattended, and there’s no popup or prompt. What am I missing?

This is an initial registration so I’m including an email addr. intent is to have ECC keys generated. All files (except the cert) generate fine. The following is latest example (redacted):

le64.exe -key account.key -email "" -csr -csr-key -crt -domains “*” -generate-missing -handle-as dns -api 2 -curve default -live

2018/03/16 11:26:23 [ ZeroSSL Crypt::LE client v0.30 started. ]
2018/03/16 11:26:23 Loading an account key from account.key
2018/03/16 11:26:23 Loading a CSR from
2018/03/16 11:26:26 Registering the account key
2018/03/16 11:26:26 must agree to terms of service


Hello @lordcochise,

This is likely to happen only when new account key gets created and only against the API v2. This is going to be fixed in the version 0.31, which is already being tested and should be released either later today or tomorrow. Meanwhile re-running the client might make that issue go away.


Use the above command but just change -api 2 to -api 1

le64.exe -key account.key -email "" -csr -csr-key -crt -domains “*” -generate-missing -handle-as dns -api 1 -curve default -live

It will fail because api 1 doesn’t support wildcards but it will register your account and will agreed the terms, now just change -api 1 to -api 2 and try again:

le64.exe -key account.key -email "" -csr -csr-key -crt -domains “*” -generate-missing -handle-as dns -api 2 -curve default -live

@leader, could you please take a look?, seems that using -apì 2 doesn’t agree the terms of service.



I didn’t see your post before writing mine :wink:


Thanks for your response - I went ahead and generated an account using ACME V1 for a different domain we own, it allowed the key to be registered, then I tried the above command again, key already registered, seems to go through now with * request now. :smiley:


Great workaround suggested with flipping api to 1 and back btw :slight_smile: This should be fixed shortly. Previously in v1 new-reg would have successfully created an account without the terms agreed and then the next call would be to actually agree to TOS. In v2 newAccount errors back though if TOS is not accepted within that call, which basically makes agreeing to TOS as a separate step obsolete. Not entirely sure if that approach is better, but perhaps it allows avoiding having too many “incomplete” accounts…


The release page for ZeroSSL Windows binaries has now been updated with v0.31.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.