Caddy was posted on the ZeroSSL website

I noticed that a new free certificate project called ZeroSSL has started working:
https://zerossl.com/

ZeroSSL was one of the sites that could issue Let’s Encrypt certificates on the web;
recently it became its own CA, highly certified by Sectigo.

Caddy is displayed in the list of ACME Automation on this page:
https://zerossl.com/features/acme/

Perhaps we haven’t got a way to issue ZeroSSL with Caddy yet,
but that will be revealed later by ZeroSSL.
Perhaps we could consider adding related Caddy features.


It looks like they limit you to 3 free certificates. I don’t understand why anyone would choose this over LE.


Yes. I’ve already seen some sites with the same criticism. Many will keep Let’s Encrypt.
Or will this be avoided if issued by a third party, including Caddy?

For now, anyone who wants to choose ZeroSSL will be using a freely provided subdomain.
For example: https://freedns.afraid.org/
Some of them are suffering from Let’s Encrypt rate limiting.

Yeah that’s cool. It’s really good to have multiple ACME CAs, with some feature diversity. ZeroSSL offers things that Let’s Encrypt doesn’t, like longer-lived certs (which is appealing to businesses, despite the anti-pattern), monitoring, and probably higher rate limits and such.


For example, if Caddy notices that there is a Let’s Encrypt rate limit on a domain, it may want to issue it with ZeroSSL.
It would be ideal to be able to select Let’s Encrypt and ZeroSSL certificates by domain, in case the user knows that in advance.

There are still some who are choosing paid certificates.
Let’s Encrypt is good enough for many people (especially web developers),
but there are many who are happy with ZeroSSL.

This is 100% supported! Per site:

https://caddyserver.com/docs/caddyfile/directives/tls

Or as a global default:

  • acme_ca specifies the URL to the ACME CA’s directory. It is strongly recommended to set this to Let’s Encrypt’s staging endpoint for testing or development. Default: Let’s Encrypt’s production endpoint.

https://caddyserver.com/docs/caddyfile/options

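As an added illustration (not from this thread or the Caddy project), a Caddyfile that sets the global `acme_ca` default to the Let’s Encrypt staging endpoint and overrides the CA per site with the `tls` directive; the ZeroSSL directory URL is a placeholder, since the thread notes it was not yet known, and the hostnames are made up.

```caddyfile
{
    # Global default for every site that does not override it.
    # Staging is safe for testing: it does not count against production rate limits.
    email admin@example.com
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

# This site explicitly uses Let's Encrypt production.
www.example.com {
    tls {
        ca https://acme-v02.api.letsencrypt.org/directory
    }
    respond "served with a Let's Encrypt certificate"
}

# This site uses a different ACME CA; replace the placeholder with the
# real directory URL once the CA publishes it.
api.example.com {
    tls {
        ca https://ACME-CA-DIRECTORY-URL-PLACEHOLDER/directory
    }
    respond "served with a certificate from the other CA"
}
```

Running `caddy validate --config Caddyfile` checks the syntax before reloading; certificates for each site are then obtained from the CA its `tls` block names, falling back to the global `acme_ca` where none is set.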

Currently Caddy v2 (via CertMagic) switches to the LE staging endpoint if an error is hit, so hitting rate limits should be very rare if not impossible (as long as you have Caddy’s storage directory persisted, and as long as you don’t have multiple Caddy instances running that fetch certs for the same domains, and that are not sharing the same storage).


Wow! Great!! :smile:
If we know the ZeroSSL ACME CA endpoint, we can issue ZeroSSL certificates immediately.

Yeah. Since it is possible to specify the issuing email address, the possibility that it can be maintained with Let’s Encrypt is particularly high.
I think Caddy v2 takes this into account well.