I noticed that a new free certificate project called ZeroSSL has started working:
ZeroSSL was one of the sites that could issue Let’s Encrypt certificates on the web;
recently it became its own CA. It is certified by Sectigo.
Caddy is displayed in the list of ACME Automation on this page:
Perhaps we haven’t got a way to issue ZeroSSL with Caddy yet,
but that will be revealed later by ZeroSSL.
Perhaps we could consider adding related Caddy features.
Yes. I’ve already seen some sites with the same criticism. Many will keep Let’s Encrypt.
Or will this be avoided if issued by a third party, including Caddy?
For now, anyone who wants to choose ZeroSSL will be using a freely provided subdomain.
For example: https://freedns.afraid.org/
Some of them are suffering from Let’s Encrypt rate limiting.
Yeah that’s cool. It’s really good to have multiple ACME CAs, with some feature diversity. ZeroSSL offers things that Let’s Encrypt doesn’t, like longer-lived certs (which is appealing to businesses, despite the anti-pattern), monitoring, and probably higher rate limits and such.
For example, if Caddy notices that there is a Let’s Encrypt rate limit on a domain, it may want to issue it with ZeroSSL.
It would be ideal to be able to select Let’s Encrypt and ZeroSSL certificates by domain, in case the user knows that in advance.
There are still some who are choosing paid certificates.
Let’s Encrypt is good enough for many people (especially web developers),
but there are many who are happy with ZeroSSL.
ca changes the ACME CA endpoint. This is most often used to use Let’s Encrypt’s staging endpoint or an internal ACME server. (To change this value for the whole Caddyfile, use the acme_ca global option instead.)
acme_ca specifies the URL to the ACME CA’s directory. It is strongly recommended to set this to Let’s Encrypt’s staging endpoint for testing or development. Default: Let’s Encrypt’s production endpoint.
Currently Caddy v2 (via CertMagic) switches to the LE staging endpoint if an error is hit, so hitting rate limits should be very rare if not impossible (as long as you have Caddy’s storage directory persisted, and as long as you don’t have multiple Caddy instances running that fetch certs for the same domains, and that are not sharing the same storage).
Wow! Great!!
If we know the ZeroSSL ACME CA endpoint, we can issue ZeroSSL certificates immediately.
Yeah. Since it is possible to specify the issuing email address, the possibility that it can be maintained with Let’s Encrypt is particularly high.
I think Caddy v2 takes this into account well.
Has anyone actually been able to find the ZeroSSL ACME endpoint? It was supposed to have launched in May but there’s absolutely no trace of the actual endpoint URL.
It is being finished. I don’t know the completion date but it’s in progress. I just know the delay is necessary to ensure full ACME spec compliance which is really important; they are working to get it right.
In order to use the ACME protocol with ZeroSSL, this is the server URL to connect to:
https://acme.zerossl.com/v2/DV90
Connect via API Access Key
If you are using one of our Partner ACME Clients (e.g., Caddy), you will be able to connect to the ACME client using your ZeroSSL API access key. Your key can be found in the Developer section of your ZeroSSL management console.
The directory endpoint is what they provide in their docs. Then you just need to use EAB for now; Caddy will eventually have support for the ZeroSSL API key, but not quite yet.
This was my test Caddyfile:
{
    key_type rsa2048 # only needed temporarily
}

example.com

tls {
    ca https://acme.zerossl.com/v2/DV90
    eab my_key_id my_mac_key
}
Edit: I’m not actually sure if the eab subdirective has been pushed yet – but it is a global option too: acme_eab (undocumented because I’m forgetful)
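An added example (not from this thread, and not the Caddy project’s own sample configuration) that puts together two things discussed above: selecting the CA per site, so one domain stays on the default Let’s Encrypt endpoint while another is issued by ZeroSSL, and supplying the ZeroSSL EAB credentials with External Account Binding. The site names (example.com, example.org), the contact address and the environment variable names ZEROSSL_EAB_KEY_ID / ZEROSSL_EAB_MAC_KEY are placeholders chosen for this example; the ZeroSSL directory URL is the one quoted from their docs earlier in the thread, and the Let’s Encrypt staging URL is their published one.

```caddyfile
{
    # Global options apply to every site below.
    # While testing, point all sites at Let's Encrypt's staging endpoint
    # so production rate limits are never consumed; remove for production.
    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory

    # Contact address (placeholder) used for the ACME account.
    email admin@example.com
}

# Site 1: no tls block, so it uses the default CA (Let's Encrypt production).
example.com {
    respond "hello from example.com"
}

# Site 2: issued by ZeroSSL through its ACME directory. ZeroSSL requires
# External Account Binding, so the key ID and MAC key are given with `eab`.
# They are read from environment variables at parse time ({$VAR} syntax),
# keeping the secret out of the Caddyfile; variable names are placeholders.
example.org {
    tls {
        ca https://acme.zerossl.com/v2/DV90
        eab {$ZEROSSL_EAB_KEY_ID} {$ZEROSSL_EAB_MAC_KEY}
    }
    respond "hello from example.org"
}
```

Check the syntax before running it with `caddy validate --config Caddyfile`, with the two environment variables exported. Because each site block carries its own `tls` settings, the ZeroSSL credentials and the Let’s Encrypt default never interfere with one another, which is the per-domain selection asked about above.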