Caddy was posted on the ZeroSSL website

I noticed that a new free certificate project called ZeroSSL has started working:
https://zerossl.com/

ZeroSSL was one of the sites that could issue Let’s Encrypt certificates on the web,
and it recently became its own CA, certified by Sectigo.

Caddy is displayed in the list of ACME Automation on this page:
https://zerossl.com/features/acme/

Perhaps there isn’t a way to issue ZeroSSL certificates with Caddy yet,
but ZeroSSL will reveal that later.
Perhaps we could consider adding related Caddy features.

1 Like

It looks like they limit you to 3 free certificates. I don’t understand why anyone would choose this over LE.

1 Like

Yes. I’ve already seen some sites with the same criticism. Many will keep Let’s Encrypt.
Or will this be avoided if issued by a third party, including Caddy?

For now, anyone who wants to choose ZeroSSL will be using a freely provided subdomain.
For example: https://freedns.afraid.org/
Some of them are suffering from Let’s Encrypt rate limiting.

Yeah that’s cool. It’s really good to have multiple ACME CAs, with some feature diversity. ZeroSSL offers things that Let’s Encrypt doesn’t, like longer-lived certs (which is appealing to businesses, despite the anti-pattern), monitoring, and probably higher rate limits and such.

3 Likes

For example, if Caddy notices that there is a Let’s Encrypt rate limit on a domain, it may want to issue it with ZeroSSL.
It would be ideal to be able to select Let’s Encrypt and ZeroSSL certificates by domain, in case the user knows that in advance.

There are still some who are choosing paid certificates.
Let’s Encrypt is good enough for many people (especially web developers),
but there are many who are happy with ZeroSSL.

This is 100% supported! Per site:

https://caddyserver.com/docs/caddyfile/directives/tls

Or as a global default:

  • acme_ca specifies the URL to the ACME CA’s directory. It is strongly recommended to set this to Let’s Encrypt’s staging endpoint for testing or development. Default: Let’s Encrypt’s production endpoint.

https://caddyserver.com/docs/caddyfile/options

2 Likes

Currently Caddy v2 (via CertMagic) switches to the LE staging endpoint if an error is hit, so hitting rate limits should be very rare if not impossible (as long as you have Caddy’s storage directory persisted, and as long as you don’t have multiple Caddy instances running that fetch certs for the same domains, and that are not sharing the same storage).

2 Likes

Wow! Great!! :smile:
If we know the ZeroSSL ACME CA endpoint, we can issue ZeroSSL certificates immediately.

Yeah. Since it is possible to specify the issuing email address, the possibility that it can be maintained with Let’s Encrypt is particularly high.
I think Caddy v2 takes this into account well.

Has anyone actually been able to find the ZeroSSL ACME endpoint? It was supposed to have launched in May but there’s absolutely no trace of the actual endpoint URL.

I figure you need to sign up for an account to get access to it, because they have pretty stringent limits on their free plan.

It is being finished. I don’t know the completion date but it’s in progress. :slight_smile: I just know the delay is necessary to ensure full ACME spec compliance which is really important; they are working to get it right.

1 Like

ACME Server URL

In order to use the ACME protocol with ZeroSSL, this is the server URL to connect to:

https://acme.zerossl.com/v2/DV90

Connect via API Access Key

If you are using one of our Partner ACME Clients (e.g., Caddy), you will be able to connect to the ACME client using your ZeroSSL API access key. Your key can be found in the Developer section of your ZeroSSL management console.

https://zerossl.com/documentation/acme/

2 Likes

@danb35 This looks interesting.

Can confirm, I was able to get a ZeroSSL cert with Caddy (using an RSA key - I’m told ECC will be supported soon) this week. Worked like a charm.

2 Likes

Just tried 5 minutes ago. What should the Caddyfile directive look like?

I’m getting this…

urn:ietf:params:acme:error:malformed

and this…

urn:ietf:params:acme:error:unauthorized :: Invalid ACME server URL

…depending how I append the api key in a Caddyfile like this:

{$FORUM_3_URL} {
    reverse_proxy unix//sock/{$HOST_3}/nginx.http.sock
    tls {
        dns cloudflare {$CLOUDFLARE_API_TOKEN}
        ca https://acme.zerossl.com/v2/DV90?access_key=aaaaaaaabbbbbbbbbbbbbb
    }
}

The directory endpoint is what they provide in their docs. Then you just need to use EAB for now; Caddy will eventually have support for the ZeroSSL API key, but not quite yet.

This was my test Caddyfile:

{
    key_type rsa2048 # only needed temporarily
}

example.com

tls {
    ca  https://acme.zerossl.com/v2/DV90
    eab my_key_id my_mac_key
}

Edit: I’m not actually sure if the eab subdirective has been pushed yet – but it is a global option too: acme_eab (undocumented because I’m forgetful)

1 Like
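Putting the per-site CA selection from the earlier replies together with the EAB configuration just described, here is an added example Caddyfile (written for this edit; it is not from the thread or from the Caddy project's documentation). It assumes Caddy 2.2 or later; the hostnames, admin@example.com, and the ZEROSSL_EAB_KEY_ID / ZEROSSL_EAB_MAC_KEY environment variable names are placeholders you would replace with your own values.

```caddyfile
# Added example, not from the thread. One Caddy instance, two ACME CAs,
# chosen per site. Hostnames, email and env-var names are placeholders.
{
    # Global default CA for every site that does not override it.
    # Let's Encrypt's staging directory is used here so that experiments
    # never count against production rate limits; remove this line to get
    # Caddy's built-in default (Let's Encrypt production).
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    email admin@example.com

    # The thread mentions ZeroSSL wanted RSA keys at the time; only add this
    # if the CA still rejects ECC keys.
    # key_type rsa2048

    # Global alternative to the per-site eab line below (syntax assumed from
    # the acme_eab global option mentioned in the thread):
    # acme_eab {
    #     key_id  {$ZEROSSL_EAB_KEY_ID}
    #     mac_key {$ZEROSSL_EAB_MAC_KEY}
    # }
}

# Site 1: no tls block, so it uses the global default CA above.
example.com {
    respond "hello from example.com"
}

# Site 2: issued by ZeroSSL instead. ZeroSSL's directory requires External
# Account Binding, so the key id and HMAC key from the ZeroSSL console are
# supplied via environment variables rather than written into the file,
# which keeps the credentials out of version control and backups of the
# Caddyfile. The API access key is NOT appended to the directory URL; that
# is what produced the malformed / "Invalid ACME server URL" errors above.
api.example.com {
    tls {
        ca  https://acme.zerossl.com/v2/DV90
        eab {$ZEROSSL_EAB_KEY_ID} {$ZEROSSL_EAB_MAC_KEY}
    }
    reverse_proxy localhost:8080
}
```

Start Caddy with the two variables exported (for example `ZEROSSL_EAB_KEY_ID=... ZEROSSL_EAB_MAC_KEY=... caddy run`); if either is unset, the `eab` line expands to empty tokens and issuance for api.example.com fails at the CA rather than silently falling back to a different CA. Keep Caddy's storage directory persisted across restarts, as noted earlier in the thread, so that issued certificates and account keys are reused instead of re-requested.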

The one time I actually went to the docs first! :laughing:

Not particularly to me; the bait-and-switch they pulled left a bad taste in my mouth. But it’s good to have options, I guess.

After 4 months, we are pleased that Caddy 2.2 fully supports ZeroSSL :smile: :

This wiki is useful if you use ZeroSSL: