Certificates being renewed with ZeroSSL instead of Let's Encrypt

1. Output of caddy version:

v2.6.2

2. How I run Caddy:

I’ve been using Caddy as the reverse proxy for a few internally-hosted services. Nothing special, just web front-ends.

a. System environment:

Ubuntu server 20.04 LTS
No docker. Just plain Ubuntu with Caddy installed.

b. Command:

None - happens automatically from however the automated installer handles the setup.

c. Service/unit/compose file:

none

d. My complete Caddy config:

I don’t feel comfortable putting my domain names on a public forum, so have changed them in the below config.

##------------- Global Settings -------------##
{
        #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
        email letsencrypt-caddy@example.com
}

##------------- Public External -------------##

#--- Uptime Monitoring ---#

ping.example.net {
        respond 200 {
                close
        }

        header {
                Strict-Transport-Security max-age=31536000;
        }
}

#--- OwnTracks Recorder ---#

location.example.net, location.dyndns.example.org {
        encode gzip
        reverse_proxy http://192.168.1.45:8083
        basicauth * {
                # create new password hashes with `caddy hash-password`
                user1 ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                user2 ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                user3 ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                user4 ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                user5 ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
        }

        header {
                Strict-Transport-Security max-age=31536000;
        }
}

#--- Gotify ---#

push.example.net {
        reverse_proxy 192.168.1.45:1680

        header {
                Strict-Transport-Security max-age=31536000;
        }
}

#--- Nextcloud ---#

cloud.example.net {
        reverse_proxy 192.168.1.45:1480

        log {
                output file /var/lib/caddy/cloud.access.log {
                        roll_size 5mib
                        roll_keep 10
                        roll_keep_for 168h
                }
                #       format single_field common_log
                format console {
                        time_format wall
                }
        }

        header {
                Permissions-Policy "autoplay=(self), camera=(), fullscreen=(self), geolocation=(), microphone=(), payment=()"
                Strict-Transport-Security "max-age=31536000" # enable HSTS
        }

        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301
}

#--- Jellyfin ---#

jellyfin.example.net {
        reverse_proxy 192.168.1.34:8096

        log {
                output file /var/lib/caddy/jellyfin.access.log {
                        roll_size 5mib
                        roll_keep 10
                        roll_keep_for 168h
                }
                #        format single_field common_log
        }

        header {
                Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
                Content-Security-Policy "upgrade-insecure-requests"
                X-Frame-Options "DENY"
                X-Content-Type-Options "nosniff"
                Referrer-Policy "strict-origin-when-cross-origin"
                Permissions-Policy "autoplay=(self), camera=(), fullscreen=(self), geolocation=(), microphone=(), payment=()"
                Server "No."
                X-Xss-Protection "1; mode=block"
        }
}

3. The problem I’m having:

Up until this past month, the services have worked flawlessly and the certificates renewed without issue. However, this past month I’ve started to receive emails from the “Let’s Encrypt Expiry Bot” stating that my certificates will expire within the month - I know this is in relation to my Caddy setup as they are sent to my specific Caddy email address.
When I check on the certificates I can see that they are not due to expire, but have been renewed via ZeroSSL ECC Domain Secure Site CA instead of the usual Let’s Encrypt channel.

I have no idea why this has changed.

4. Error messages and/or full log output:

No error, just email stating "Your certificate (or certificates) for the names listed below will expire in X days"

5. What I already tried:

I was hoping to carry out a “test” renewal to see if I could see where the hiccup is, but I’ve not been able to find out how to do that.

6. Links to relevant resources:

None I can see.

It could just be that Let’s Encrypt had a hiccup or whatever.
Caddy will automatically fall back to whatever ACME provider is configured next.

See “Issuer fallback” in Automatic HTTPS — Caddy Documentation

By default, Caddy enables two ACME-compatible CAs: Let’s Encrypt and ZeroSSL. If Caddy cannot get a certificate from Let’s Encrypt, it will try with ZeroSSL; if both fail, it will backoff and retry again later.


There is currently no guarantee that a domain will always use the same ACME provider.
Though you could configure it to do so :innocent:

It’s a feature, not a bug :sweat_smile:


Yep. The logs will reveal cert renewal attempts, including errors, so you can check there to see why it used a different CA. Let’s Encrypt rate limits are a common reason.
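The two replies above say that Caddy falls back to the next configured ACME issuer when the first one fails, and that the logs show which issuer was tried and why it failed. The script below is an added example (not from this thread, and not part of Caddy) that triages Caddy's JSON process log for exactly that: per certificate name it reports which issuer finally succeeded and which issuers failed first, and flags a Let's Encrypt rate-limit error when one is present. The sample log lines embedded in it are constructed, and the field names they use (`logger`, `msg`, `identifier`, `issuer`, `error`) are an assumption modelled on the structure of Caddy's zap-based JSON output; check the keys against your own log before relying on it.

```python
"""Triage Caddy's JSON log for ACME issuer fallback.

Added example, not Caddy's own code. Reads newline-delimited JSON log events,
keeps the TLS obtain/renew ones, and reports per identifier which issuer
succeeded and which issuer(s) failed before it. Field names are an assumption
modelled on Caddy's JSON log format; the sample below is constructed.
"""
import json
import sys
from collections import defaultdict

# Constructed sample, modelled on Caddy's JSON log format (not captured output).
# Issuer keys mirror how Caddy names issuers after their ACME directory URL.
SAMPLE_LOG = """\
{"level":"info","ts":1672531200.1,"logger":"tls.renew","msg":"renewing certificate","identifier":"cloud.example.net"}
{"level":"error","ts":1672531202.5,"logger":"tls.renew","msg":"could not get certificate from issuer","identifier":"cloud.example.net","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 429 urn:ietf:params:acme:error:rateLimited - too many certificates already issued"}
{"level":"info","ts":1672531205.0,"logger":"tls.renew","msg":"certificate renewed successfully","identifier":"cloud.example.net","issuer":"acme.zerossl.com-v2-DV90"}
{"level":"info","ts":1672531300.0,"logger":"tls.renew","msg":"certificate renewed successfully","identifier":"push.example.net","issuer":"acme-v02.api.letsencrypt.org-directory"}
2023/01/01 00:00:00 a non-JSON console line that must be skipped
"""


def parse_log(text):
    """Yield one dict per JSON line; non-JSON lines (console format, journal noise) are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize_issuers(text):
    """Return {identifier: {"issued_by": issuer-or-None, "failed": [(issuer, error), ...]}}.

    Only events from the tls.* loggers that carry an identifier are considered.
    An error-level event with an issuer counts as a failed attempt; an info
    event whose message ends in "successfully" and names an issuer records the
    issuer that actually produced the certificate.
    """
    summary = defaultdict(lambda: {"issued_by": None, "failed": []})
    for ev in parse_log(text):
        if not str(ev.get("logger", "")).startswith("tls."):
            continue
        ident = ev.get("identifier")
        if not ident:
            continue
        entry = summary[ident]
        if ev.get("level") == "error" and "issuer" in ev:
            entry["failed"].append((ev["issuer"], ev.get("error", "")))
        elif str(ev.get("msg", "")).endswith("successfully") and "issuer" in ev:
            entry["issued_by"] = ev["issuer"]
    return dict(summary)


def fell_back(entry):
    """True when the certificate was issued only after an earlier issuer had failed."""
    return entry["issued_by"] is not None and bool(entry["failed"])


def rate_limited(entry):
    """True when any failed attempt carries the ACME rateLimited error type."""
    return any("rateLimited" in err for _, err in entry["failed"])


def report(text):
    """Build a human-readable summary, one line per identifier (returned, not printed)."""
    lines = []
    for ident, entry in sorted(summarize_issuers(text).items()):
        status = f"{ident}: issued by {entry['issued_by'] or 'nobody yet'}"
        if fell_back(entry):
            first = entry["failed"][0][0]
            status += f" (FALLBACK: {first} failed first)"
        if rate_limited(entry):
            status += " [Let's Encrypt rate limit hit]"
        lines.append(status)
    return lines


if __name__ == "__main__":
    # Usage: python3 triage_caddy_issuers.py /path/to/caddy.log   (or pipe the log on stdin)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    elif not sys.stdin.isatty():
        data = sys.stdin.read()
    else:
        data = SAMPLE_LOG  # demo run on the constructed sample
    print("\n".join(report(data)))
```

On a plain Ubuntu install where Caddy runs as the packaged systemd service (an assumption about the setup above), the process log that carries these TLS events is in the journal rather than in the per-site access-log files from the Caddyfile, so `journalctl -u caddy -o cat | python3 triage_caddy_issuers.py` is the way to feed it real data. A name that shows up with the fallback flag and a `rateLimited` error is the rate-limit case the last reply mentions; a fallback with any other error still tells you which issuer to investigate.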