Is there a way for Caddy to just download existing certificates from ZeroSSL?

This is more like a general question if it is possible at all – is there a way to use an existing certificate stored at ZeroSSL if I provide the API key for the ZeroSSL issuer?

The ZeroSSL API clearly gives an option for that (it has commands for listing certificates – should be easy to match if the hostname of the site matches the CN of the cert; it also has a command to actually download the certificate files), however, Caddy always tries to obtain a new certificate.

Since the server I’d be using Caddy at is on an AWS EC2 instance (so to add a certificate it’s nontrivial), and I don’t want to change the setup to open port 80 just for the dns-01 challenge, and I’m perfectly fine with creating new certificates using the email verification (DNS cannot work as my provider is not supported), I would just want Caddy to use the existing ZeroSSL account to fetch the certificates.

Is this possible with using the stock image for debian/ubuntu?

No. Currently Caddy can use ACME to automatically enable SSL or use external certificates explicitly. You can write a simple HTTP server to retrieve ZeroSSL certificates and use tls certificate managers to point at your own endpoints though.

Caddy can’t retrieve existing ZeroSSL certificates out of the box; you have to do some extra work.


Thanks. I was hoping… Well, back to the old ways then. :)

Weidi is right; although we could add support for this in our ZeroSSLIssuer. It’s just not a common use case…

I think the more logical approach would be to add this as a get_certificate provider, like get_certificate zerossl <api_key>. wdyt?

If ZeroSSL is managing the cert and keeping it renewed, then sure. That could work. Might want to implement some local caching, though, to mitigate latency with the API.
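As an added example (not code from Caddy, ZeroSSL, or anyone in this thread), here is what Weidi's suggestion and Matt's caching remark look like together in Go: a small loopback-only HTTP service that Caddy's `get_certificate http` manager can be pointed at. Assumptions, none of which come from this thread: Caddy's HTTP certificate getter sends a `server_name` query parameter and expects the PEM chain plus private key in the response body; the ZeroSSL endpoints `GET /certificates?certificate_status=issued` (fields `id`, `common_name`) and `GET /certificates/{id}/download/return` (fields `certificate.crt`, `ca_bundle.crt`) are taken from ZeroSSL's public API documentation; the environment variable names, the `/cert` path and port 9099 are made up for the example. ZeroSSL never holds the private key (the CSR is generated on the client side), so the key is read from a local file and joined to the downloaded chain here.

```go
// Added example, not Caddy's or ZeroSSL's own code: a backend for Caddy's `get_certificate http`
// manager (assumed to call ?server_name=<host> and expect a PEM bundle of leaf, chain and key)
// serving certificates already issued to a ZeroSSL account; API paths and fields are assumed from its docs.
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
	"strings"
	"sync"
	"time"
)

type zsCert struct { // one record of ZeroSSL's certificate list
	ID         string `json:"id"`
	CommonName string `json:"common_name"`
}

type zerosslAPI struct{ baseURL, accessKey string } // baseURL is normally https://api.zerossl.com

func (z zerosslAPI) get(path, extra string, out any) error { // extra: further "&name=value" params
	resp, err := http.Get(z.baseURL + "/" + path + "?access_key=" + z.accessKey + extra)
	if err == nil {
		defer resp.Body.Close()
		err = json.NewDecoder(resp.Body).Decode(out)
	}
	return err
}

func (z zerosslAPI) List() ([]zsCert, error) {
	var body struct{ Results []zsCert } // JSON key "results" matches case-insensitively
	err := z.get("certificates", "&certificate_status=issued", &body)
	return body.Results, err
}

func (z zerosslAPI) Download(id string) (leaf, chain string, err error) {
	var body map[string]string // inline download: {"certificate.crt": ..., "ca_bundle.crt": ...}
	err = z.get("certificates/"+id+"/download/return", "", &body)
	return body["certificate.crt"], body["ca_bundle.crt"], err
}

// bundleCache memoizes the assembled PEM per host for ttl so Caddy's handshake-time requests don't hit ZeroSSL every time.
type bundleCache struct {
	mu      sync.Mutex
	api     zerosslAPI
	keys    map[string]string // CN -> PEM private key, held locally: ZeroSSL never returns keys
	ttl     time.Duration
	pems    map[string]string    // host -> assembled bundle
	expires map[string]time.Time // host -> when the cached bundle must be fetched again
}

func (b *bundleCache) Bundle(host string, now time.Time) (string, error) {
	b.mu.Lock()
	defer b.mu.Unlock()
	if t, ok := b.expires[host]; ok && now.Before(t) {
		return b.pems[host], nil
	}
	certs, err := b.api.List()
	if err != nil {
		return "", err
	}
	var best zsCert // the issued certificate whose CN equals host and whose key we hold
	for _, c := range certs {
		if _, have := b.keys[c.CommonName]; have && strings.EqualFold(c.CommonName, host) {
			best = c
		}
	}
	if best.ID == "" {
		return "", fmt.Errorf("no issued ZeroSSL certificate with a local key for %q", host)
	}
	leaf, chain, err := b.api.Download(best.ID)
	if err != nil {
		return "", err
	}
	pem := strings.TrimSpace(leaf) + "\n" + strings.TrimSpace(chain) + "\n" + strings.TrimSpace(b.keys[best.CommonName]) + "\n"
	b.pems[host], b.expires[host] = pem, now.Add(b.ttl)
	return pem, nil
}

func main() {
	key, err := os.ReadFile(os.Getenv("ZEROSSL_KEY_FILE")) // private key matching ZEROSSL_COMMON_NAME
	if err != nil {
		log.Fatal(err)
	}
	b := &bundleCache{api: zerosslAPI{"https://api.zerossl.com", os.Getenv("ZEROSSL_API_KEY")}, ttl: time.Hour,
		keys:  map[string]string{os.Getenv("ZEROSSL_COMMON_NAME"): string(key)},
		pems:  map[string]string{}, expires: map[string]time.Time{}}
	http.HandleFunc("/cert", func(w http.ResponseWriter, r *http.Request) {
		pem, err := b.Bundle(r.URL.Query().Get("server_name"), time.Now())
		if err != nil {
			http.Error(w, err.Error(), http.StatusNotFound)
			return
		}
		fmt.Fprint(w, pem)
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:9099", nil)) // loopback only: responses carry the private key
}
```

With this running, the Caddyfile side would be a `tls { get_certificate http http://127.0.0.1:9099/cert }` block (assumed syntax of Caddy's HTTP certificate getter). Because every response carries the private key, the listener is bound to the loopback address only, and the one-hour cache means a burst of handshakes costs at most one ZeroSSL list-and-download round trip per host; when ZeroSSL renews the certificate, the next fetch after the cache expires picks up the new one.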