Documentation states Let’s Encrypt and fallback to ZeroSSL “by default”, but how would I go about configuring, let’s say, BuyPass, then ZeroSSL and then LE for fallback?
Also, it seems whenever you select the issuers/cert_issuer, you have to specify an API key for ZeroSSL but not when you specify the acme_ca as a URL, which seems to be a tad counterintuitive.
The many linked resources should help you out, including the syntax for configuring issuers (I assume you’re using the Caddyfile; if not, you can find similar help in our JSON structure docs).
Something like this:
    tls {
        issuer acme {
            dir https://api.buypass.com/acme/directory
        }
        issuer zerossl # could alternatively use "issuer acme ..." with ZeroSSL directory endpoint
        issuer acme # current default is LE; hard-code dir endpoint to force that
    }
In an upcoming patch release (probably) you’ll be able to roll that first one into a single line: issuer acme https://api.buypass.com/acme/directory.
That’s what I thought, but I got tripped up with a deploy script that kept forcing 2.2.1 on me behind my back when I thought (and checked initially) I had 2.3.0 installed. The API key is needed for cert_issuer zerossl on 2.2.1 but not in 2.3.0!
So this below would be “forcing” the order as it is/was defined, correct? Was not that clear for me in the documentation, even though I went through the linked references before I posted and asked.
Perhaps adding a “priority” field might make it clearer, especially for cases like: “first try this issuer, then load balancer/round-robin these and last case try this issuer”.