Using ZeroSSL's ACME endpoint

ZeroSSL is an ACME-compatible certificate authority and an alternative to Let’s Encrypt.

ZeroSSL’s ACME endpoint is already compatible with Caddy because it implements RFC 8555. But Caddy 2.2 has more convenient support for ZeroSSL because it will automatically generate the necessary External Account Binding (EAB) credentials for you.

As of Caddy 2.2, there are several ways to use ZeroSSL. I’ll demonstrate the Caddyfile config, but you can use caddy adapt to get the equivalent JSON.

Using global options

The easiest way is to specify the ZeroSSL ACME directory endpoint along with your email address at the top of your Caddyfile (no account required):

{
    acme_ca https://acme.zerossl.com/v2/DV90
    email   you@yours.com
}

You can also configure the zerossl issuer explicitly with your ZeroSSL account’s API key:

{
    cert_issuer zerossl <api_key>
}

If you manually generated EAB credentials from your account, you can specify them directly (this also works with Caddy 2.1):

{
    acme_eab {
        key_id  <key_id>
        mac_key <mac_key>
    }
}

Note that EAB is always required with ZeroSSL, but you do not have to manually generate the EAB credentials; Caddy 2.2 can do that for you using the first two configurations.
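
What the key_id and mac_key are actually used for, as an added example (not Caddy's own code): per RFC 8555 section 7.3.4, the client signs its ACME account public key (a JWK) with HMAC under the MAC key and sends the result as externalAccountBinding in the newAccount request. The JWK, key ID, MAC key and newAccount URL below are constructed sample values, and the function names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

var b64 = base64.RawURLEncoding

// EAB holds the three base64url parts of the flattened JWS.
type EAB struct{ Protected, Payload, Signature string }

// mac computes HMAC-SHA256 over the JWS signing input "protected.payload".
func mac(macKeyB64, input string) ([]byte, error) {
	key, err := b64.DecodeString(macKeyB64)
	if err != nil {
		return nil, fmt.Errorf("mac_key is not base64url: %w", err)
	}
	h := hmac.New(sha256.New, key)
	h.Write([]byte(input))
	return h.Sum(nil), nil
}

// BindAccount signs the account's public JWK; the header has kid and url, no nonce.
func BindAccount(keyID, macKeyB64, newAccountURL string, accountJWK []byte) (EAB, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "kid": keyID, "url": newAccountURL})
	e := EAB{Protected: b64.EncodeToString(hdr), Payload: b64.EncodeToString(accountJWK)}
	sig, err := mac(macKeyB64, e.Protected+"."+e.Payload)
	e.Signature = b64.EncodeToString(sig)
	return e, err
}

// Verify is the CA-side check: recompute the MAC and compare in constant time.
func Verify(e EAB, macKeyB64 string) bool {
	want, err := mac(macKeyB64, e.Protected+"."+e.Payload)
	got, err2 := b64.DecodeString(e.Signature)
	return err == nil && err2 == nil && hmac.Equal(got, want)
}

func main() {
	// Constructed sample values, not real credentials or a real endpoint.
	jwk := []byte(`{"crv":"P-256","kty":"EC","x":"sample-x","y":"sample-y"}`)
	key := b64.EncodeToString([]byte("constructed-example-mac-key"))
	e, err := BindAccount("sample-key-id", key, "https://acme.example/newAccount", jwk)
	fmt.Println(e, err, Verify(e, key))
}
```

Because the MAC key is a shared secret that ties an ACME account key to your ZeroSSL account, treat mac_key (and the API key that can mint it) like any other credential in your config.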

Using the tls directive

If you want to use ZeroSSL for only some of your sites, you can use the tls directive like you’re used to:

tls you@yours.com {
    ca https://acme.zerossl.com/v2/DV90
}

Or, with an API key:

tls {
    issuer zerossl <api_key>
}

Or, with manually-generated EAB credentials:

tls {
    ca  https://acme.zerossl.com/v2/DV90
    eab <key_id> <mac_key>
}