ZeroSSL is an ACME-compatible certificate authority alternative to Let’s Encrypt.
ZeroSSL’s ACME endpoint is already compatible with Caddy because it implements RFC 8555. But Caddy 2.2 has more convenient support for ZeroSSL because it will automatically generate the necessary External Account Binding (EAB) credentials for you.
As of Caddy 2.2, there are several ways to use ZeroSSL. I’ll demonstrate the Caddyfile config, but you can use caddy adapt to get the equivalent JSON.
Using global options
The easiest way is to specify the ZeroSSL ACME directory endpoint along with your email address at the top of your Caddyfile (no account required):
{
    acme_ca https://acme.zerossl.com/v2/DV90
    email you@yours.com
}
You can also configure the zerossl issuer explicitly with your ZeroSSL account’s API key:
{
    cert_issuer zerossl <api_key>
}
If you manually generated EAB credentials from your account, you can specify them directly (this also works with Caddy 2.1):
{
    acme_ca https://acme.zerossl.com/v2/DV90
    acme_eab {
        key_id <key_id>
        mac_key <mac_key>
    }
}
Note that EAB is always required with ZeroSSL, but you do not have to manually generate the EAB credentials; Caddy 2.2 can do that for you using the first two configurations.
Using the tls directive
If you want to use ZeroSSL for only some of your sites, you can use the tls directive like you’re used to:
tls you@yours.com {
    ca https://acme.zerossl.com/v2/DV90
}
Or, with an API key:
tls {
    issuer zerossl <api_key>
}
Or, with manually-generated EAB credentials:
tls {
    ca https://acme.zerossl.com/v2/DV90
    eab <key_id> <mac_key>
}