What's the difference between the acme and zerossl modules?

Could you help me understand the difference between the acme and zerossl modules please, and why by default it creates both?

With a single route defined if I run

caddy adapt

I see that in the automation.policies.issuers it creates two entries, one with the ‘acme’ module and one with the ‘zerossl’ module. I’m not clear on how these differ given they both take ‘ca’ parameters. I assume this isn’t related to actually serving zerossl certs? The descriptions seem pretty similar:

ACME

manages certificates using the ACME protocol (RFC 8555).

ZEROSSL

makes an ACME manager for managing certificates using ACME.

"automation": {
  "policies": [
    {
      "issuers": [
        {
          "ca": "https://acme-staging-v02.api.letsencrypt.org/directory",
          "challenges": {
            "dns": {
              "override_domain": "___",
              "provider": {
                "aws_profile": "default",
                "max_retries": 1,
                "name": "route53"
              }
            }
          },
          "module": "acme"
        },
        {
          "ca": "https://acme-staging-v02.api.letsencrypt.org/directory",
          "challenges": {
            "dns": {
              "override_domain": "___",
              "provider": {
                "aws_profile": "default",
                "max_retries": 1,
                "name": "route53"
              }
            }
          },
          "module": "zerossl"
        }
      ]
    }
  ]
}

The ZeroSSL issuer generates and uses EAB (External Account Binding) credentials for you so that you can use ZeroSSL. The vanilla ACME issuer defaults to Let’s Encrypt which does not require EAB.

With EAB you are able to log into ZeroSSL and view/manage your ACME domains in your dashboard.

Please set your real email address in your config! :slight_smile:

You can actually configure the acme issuer manually to use your ZeroSSL EAB credentials. But that requires some manual steps, because on its own, the ACME issuer doesn’t know about ZeroSSL or how to get its EAB. EAB is vendor-specific.

So with its own issuer, Caddy can use ZeroSSL automatically and by default.

Note that the actual implementation of the ZeroSSL issuer is literally a thin wrapper over the ACME issuer; the only unique logic is around EAB:

https://pkg.go.dev/github.com/caddyserver/caddy/v2/modules/caddytls#ZeroSSLIssuer

The godoc could be better for this type, I admit.
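As an added example (not code from this thread or from Caddy itself), the Python below shows what the "EAB" in the answer actually is, and the two issuer shapes the answer contrasts. external_account_binding builds the externalAccountBinding JWS that RFC 8555 section 7.3.4 places in a newAccount request: an HMAC-SHA256, keyed with the MAC key the CA handed out, over the client's own ACME account key; verify_external_account_binding is the CA-side check. acme_issuer_with_manual_eab and zerossl_issuer render the two issuer objects as dicts: the plain acme issuer must be told the ZeroSSL directory and given the credentials under external_account (key_id and mac_key are the field names Caddy's acme issuer uses), while the zerossl issuer obtains the same pair on its own. The key ID, MAC key and JWK are constructed placeholders, not real ZeroSSL credentials, and the function names are mine.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed placeholders, NOT real ZeroSSL credentials. ZeroSSL issues each
# account a key ID plus a base64url-encoded HMAC key; that pair is exactly what
# the acme issuer's external_account block ({"key_id", "mac_key"}) expects.
ZEROSSL_DIRECTORY = "https://acme.zerossl.com/v2/DV90"
EXAMPLE_EAB_KEY_ID = "example-eab-kid"
EXAMPLE_EAB_MAC_KEY = b64url(bytes([1]) * 32)


def external_account_binding(account_jwk: dict, key_id: str, mac_key: str,
                             new_account_url: str) -> dict:
    """Build the externalAccountBinding JWS of RFC 8555 section 7.3.4.

    The client signs its own ACME account public key (the JWK carried in the
    outer newAccount JWS) with the CA-issued MAC key, so the CA can tie the
    fresh ACME account to the existing ZeroSSL account that owns that key.
    """
    header = {"alg": "HS256", "kid": key_id, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":"),
                                sort_keys=True).encode())
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(mac_key), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_external_account_binding(binding: dict, mac_key: str,
                                    account_jwk: dict, expected_kid: str) -> bool:
    """What a CA checks on newAccount: the right kid, a valid HMAC, and a
    signed payload equal to the account key of the enclosing request."""
    try:
        header = json.loads(b64url_decode(binding["protected"]))
        payload = json.loads(b64url_decode(binding["payload"]))
        signature = b64url_decode(binding["signature"])
    except (KeyError, ValueError):
        return False
    if header.get("alg") != "HS256" or header.get("kid") != expected_kid:
        return False
    signing_input = f"{binding['protected']}.{binding['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(mac_key), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature) and payload == account_jwk


def acme_issuer_with_manual_eab(email: str, key_id: str, mac_key: str) -> dict:
    """The 'manual steps' route from the answer: point the plain acme issuer at
    ZeroSSL and hand it the EAB credentials yourself via external_account."""
    return {
        "module": "acme",
        "ca": ZEROSSL_DIRECTORY,
        "email": email,
        "external_account": {"key_id": key_id, "mac_key": mac_key},
    }


def zerossl_issuer(email: str) -> dict:
    """The automatic route: the zerossl issuer is the acme issuer plus the
    logic that fetches the EAB pair itself, so no external_account is given.
    Any ca/challenges settings take the same form as on the acme issuer."""
    return {"module": "zerossl", "email": email}
```

Treat mac_key as a secret: whoever holds the pair can bind further ACME accounts to your ZeroSSL account, so if you take the manual route, keep the adapted JSON that contains external_account out of pastes and version control.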
