ZeroSSL ACME API response deterioration information

If you are using ZeroSSL with Caddy and are having trouble issuing or renewing your certificate, check your ZeroSSL Status.
https://status.zerossl.com/

You can find ZeroSSL's official announcements here:
https://help.zerossl.com/hc/en-us/categories/360004896194-Announcements

Caddy uses Let’s Encrypt by default, so you usually don’t need to worry about this unless you explicitly state the use of ZeroSSL in the Caddyfile.

I’ve made this a Wiki so you can edit this post if you want. Please update the information if necessary.

There was a report in a ZeroSSL GitHub issue that certificate renewal timed out.
https://github.com/zerossl/zerossl/issues/9

I checked the ZeroSSL Status and now the ZeroSSL ACME API is down a lot. It looks like this response has been getting worse for a few days.
https://status.zerossl.com/8200003/2021/06

Edit: This issue seems to have been addressed. You can check the latest server status from the link above.

I received an announcement from ZeroSSL. If you are using ZeroSSL with Caddy, you will need to take action at the Caddy or user level. This will be done in the GitHub Issue.

That’s not true – Caddy will handle revoked certificates via OCSP, and automatically request a new one. See the discussion in "ZeroSSL certificate must be forcibly reissued" (Issue #4191, caddyserver/caddy on GitHub).

2 Likes

No user action is required if your certificates are revoked. Caddy replaces them automatically.

2 Likes

According to the ZeroSSL website, ZeroSSL will be under maintenance for 6 hours after this.
Even if there are reports of certificates that cannot be issued, it is a problem on the ZeroSSL side.
Perhaps this maintenance will change some certificates.

Workaround in Firefox. Chrome and Edge (Chromium based) also work with revoked certificates.

(Edit: June 12, 2021 (Japanese Time: June 13 morning))

Some ZeroSSL certificates were revoked on June 11, 2021.
We have already seen the related posts.

However, Firefox is mainly affected. Chrome also delays sending a revoked certificate error.
Edge (Chromium based) is not affected by this.
You may not have noticed it for a while.
Caddy v2.4.2 supports renewal of revoked certificates.
But the Caddy developers haven’t been able to test these.

If you need to renew your certificate now
If your Caddy has few admin domains, manually delete the certificate directory and restart Caddy.

If your Caddy has a lot of admin domains, apply the batch module to Caddy:

As I have already commented, there is a way around the reference issue in Firefox