Zerossl no longer accepting challenges?

houmie · July 2, 2024, 2:43pm

Hello,

Sorry I’m keeping it short. I installed today latest Caddy_v2.8.4 with the config I had used for version Caddy_v2.7.6. I get this error message:

Error: loading initial config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: provisioning automation policy 0: loading TLS automation management module: position 1: loading module 'zerossl': decoding module config: tls.issuance.zerossl: json: unknown field 'challenges'

So I ended deleting the entire zerossl below from my config and then caddy was able to start.

"tls": {
      "certificates": {
        "automate": [
          "domain.com",
          "*.domain.com"
        ]
      },
      "automation": {
        "policies": [
          {
            "issuers": [
              {
                "module": "acme",
                "email": "info@email.com",
                "challenges": {
                  "dns": {
                    "provider": {
                      "name": "cloudflare",
                      "api_token": "{env.CLOUDFLARE_API_TOKEN}"
                    }
                  }
                }
              },
              {
                "module": "zerossl",
                "email": "info@email.com",
                "challenges": {
                  "dns": {
                    "provider": {
                      "name": "cloudflare",
                      "api_token": "{env.CLOUDFLARE_API_TOKEN}"
                    }
                  }
                }
              }
            ]
          }
        ]
      }
    }
  }

Is zerossl no longer supported?

Thank you

Whitestrake · July 3, 2024, 4:58am

ZeroSSL is still supported. Changes were made to this issuer in version 2.8.0.

You should use the cname_validation key instead of challenges. This documentation is current: https://caddyserver.com/docs/modules/tls.issuance.zerossl

The change was made here: caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6… · caddyserver/caddy@81413ca · GitHub

The release notes are here: Release v2.8.0 · caddyserver/caddy · GitHub - although they don’t explicitly specify that the challenges key was superseded by cname_validation here.

houmie · July 3, 2024, 7:19am

Thank you. The structure has entirely changed. I tried to replace challenges with cname_validation but there are more differences.

so under cname_validation → provider I’m supposed to add cloudflare in my case, which is non-standard and requires caddy-dns (which I have installed)

However caddy dns makes no reference to zerossl. They are still listing the ACME way on their page.

Whitestrake · July 3, 2024, 8:23am

I’m not sure what this means exactly, but, Caddy’s DNS providers are modular - they can be used by the ZeroSSL issuance module just the same as they can be used by the ACME issuance module. Caddy’s DNS providers don’t need to “refer” to the issuer - the issuer refers to the DNS provider.

They may wish to update that. Maybe opening an issue requesting an update might prompt them to provide a new example specifically for ZeroSSL?

The salient parts seem identical - instead of challenges.dns.provider you’ll need to specify cname_validation.provider. The provider here references the same module as it does for the ACME issuer and has the same configuration.

houmie · July 3, 2024, 9:07am

Sure, I will open an ‘issue’ on their page.

So you mean it should change from this:

{
                "module": "zerossl",
                "email": "${EMAIL_VC}",
                "challenges": {
                  "dns": {
                    "provider": {
                      "name": "cloudflare",
                      "api_token": "{env.CLOUDFLARE_API_TOKEN}"
                    }
                  }
                }
              }

to this:

              {
                "module": "zerossl",
                "email": "${EMAIL_VC}",
                "cname_validation": {
                    "provider": {
                       "name": "cloudflare",
                       "api_token": "{env.CLOUDFLARE_API_TOKEN}"
                  }
                }
              }

I’m not sure if "name": "cloudflare", is acceptable, the docs seem to suggest only api_token is acceptable.

Whitestrake · July 3, 2024, 9:12am

It does seem that way, yeah.

I should just clarify that it doesn’t need to be CHANGED, though. It’s still accurate for the ACME issuer. But you might want to request an additional example for the separate ZeroSSL API issuer to go alongside the existing example.

francislavoie · July 6, 2024, 5:37am

Are you sure you want to use the zerossl issuer? That’ll use the ZeroSSL API, not ZeroSSL’s ACME endpoint. Using the API requires an API key, as far as I understand. If you use the acme issuer (with ZeroSSL’s ACME URL and your email address) that should work the same as before. You can have two acme issuers configured (where by default it’s Let’s Encrypt unless you change the URL). The release notes explain this:

If you use JSON to configure certificate automation policies, you will need to ensure you use the acme issuer with your email filled out, and the ca field set to ZeroSSL’s ACME server URL. If you want redundancy with Let’s Encrypt, be sure to specify another acme issuer as well (defaults OK, but we recommend setting an email there too).

system · August 5, 2024, 5:37am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.