Zerossl no longer accepting challenges?

Hello,

Sorry, I’m keeping it short. I installed the latest Caddy_v2.8.4 today with the config I had used for version Caddy_v2.7.6. I get this error message:

Error: loading initial config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: provisioning automation policy 0: loading TLS automation management module: position 1: loading module 'zerossl': decoding module config: tls.issuance.zerossl: json: unknown field 'challenges'

So I ended up deleting the entire zerossl block below from my config, and then Caddy was able to start.

    "tls": {
      "certificates": {
        "automate": [
          "domain.com",
          "*.domain.com"
        ]
      },
      "automation": {
        "policies": [
          {
            "issuers": [
              {
                "module": "acme",
                "email": "info@email.com",
                "challenges": {
                  "dns": {
                    "provider": {
                      "name": "cloudflare",
                      "api_token": "{env.CLOUDFLARE_API_TOKEN}"
                    }
                  }
                }
              },
              {
                "module": "zerossl",
                "email": "info@email.com",
                "challenges": {
                  "dns": {
                    "provider": {
                      "name": "cloudflare",
                      "api_token": "{env.CLOUDFLARE_API_TOKEN}"
                    }
                  }
                }
              }
            ]
          }
        ]
      }
    }
  }

Is zerossl no longer supported?

Thank you

ZeroSSL is still supported. Changes were made to this issuer in version 2.8.0.

You should use the cname_validation key instead of challenges. This documentation is current: https://caddyserver.com/docs/modules/tls.issuance.zerossl

The change was made here: caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6… · caddyserver/caddy@81413ca · GitHub

The release notes are here: Release v2.8.0 · caddyserver/caddy · GitHub - although they don’t explicitly specify that the challenges key was superseded by cname_validation here.

1 Like

Thank you. The structure has entirely changed. I tried to replace challenges with cname_validation but there are more differences.

So under cname_validation → provider I’m supposed to add cloudflare in my case, which is non-standard and requires caddy-dns (which I have installed).

However, caddy-dns makes no reference to zerossl. They are still listing the ACME way on their page.

I’m not sure what this means exactly, but, Caddy’s DNS providers are modular - they can be used by the ZeroSSL issuance module just the same as they can be used by the ACME issuance module. Caddy’s DNS providers don’t need to “refer” to the issuer - the issuer refers to the DNS provider.

They may wish to update that. Maybe opening an issue requesting an update might prompt them to provide a new example specifically for ZeroSSL?

The salient parts seem identical - instead of challenges.dns.provider you’ll need to specify cname_validation.provider. The provider here references the same module as it does for the ACME issuer and has the same configuration.

1 Like

Sure, I will open an ‘issue’ on their page.

So you mean it should change from this:

              {
                "module": "zerossl",
                "email": "${EMAIL_VC}",
                "challenges": {
                  "dns": {
                    "provider": {
                      "name": "cloudflare",
                      "api_token": "{env.CLOUDFLARE_API_TOKEN}"
                    }
                  }
                }
              }

to this:

              {
                "module": "zerossl",
                "email": "${EMAIL_VC}",
                "cname_validation": {
                  "provider": {
                    "name": "cloudflare",
                    "api_token": "{env.CLOUDFLARE_API_TOKEN}"
                  }
                }
              }

I’m not sure if "name": "cloudflare" is acceptable; the docs seem to suggest only api_token is acceptable.

It does seem that way, yeah.

I should just clarify that it doesn’t need to be CHANGED, though. It’s still accurate for the ACME issuer. But you might want to request an additional example for the separate ZeroSSL API issuer to go alongside the existing example.

1 Like

Are you sure you want to use the zerossl issuer? That’ll use the ZeroSSL API, not ZeroSSL’s ACME endpoint. Using the API requires an API key, as far as I understand. If you use the acme issuer (with ZeroSSL’s ACME URL and your email address) that should work the same as before. You can have two acme issuers configured (where by default it’s Let’s Encrypt unless you change the URL). The release notes explain this:

2 Likes
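The two migration routes discussed above (moving challenges.dns.provider to cname_validation.provider for the zerossl issuer, or switching to the acme issuer pointed at ZeroSSL's ACME endpoint) as a small added script that is not part of the thread or of Caddy itself. The ZeroSSL ACME directory URL and the acme issuer's "ca" key are assumptions not stated in the thread; the sample issuer is constructed from the config posted above.

```python
import copy
import json

# ZeroSSL's ACME directory URL for the "use the acme issuer instead" route
# (assumption: the thread names the option but not the URL).
ZEROSSL_ACME_CA = "https://acme.zerossl.com/v2/DV90"

# Constructed sample: a Caddy 2.7.6-style zerossl issuer as posted in the thread.
SAMPLE_ISSUER = {
    "module": "zerossl",
    "email": "info@email.com",
    "challenges": {
        "dns": {"provider": {"name": "cloudflare", "api_token": "{env.CLOUDFLARE_API_TOKEN}"}}
    },
}


def migrate_zerossl_issuer(issuer, use_acme=False):
    """Return a copy of one issuer object in the Caddy 2.8 layout.

    zerossl issuer: challenges.dns.provider becomes cname_validation.provider; the
    provider object (the caddy-dns module config) is carried over unchanged.
    use_acme=True: switch to the 'acme' issuer with ZeroSSL's ACME directory
    instead and keep the challenges block. Other issuers are returned as-is.
    """
    issuer = copy.deepcopy(issuer)  # never mutate the caller's config
    if issuer.get("module") != "zerossl":
        return issuer
    if use_acme:
        issuer["module"] = "acme"
        issuer["ca"] = ZEROSSL_ACME_CA  # 'ca' selects the ACME directory (assumption)
        return issuer
    challenges = issuer.pop("challenges", None) or {}
    provider = challenges.get("dns", {}).get("provider")
    if provider is None:
        raise ValueError("zerossl issuer has no challenges.dns.provider to migrate")
    issuer["cname_validation"] = {"provider": provider}
    return issuer


def migrate_config(config, use_acme=False):
    """Migrate every issuer under apps.tls.automation.policies in a full JSON config."""
    config = copy.deepcopy(config)
    for policy in config.get("apps", {}).get("tls", {}).get("automation", {}).get("policies", []):
        policy["issuers"] = [migrate_zerossl_issuer(i, use_acme) for i in policy.get("issuers", [])]
    return config


if __name__ == "__main__":
    print(json.dumps(migrate_zerossl_issuer(SAMPLE_ISSUER), indent=2))
```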