Let's Encrypt is an amazing organisation doing an amazing thing by providing certificates at scale, for free. The problem though was that they were the only such organisation for a long time, but I'm glad to say that the ecosystem is changing.

It's always a good idea to have another option

Back in Jan 2019 I wrote about Having a backup CA for Let's Encrypt and showed how easy it was to take a variety of ACME based tools that used Let's Encrypt as a default provider and point them at Buypass, another independent CA offering certificates for free. They provide the same 90 day certificates as Let's Encrypt and it was as simple as changing the API address from https://acme-v02.api.letsencrypt.org/directory to https://api.buypass.com/acme/directory. Today, I'm glad to say that another CA is entering the mix in offering free, 90 day certificates via an ACME compliant API that is just as easy to use.

ZeroSSL offering free certs via ACME

ZeroSSL.com is now joining the (sadly) very small group of awesome CAs giving away free, 90-day certs via ACME.

One of the tools that I use, acme.sh, already has support for issuing certs from ZeroSSL so it was super easy to get started using them.

acme.sh --register-account -m foo@bar.com --server zerossl

Now you're ready to issue a certificate!

acme.sh --issue --dns dns_cf -d zerossltest.scotthelme.co.uk --server zerossl

That's it! Here's the certificate I got:


crt.sh link

Continuing growth

As I said before, Let's Encrypt are an awesome organisation doing an awesome thing and that's reflected in the sheer number of people using them. Having more CAs support ACME in this way is not about stopping using Let's Encrypt, it's about having more diversity in the ecosystem and making it more reliable. Let's Encrypt could have a busy day, they could have some downtime, or heck, in some disaster scenario, maybe they could cease operations! No matter what happens, and even if it never happens, I think it's always best to have options, and this is what ZeroSSL and Buypass now provide. It gives me more confidence to be able to move infrastructure to depend on acquiring certificates via these mechanisms when there is no longer a single point of failure. Also consider just how easy it is to switch CA when they all speak ACME; switching CA has traditionally been a nightmare task, and if you've ever had to do it before you'll know what I mean. Providing certificates via ACME does not mean giving away free certificates either: you can still pay for them, so other CAs really have no reason not to do this, and I look forward to more CAs offering ACME endpoints in the future.

Update: The CAA value for this CA is sectigo.com.
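One thing that bites people when they switch to a backup CA is a CAA record that only names the CA they started with. Below is an added example (my own, not part of the post or of acme.sh) that evaluates RFC 8659 CAA rules against constructed DNS data to show which of the three CAs could issue for a host; letsencrypt.org and sectigo.com (ZeroSSL) are the values from the post, buypass.com for Buypass is an assumption, and the zone contents are made up.

```python
# Offline RFC 8659 CAA check: which ACME CAs may issue for a host?
# Constructed records, not live DNS. letsencrypt.org and sectigo.com (ZeroSSL)
# are the post's values; buypass.com is assumed for Buypass.
CAA_ISSUER = {"letsencrypt": "letsencrypt.org", "zerossl": "sectigo.com",
              "buypass": "buypass.com"}

# Constructed zone data: name -> list of (flags, tag, value) CAA records.
CAA_ZONE = {
    "scotthelme.co.uk": [(0, "issue", "letsencrypt.org"),
                         (0, "issue", "sectigo.com; validationmethods=dns-01"),
                         (0, "issuewild", ";")],          # nobody may issue wildcards
    "locked.example": [(128, "futuretag", "x")],          # critical flag, unknown tag
}

def relevant_caa(hostname):
    """Climb from hostname towards the root; the first non-empty record set wins."""
    labels = hostname.lower().lstrip("*.").split(".")
    for i in range(len(labels)):
        records = CAA_ZONE.get(".".join(labels[i:]))
        if records:
            return records
    return []

def issuer_domain(value):
    """'sectigo.com; validationmethods=dns-01' -> 'sectigo.com'; ';' -> '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()

def can_issue(ca, hostname):
    """True if the named CA is permitted to issue for hostname ('*.' means wildcard)."""
    records = relevant_caa(hostname)
    if not records:
        return True                       # no CAA anywhere: any CA may issue
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 128 and tag not in known for flags, tag, _ in records):
        return False                      # unknown critical tag: a CA must refuse
    wildcard = hostname.startswith("*.")
    applicable = [v for _, t, v in records if t == "issuewild"] if wildcard else []
    if not applicable:                    # no issuewild (or not a wildcard): use issue
        applicable = [v for _, t, v in records if t == "issue"]
    if not applicable:
        return True                       # only iodef etc.: no issuance restriction
    return CAA_ISSUER[ca] in {issuer_domain(v) for v in applicable}

def permitted_cas(hostname):
    """Sorted list of the configured ACME CAs that may issue for hostname."""
    return sorted(ca for ca in CAA_ISSUER if can_issue(ca, hostname))

if __name__ == "__main__":
    for host in ("zerossltest.scotthelme.co.uk", "*.scotthelme.co.uk", "www.locked.example"):
        print(host, "->", permitted_cas(host))
```

Run it against your own zone (replace CAA_ZONE with a real lookup) before pointing acme.sh at a different --server, so the backup CA is not refused by your own CAA policy.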