Let's Encrypt is an amazing organisation doing an amazing thing by providing certificates at scale, for free. The problem though was that they were the only such organisation for a long time, but I'm glad to say that the ecosystem is changing.
It's always a good idea to have another option
Back in Jan 2019 I wrote about Having a backup CA for Let's Encrypt and showed how easy it was to take a variety of ACME based tools that used Let's Encrypt as a default provider and point them at Buypass, another independent CA offering certificates for free. They provide the same 90 day certificates as Let's Encrypt and it was as simple as changing the API address to
https://api.buypass.com/acme/directory. Today, I'm glad to say that another CA is entering the mix in offering free, 90 day certificates via an ACME compliant API that is just as easy to use.
ZeroSSL offering free certs via ACME
ZeroSSL.com is now joining the (sadly) very small group of awesome CAs giving away free, 90-day certs via ACME.
One of the tools that I use, acme.sh, already has support for issuing certs from ZeroSSL so it was super easy to get started using them.
acme.sh --register-account -m firstname.lastname@example.org --server zerossl
Now you're ready to issue a certificate!
acme.sh --issue --dns dns_cf -d zerossltest.scotthelme.co.uk --server zerossl
That's it! Here's the certificate I got:
-----BEGIN CERTIFICATE-----
MIIGhzCCBG+gAwIBAgIRAJsdx4P1ig30SBJEbepvVQ8wDQYJKoZIhvcNAQEMBQAw
SzELMAkGA1UEBhMCQVQxEDAOBgNVBAoTB1plcm9TU0wxKjAoBgNVBAMTIVplcm9T
U0wgUlNBIERvbWFpbiBTZWN1cmUgU2l0ZSBDQTAeFw0yMDExMTIwMDAwMDBaFw0y
MTAyMTAyMzU5NTlaMCcxJTAjBgNVBAMTHHplcm9zc2x0ZXN0LnNjb3R0aGVsbWUu
Y28udWswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCuO3ptw7oBfoLv
AAbd9S1TtwJEs6iLB44WPUJwyqXcDxd/nwK40lSdi3vQrpG6fwnDH0ydykbfOPEa
LB5S/rFQhJdeL6FY4Q57sv1kEP6gxuFOqj6/GVv4xxYlLr9HajF8QpxyEwqQ52vy
u9Kd9Nz4rvIo10X3852bo3TPPQ5jyenluJvzbpHpTHEtj7k7GT26eBY9qH82oZQR
KsvQEwe7CQBCuG86VSs57fbuCdFwCCN/EeAes4tj9XGssyxFLEzFFN0AzuiMVLdY
VqPoXtyJ+mzclpJvajEmG1SiCCLOWfDQPAIglSeVYzLeHVTc/ZEK1xAluvhEUQu5
5DraCkdHAgMBAAGjggKIMIIChDAfBgNVHSMEGDAWgBTI2XhootkZaNU9ct5fCj7c
tYaGpjAdBgNVHQ4EFgQU7JoL25qTDuyZG5eHePqyq01ol6EwDgYDVR0PAQH/BAQD
AgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
MEkGA1UdIARCMEAwNAYLKwYBBAGyMQECAk4wJTAjBggrBgEFBQcCARYXaHR0cHM6
Ly9zZWN0aWdvLmNvbS9DUFMwCAYGZ4EMAQIBMIGIBggrBgEFBQcBAQR8MHowSwYI
KwYBBQUHMAKGP2h0dHA6Ly96ZXJvc3NsLmNydC5zZWN0aWdvLmNvbS9aZXJvU1NM
UlNBRG9tYWluU2VjdXJlU2l0ZUNBLmNydDArBggrBgEFBQcwAYYfaHR0cDovL3pl
cm9zc2wub2NzcC5zZWN0aWdvLmNvbTCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2
AH0+8viP/4hVaCTCwMqeUol5K8UOeAl/LmqXaJl+IvDXAAABdbycM1MAAAQDAEcw
RQIhALExVBEl9FWZg3JRrYZqu+3QrBoJGyPhVmDbHN+hibrwAiBTlyM1M311Nqkt
vid0KOju94nheSk2WmpQO9ZAXAp3tgB2AJQgvB6O1Y1siHMfgosiLA3R2k1ebE+U
PWHbTi9YTaLCAAABdbycM30AAAQDAEcwRQIhANDVMm/VZgHojBEiRY5GRyzRL+JE
wVH6p6Sv8TKTfQIDAiBcbgJ2U/R3mPTgpZgqulJVQYflrkOJeea4Rxqbijr3zjAn
BgNVHREEIDAeghx6ZXJvc3NsdGVzdC5zY290dGhlbG1lLmNvLnVrMA0GCSqGSIb3
DQEBDAUAA4ICAQAEJWvtrlW+ceRkXRY4FSCj3ekNYPZmV3IGdr5vJ0o5FrWu7LCy
nOqxVtHHRDCAaiqOI2h+8zUdPtpnOibnYRdgD+jC3PxpCCxv2sKmqRP4HsQvjwvw
OtB+oWjE3xRxTQ4ncz8/Rg2bNtC0t5FbCSgNihNpMuPz5ro40EGW7OWp3OdfeUvW
dKM9WlNgLFwsKNDRHzpPLcF4rG/SNCfVo5GjMqNYIZEgcUTY3nxxsZuV5ygrvFtD
xi0wfLpoT1ePyIoSmHzAQZ9Bk2pN9Lm6jW9/brKf8+HDKSQSV6vbJl8I4Jarql0j
EhpXTnKtIxWf/05KBAJXlR1/tiliRL4ZZWTZ/yBNHd0TvMDbtxjp7vyP5xLtLUXi
ksg/pJwXbjpvRr8coSzmR1sR8Dk3hUr2aeIcHRwGM4vR3HlXdXqoNE5ds1xQDeyT
HL5O4b1YOFyyxKAwA2SbktMu7Xw/GMOnyeeeuaIE4KnSb02n004HEP4DHnoRvl3o
Eurh7I2h/u9n5jN1trlPgsN64Q2gQ2ljsnfs/7dJwxw36a3R9uD7QmQPJ7esct55
AVD1SnYZgRIfdCKQW+qgTt7Lw3grzfJHjppfcdBdgy/2eqKBv6wpuWXLvy66EoQ0
ystq4I8GWhfK/UVkcbQx9+MbMDYvRr1CUNoZeoNjynAcR2qI22T/Vx5A7w==
-----END CERTIFICATE-----
As I said before, Let's Encrypt are an awesome organisation doing an awesome thing and that's reflected in the sheer number of people using them. Having more CAs support ACME in this way is not about stopping using Let's Encrypt, it's about having more diversity in the ecosystem and making it more reliable. Let's Encrypt could have a busy day, they could have some downtime, or heck, in some disaster scenario, maybe they could cease operations! No matter what happens, and even if it never happens, I think it's always best to have options, and this is what ZeroSSL and Buypass now provide. It gives me more confidence to be able to move infrastructure to depend on acquiring certificates via these mechanisms when there is no longer a single point of failure. Also consider just how easy it is to switch CA with ACME: that is normally a nightmare task, and if you've ever had to do it before you'll know what I mean. Providing certificates via ACME does not mean giving away free certificates either, you can still pay for them, so other CAs really have no reason not to do this and I look forward to more CAs offering ACME endpoints in the future.
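The "have options" argument above turns into a few lines of renewal logic: try the preferred CA, and if it fails for any reason, move down a list of alternatives rather than letting the certificate expire. This is an added example and not the author's or acme.sh's own code. It builds the `acme.sh --issue --dns dns_cf -d … --server …` command line from the post for each server in turn; `zerossl` and the Buypass directory URL are the values given in this post and the earlier one, while the Let's Encrypt v2 directory URL is not on the page and is assumed here from Let's Encrypt's published endpoint. The `run` hook exists so the ordering logic can be exercised without acme.sh installed.

```python
import subprocess

# ACME servers to try, in order of preference. "zerossl" is the acme.sh short name the post
# uses and the Buypass directory URL is the one the post gives; the Let's Encrypt directory
# URL is not on the page and is an assumption for this example.
ACME_SERVERS = [
    "zerossl",
    "https://api.buypass.com/acme/directory",
    "https://acme-v02.api.letsencrypt.org/directory",
]

def acme_sh_issue_args(domain, server, dns_provider="dns_cf"):
    # The issue command from the post, parameterised on domain and ACME server.
    return ["acme.sh", "--issue", "--dns", dns_provider, "-d", domain, "--server", server]

def run_acme(args):
    # Default runner: invoke acme.sh and treat exit status 0 as a successful issuance.
    return subprocess.run(args).returncode == 0

def issue_with_fallback(domain, servers=ACME_SERVERS, run=run_acme):
    """Try each ACME server until one issues; return (winning_server, attempts).

    `attempts` records (server, succeeded) for every server tried, so a monitor can alert
    when the primary CA keeps failing even though a fallback rescued the renewal.
    """
    attempts = []
    for server in servers:
        ok = run(acme_sh_issue_args(domain, server))
        attempts.append((server, ok))
        if ok:
            return server, attempts
    return None, attempts
```

Two things to keep in mind when wiring this into a cron job: ZeroSSL needs the `--register-account -m …` step from earlier in the post to have run once before `--issue` will work, and a fallback that silently succeeds every night hides the fact that the primary CA is broken, which is why the attempt log is returned alongside the winner.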
Update: The CAA value for this CA is