acme.sh is and will be after the change an excellent acme client so in my case, if nothing wrong happens, I'll keep recommending it. I see no need to modify the acme clients list while acme.sh supports Let's Encrypt and the doc is clear about how to use it.
As far as I know (but correct me if I'm wrong please), all clients on the clients list will use Let's Encrypt by default. If acme.sh is the odd man out, I think that warrants a warning. Just something like: "Note: this client does not use the Let's Encrypt ACME server by default. Please see the documentation on how to change the ACME server used to correctly configure it for use with Let's Encrypt."
Getting started with acme.sh Let’s Encrypt SSL client
I can't even get acme.sh to work with the ZeroSSL ACME server. The Wiki says I can just run acme.sh --register with the EAB keys and "Done". However, the next output when trying to get a cert issued is Create new order error. Le_OrderFinalize not found. "type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"A Key ID MUST be specified" suggesting the EAB keys aren't used?
The ZeroSSL ACME documentation suggests using the API key instead of the EAB keys for "partner ACME clients", which acme.sh is, but I can't find anything about that on the acme.sh Wiki. Ah well, strengthening my idea about the lack of proper documentation for acme.sh again, unfortunately. Although the REST API is not the same as the ACME server, so all those "free certificates without limitations" wouldn't be applicable if using the API key.
If it's even impossible to get the ZeroSSL ACME server working with a "partner ACME client", well, I can imagine they offer everything for free using their ACME server. Smart way of making more moneyz!
Anyway, if you want it "the standard way" you always needed to configure your certs with the --always-force-new-domain-key option to get a sensible key rotation. This new change is pretty similar: If you want to keep the old behavior you can still do it, you just need to configure it. Obviously configuration is always hard for non-informed users, but acme.sh has never been a does-not-need-configuring type of script.
For users who want to stick with Let's Encrypt and acme.sh, you can easily set the default CA to Let's Encrypt via the --set-default-ca command line argument. You only need this once, thus not requiring a --server letsencrypt each time you get a new cert. Compatibility with old certs is ensured anyway, but that's not the point here.
I personally use acme.sh for both Let's Encrypt and ZeroSSL certificates: First of all, this is incredibly easy with acme.sh, you can use both CAs side by side with this client. Second, the reason why I'm using two different CAs in the first place is client compatibility: The ZeroSSL chain (they're basically a reseller for Sectigo) is much more compatible than Let's Encrypt's ISRG Root X1, so I'm using their certificates for services that need legacy compatibility and everything else gets their certificates from Let's Encrypt.
At a high level, ACME is pretty simple. An ACME client creates an account with an ACME server and submits a certificate order. The server responds with a set of challenges for the client to complete, to prove control over identifiers (domain names) in the certificate. Once the client successfully completes these challenges, it submits a certificate signing request (CSR) and the server issues a certificate.
Apache httpd has integrated ACME support via mod_md. The v1.x.x releases only work with ACMEv1. The v2.x.x releases do support ACMEv2 but, unfortunately, I had trouble getting mod_md working with step-ca in time for this post. For now, we can deploy certificates to Apache the same way we did for Nginx: by using a command-line ACME client, configuring Apache to load a certificate and key from disk, and signaling the server after certificate renewals.
The second method is to use a DNS provider, such as Cloudflare, which is demoed below, to verify ownership of the domain. You will need to define an \.acme.sh\account.conf file with the following values.
Starting from August-1st 2021, acme.sh will release v3.0, in which the default CA will use ZeroSSL instead. This change will only affect the newly created (issued) certs after August-1st (with v3.0); any pre-existing certs will still be renewed automatically against the current CA.
A couple of years ago it was acceptable to have a website running in plain HTTP mode, i.e. un-encrypted. If you were handling credit cards or needed a secure login area you could just encrypt that section of the website with an HTTPS/SSL certificate.
Let's Encrypt is a zero-cost certificate authority for HTTPS encryption, now trusted by all major root programs including Google, Microsoft, Apple, Mozilla and Oracle. Used in conjunction with freely available tools it provides automatic enrolment and renewal, and simple certificate creation, negating validation emails and manual configuration.
At the heart is the acme.sh shell script, probably one of the easiest and smartest client scripts around, which automatically issues and renews free certificates from Let's Encrypt using the Automatic Certificate Management Environment (ACME) protocol.
With lb-letsencrypt.sh, we provide a wrapper for acme.sh that gives the essential error-checking of the Loadbalancer.org config, the VIP and Stunnel information and specifies other utilities (email, batch, cron update).
Letsencrypt client integration work into Centmin Mod's Nginx web server started in Centmin Mod 123.09beta01 version and is now available in both Centmin Mod 124.00stable and 130.00beta01 versions. For details of the integration using Centmin Mod's addons/acmetool.sh addon script and underlying acme.sh client, check out official community forum thread available at Centmin Mod Letsencrypt Branch discussions.
Centmin Mod's addons/acmetool.sh addon script and underlying acme.sh client also support other Certificate Authority (CA) providers besides Letsencrypt. As such Centmin Mod also natively supports using SSL certificates provided by both ZeroSSL CA and Google Public CA. Read further below for details.
To be able to use Letsencrypt SSL certificate support in Centmin Mod Nginx, ensure you update your domain name's DNS A records for apex domain.com, www.domain.com and/or any subdomain.domain.com to point to the Centmin Mod server's IP address. This is required because Letsencrypt needs to validate your domain name by checking that it resolves and reaches your Centmin Mod Nginx server's domain vhost site. By default, Letsencrypt domain validation is done via the web root authentication method, where the client automatically generates a challenge file at -known/acme-challenge/*.
Centmin Mod's addons/acmetool.sh addon script and underlying acme.sh client also support DNS domain validation, where the client automatically generates a DNS TXT record via your domain's DNS provider's API and Letsencrypt then reads that generated DNS TXT record to validate your domain for SSL certificate issuance. Read further below for Letsencrypt DNS API validation details.
To enable native Letsencrypt SSL certificate support for Centmin Mod Nginx, set the variable LETSENCRYPT_DETECT='y' in the persistent config file /etc/centminmod/custom_config.inc (create the file if it does not already exist). This allows Centmin Mod Nginx's vhost creation routines to use the addons/acmetool.sh addon script to obtain free Letsencrypt SSL certificates for the desired Nginx vhost domain name. If this variable isn't set, Nginx vhost generation can optionally default to creating self-signed SSL certificates in its place. These are not web browser trusted SSL certificates, so browsers will report them as invalid. But this allows you to do developer testing for an HTTPS SSL certificate enabled site without having to issue an actual web browser trusted SSL certificate. That is useful if during testing you don't need a web browser trusted SSL certificate, which will show up in publicly searchable SSL certificate transparency logs.
Originally, switching to ZeroSSL certificates was a workaround for Letsencrypt DST Root CA X3 root certificate expiration on September 30, 2021 as a way of regaining older device compatibility with your Centmin Mod Nginx HTTPS web sites which used Letsencrypt SSL certificates. However, you can choose to use free ZeroSSL SSL certificates instead of free Letsencrypt SSL certificates for everyday use. Or switch between the two CA providers if you wish.
The ZeroSSL website lists a side by side comparison with Letsencrypt. The main differences are that ZeroSSL has no rate limits for SSL certificate issuance and has a GUI based management console for issued SSL certificates.
    ls -lah /root/.acme.sh/ca/
    total 0
    drwxr-xr-x 4 root root  66 Sep 26 00:39 .
    drwx------ 9 root root 233 Sep 30 23:43 ..
    drwxr-xr-x 3 root root  23 Sep 26 00:06 acme-v02.api.letsencrypt.org
    drwxr-xr-x 3 root root  16 Sep 26 00:39 acme.zerossl.com

    /usr/local/src/centminmod/addons/acmetool.sh checkdates
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    /usr/local/nginx/conf/ssl/zerossl.domain.com/zerossl.domain.com-acme.cer
    SHA1 Fingerprint=06FE84519E09ACB75BBE11EDF26F7D41D0Bxxxxx
    certificate expires in 83 days on 25 Dec 2021
    /usr/local/nginx/conf/ssl/letsencrypt.domain.com/letsencrypt.domain.com-acme.cer
    SHA1 Fingerprint=423A55D99E8BEEBBC4C42C82E2C8683684Cxxxxx
    certificate expires in 87 days on 29 Dec 2021
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    /root/.acme.sh/zerossl.domain.com/zerossl.domain.com.cer
    SHA1 Fingerprint=06FE84519E09ACB75BBE11EDF26F7D41D0Bxxxxx
    [ below certifcate transparency link is only valid 1hr after issuance ]
    =06FE84519E09ACB75BBE11EDF26F7D41D0Bxxxxx
    certificate expires in 83 days on 25 Dec 2021
    /root/.acme.sh/letsencrypt.domain.com/letsencrypt.domain.com.cer
    SHA1 Fingerprint=423A55D99E8BEEBBC4C42C82E2C8683684Cxxxxx
    [ below certifcate transparency link is only valid 1hr after issuance ]
    =423A55D99E8BEEBBC4C42C82E2C8683684Cxxxxx
    certificate expires in 87 days on 29 Dec 2021