github
/
acme.sh
mirror of https://github.com/acmesh-official/acme.sh
1
0
Fork 0
Code Issues Releases Wiki Activity
Page: Change of default CA to ZeroSSL
Pages
Blogs and tutorials BuyPass.com CA CA Change of default CA to ZeroSSL Code of conduct DNS API Dev Guide DNS API Structural Info description DNS API Test DNS alias mode DNS manual mode Deploy ssl certs to apache server Deploy ssl certs to nginx Deploy ssl to SolusVM Donate list Enable acme.sh log Exit Codes Explicitly use DOH Google Public CA Google Trust Services CA Home How to debug acme.sh How to install How to issue a cert How to run on DD WRT with lighttpd How to run on OpenWrt How to use Amazon Route53 API How to use Azure DNS How to use OVH domain api How to use Oracle Cloud Infrastructure DNS How to use lexicon DNS API How to use on Solaris based operating sytsems How to use on embedded FreeBSD Install in China Install preparations Issue a cert from existing CSR OVH Success Options and Params Preferred Chain Run acme.sh in docker SSL.com CA Server Simple guide to add TLS cert to cpanel Stateless Mode Synology NAS Guide Synology RT1900ac and RT2600ac install guide TLS ALPN without downtime Usage on Tomato routers Use DNS Exit DNS API Using pre hook post hook renew hook reloadcmd Using systemd units instead of cron Utilize multiple DNS API keys Validity ZeroSSL.com CA _Footer_ deploy to docker containers deployhooks dnsapi dnsapi2 dnscheck dnssleep how about the private key access modes, chmod, or chown or umask ipcert notify openvpn2.4.7服务端和客户端使用注意 revokecert sudo tlsa next key 如何安装 说明
1 Change of default CA to ZeroSSL
Roy Orbitson edited this page 2025-08-04 15:57:43 +09:30

Previously, if no server was provided, or if --set-default-ca was not run, acme.sh used letsencrypt as the default CA.

https://github.com/acmesh-official/acme.sh/wiki/Server

As of acme.sh v3.0, the default CA is now ZeroSSL.

This change will only affect the newly created(issued) certs after August-1st (with v3.0), any pre-existing certs will still be renewed automatically against the current CA.

Q&A:

  1. As an existing user, what do I need to do?

    Generally, nothing needs doing. (If auto-upgrade is enabled, acme.sh can upgrade itself). No matter if acme.sh is upgraded to v3.0 or not, your existing certs will be renewed as before, against the same CA they're currently using.

  2. Will I still be able to use letsencrypt then?

    Yes, of course. You are still free to use any supported CA by providing --server parameter.

    acme.sh --issue -d example.com --dns dns_cf --server letsencrypt

  3. What if I don't like this change, and want to stick to letsencrypt?

    Yes, sure. You can --set-default-ca now or any time you like. Then acme.sh will always use the default CA you set:

    acme.sh --set-default-ca --server letsencrypt

    If you set the default CA, acme.sh will respect your choice first. It will always use this default CA in the future, in v2.*, v3.* or any future v4.*.

    acme.sh always respects your choice first, and will never make any changes to your files without your permissions.

  4. My current cert is using letsencrypt, Will it be changed when renewed then?

    No, and never. Don't worry. when your cert is renewed, it will use the current CA, not the default CA.

  5. As a new user after August-1st 2021(v3.0), what will it look like to me?

    You can install acme.sh as normal, nothing has changed.

    You can also issue certs as normal. See how to issue a cert:

    acme.sh --issue -d example.com --dns dns_cf

    The cert will be issued with the default CA, ZeroSSL.

    You can also try with letsencrypt:

    acme.sh --issue -d example.com --dns dns_cf --server letsencrypt

Here is a comparison of ZeroSSL to Let's Encrypt:

https://zerossl.com/letsencrypt-alternative/