Details were in the context of acme.sh v2.x being the current version. I have updated the details to reflect the fact that v3.x is the current version. Also provided English grammar copyedit.

master
Jivan Pal 2022-08-14 19:38:18 +01:00
parent 66922bb460
commit 74ea8a6b43
2 changed files with 47 additions and 61 deletions

@ -1,61 +0,0 @@
As for now, if no `server` is provided, or you have not `--set-default-ca` yet, acme.sh uses letsencrypt as the default CA.
https://github.com/acmesh-official/acme.sh/wiki/Server
Starting from `August-1st 2021`, acme.sh will release v3.0, in which the default CA will use [ZeroSSL](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA) instead.
This change will only affect the newly created(issued) certs after `August-1st` (with v3.0), any pre-existing certs will still be renewed automatically against the current CA.
Q&A:
1. As an existing user, what do I need to do?
Generally, nothing needs to do. (If auto-upgrade is enabled, acme.sh can upgrade itself).
No matter acme.sh is upgraded to v3.0 or not, your existing certs will be renewed as before, against the same CA it's currently using.
2. Will I still be able to use letsencrypt then?
Yes, of course. You are still free to use any supported CA with providing `--server` parameter.
```
acme.sh --issue -d example.com --dns dns_cf --server letsencrypt
```
3. What if I don't like this change? I want to stick to letsencrypt?
Yes, sure. You can `--set-default-ca` now or any time you like. Then acme.sh will always use the default ca you set:
```
acme.sh --set-default-ca --server letsencrypt
```
If you set the default CA, acme.sh will respect your choice first. It will always use this default ca in the future, no matter in `v2.*`, `v3.*` or any future `v4.*`.
**acme.sh always respects your choice first, and will never make any changes to your files without your permissions.**
4. My current cert is using letsencrypt, Will it be changed when renewed then?
No, and never. Don't worry. when your cert is renewed, it will use the current CA, not the default CA.
5. As a new user after `August-1st 2021`(v3.0), what will it look like to me?
You can install acme.sh as normal, nothing is changed.
You can also issue certs as normal [See how to issue a cert](https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert):
```
acme.sh --issue -d example.com --dns dns_cf
```
The cert will be issued with the default CA [ZeroSSL](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)
You can also try with letsencrypt:
```
acme.sh --issue -d example.com --dns dns_cf --server letsencrypt
```
There is a comparison: ZeroSSL vs Let's Encrypt:
https://zerossl.com/letsencrypt-alternative/
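Review bot: The old page is deleted outright (`@ -1,61 +0,0 @`) and its content recreated in Change-default-CA.md, so any existing link to the old page name will stop resolving. Consider leaving a short stub at the old name that points to the new page. The removed bold sentence "acme.sh always respects your choice first, and will never make any changes to your files without your permissions." also has no counterpart in the new text; if dropping that assurance is intentional, mention it in the commit message.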

47
Change-default-CA.md Normal file

@ -0,0 +1,47 @@
When issuing a cert, if no CA is specified via the `--server` parameter, the default CA is used. The default CA can be changed via the `--set-default-ca` option. As of acme.sh v3.0 (August 1, 2021), the default CA after installation is ZeroSSL. Prior to this, it was Let's Encrypt.
See [Server](https://github.com/acmesh-official/acme.sh/wiki/Server) for a list of valid CAs that can be passed to `--server` and `--set-default-ca`.
The default CA is not used when renewing certs that have already been issued. As such, the change of default CA from Let's Encrypt to ZeroSSL only affects certs issued with the `--issue` option using acme.sh v3.0 or later. Renewal requests for any certs already issued using an older version of acme.sh will still be sent to the CA they were originally issued by. If you never used `--server` or `--set-default-ca` in older versions of acme.sh, this means that your existing certs will continue to be renewed by Let's Encrypt.
### FAQ
1. As an existing user, what do I need to do?
Generally, nothing needs to be done. (If auto-upgrade is enabled, acme.sh can upgrade itself.) Whether acme.sh is upgraded to v3.0 or not, your existing certs will be renewed as before, against the same CA they were issued by.
2. Will I still be able to use Let's Encrypt?
Yes, of course. You are still free to use any supported CA by providing the `--server` parameter:
```
acme.sh --issue -d example.com --dns dns_cf --server letsencrypt
```
3. What if I don't like this change? I want to stick to Let's Encrypt?
You can use `--set-default-ca` at any time. Then acme.sh will always use the default CA you set:
```
acme.sh --set-default-ca --server letsencrypt
```
In all versions of acme.sh, if you explicitly the default CA using this option, acme.sh will use this choice if `--server` is not specified.
4. My current cert is using Let's Encrypt, will it be changed when renewed after I upgrade to acme.sh v3.0 or later?
No, and never. Don't worry. when your cert is renewed, it will use the current CA, not the new default CA.
5. As a new user of v3.0 or later, what will it look like to me?
You can install acme.sh as normal, nothing has changed.
You can also issue certs as normal. See [How to issue a cert](https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert):
```
acme.sh --issue -d example.com --dns dns_cf
```
The cert will be issued with the default CA, [ZeroSSL](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA).
You can also try with letsencrypt:
```
acme.sh --issue -d example.com --dns dns_cf --server letsencrypt
```
Here is a comparison of ZeroSSL and Let's Encrypt: https://zerossl.com/letsencrypt-alternative/
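Review bot: In the answer to question 3, "if you explicitly the default CA using this option" is missing its verb; it should read "if you explicitly set the default CA using this option". In the answer to question 4, "Don't worry. when your cert is renewed" needs a capital "When", and "it will use the current CA" is ambiguous next to "the new default CA"; wording such as "the CA it was originally issued by", matching the opening paragraph, would be clearer. "You can also try with letsencrypt:" under question 5 should use "Let's Encrypt" for consistency with the rest of the new text, since the lowercase form is otherwise used only as the `--server` value.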