diff --git a/ZeroSSL.com-CA.md b/ZeroSSL.com-CA.md index 343c165..a746348 100644 --- a/ZeroSSL.com-CA.md +++ b/ZeroSSL.com-CA.md 
@@ -1,66 +1,65 @@ -Using ZeroSSL.com CA - +## Using ZeroSSL.com CA -See also: https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL +ZeroSSL doesn't have rate limits. One can issue _unlimited_ TLS/SSL certificate valid for 90 days ([ref](https://zerossl.com/letsencrypt-alternative/#acme)). +Note: Since `v3`, `acme.sh` uses Zerossl as the default Certificate Authority (CA). Account registration (one-time) is required before one can issue new certs. See also: https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL +### 1. Register your account. -ZeroSSL doesn't have staging and no production rate limit, you can issue unlimited SSL of 90 days. +##### 1a. With an email address -Alternatively you can create account and grab your acme credentials faster on [ZeroSSL ](https://zerossl.com) and even manage issued SSL. - - -https://zerossl.com/letsencrypt-alternative/#acme - -Note: - From acme.sh v3.0.0, acme.sh is using Zerossl as default ca, you must register the account first(one-time) before you can issue new certs. - - - - -### 1. Register your account with an email address: - -``` +```bash acme.sh --register-account -m myemail@example.com --server zerossl ``` -``` -If you already have an account at www.zerossl.com, -you can also register your acme account with External Account Binding (EAB) credentials. +##### 1b. With EAB credentials -1. Generate your EAB credentials at: https://app.zerossl.com/developer -2. Register acme account: +Alternatively, if you sign up for a [ZeroSSL account](https://app.zerossl.com/signup), bootstrap `acme.sh` with _External Account Binding_ (EAB) credentials, like so: +1. Generate your EAB credentials from https://app.zerossl.com/developer +2. Register your EAB credentials. +```bash acme.sh --register-account --server zerossl \ --eab-kid xxxxxxxxxxxx \ --eab-hmac-key xxxxxxxxx ``` -### 2. Done. You can use Zerossl.com with `--server zerossl` as normal now. 
+Users with a ZeroSSL account can manage issued certificates from [developer console](https://zerossl.com/features/console/). -``` +### 2. Issue certificates + +Use Zerossl.com with `--server zerossl`: + +```bash acme.sh --server zerossl \ --issue -d example.com \ --dns dns_cf ``` -### 3. If you don't want to specify `--server zerossl` every time you issue a cert, you can set `zerossl` as the default CA: +If you don't want to specify `--server zerossl` every time you issue a cert, you can set `zerossl` as the default CA: -``` +```bash acme.sh --set-default-ca --server zerossl ``` -See: https://github.com/acmesh-official/acme.sh/wiki/Server +Read: https://github.com/acmesh-official/acme.sh/wiki/Server -Then you can issue any cert from zerossl: +Issue any cert _from_ zerossl without having to specify `--server`: -``` +```bash acme.sh --issue -d example.com --dns dns_cf ``` +### 3. Troubleshooting -More details: +##### Le_OrderFinalize: A KeyID must be specified +If certificate issuance fails and you see something like this in the logs +```shell +[XYZ 18 09:50:07 -02 2020] Create new order error. Le_OrderFinalize not found. +{"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"A Key ID MUST be specified"} +``` +then, re-generate your EAB credentials (refer step #2) and [re-run certificate issuance](https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert). See: [acme.sh/issues/3310](https://github.com/acmesh-official/acme.sh/issues/3310#issuecomment-785374480). -https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +----
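Review bot: In the new "### 3. Troubleshooting" section, "re-generate your EAB credentials (refer step #2)" points at the wrong step. After this change, step 2 is "Issue certificates" and EAB generation lives under "##### 1b. With EAB credentials", so the reference should read "refer step 1b". In the same section, the heading "Le_OrderFinalize: A KeyID must be specified" does not match the quoted log string "A Key ID MUST be specified"; use the exact log text so that someone searching for the error finds the section. Two smaller points: the sub-headings jump from `###` to `#####`, skipping a level, and the added text mixes "Zerossl", "zerossl" and "ZeroSSL" for the CA name where the removed text had the same inconsistency, so this is a good moment to settle on "ZeroSSL" in prose and keep `zerossl` only for the `--server` value. The rewrite also drops the removed line's statement that ZeroSSL has no staging environment; if that is still true it is worth keeping, since readers coming from other CAs will look for a staging endpoint before issuing against production.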