fmt, copy-edits, and a new troubleshooting section

master
ignoramous 2021-11-11 23:38:36 +05:30
parent 2ea992981f
commit 930482b640
1 changed files with 31 additions and 32 deletions

@ -1,66 +1,65 @@
Using ZeroSSL.com CA
## Using ZeroSSL.com CA
ZeroSSL doesn't have rate limits. One can issue _unlimited_ TLS/SSL certificate valid for 90 days ([ref](https://zerossl.com/letsencrypt-alternative/#acme)).
See also: https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL
Note: Since `v3`, `acme.sh` uses Zerossl as the default Certificate Authority (CA). Account registration (one-time) is required before one can issue new certs. See also: https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL
### 1. Register your account.
##### 1a. With an email address
ZeroSSL doesn't have staging and no production rate limit, you can issue unlimited SSL of 90 days.
Alternatively you can create account and grab your acme credentials faster on [ZeroSSL ](https://zerossl.com) and even manage issued SSL.
https://zerossl.com/letsencrypt-alternative/#acme
Note:
From acme.sh v3.0.0, acme.sh is using Zerossl as default ca, you must register the account first(one-time) before you can issue new certs.
### 1. Register your account with an email address:
```
```bash
acme.sh --register-account -m myemail@example.com --server zerossl
```
```
If you already have an account at www.zerossl.com,
you can also register your acme account with External Account Binding (EAB) credentials.
##### 1b. With EAB credentials
1. Generate your EAB credentials at: https://app.zerossl.com/developer
2. Register acme account:
Alternatively, if you sign up for a [ZeroSSL account](https://app.zerossl.com/signup), bootstrap `acme.sh` with _External Account Binding_ (EAB) credentials, like so:
1. Generate your EAB credentials from https://app.zerossl.com/developer
2. Register your EAB credentials.
```bash
acme.sh --register-account --server zerossl \
--eab-kid xxxxxxxxxxxx \
--eab-hmac-key xxxxxxxxx
```
### 2. Done. You can use Zerossl.com with `--server zerossl` as normal now.
Users with a ZeroSSL account can manage issued certificates from [developer console](https://zerossl.com/features/console/).
```
### 2. Issue certificates
Use Zerossl.com with `--server zerossl`:
```bash
acme.sh --server zerossl \
--issue -d example.com \
--dns dns_cf
```
### 3. If you don't want to specify `--server zerossl` every time you issue a cert, you can set `zerossl` as the default CA:
If you don't want to specify `--server zerossl` every time you issue a cert, you can set `zerossl` as the default CA:
```
```bash
acme.sh --set-default-ca --server zerossl
```
See: https://github.com/acmesh-official/acme.sh/wiki/Server
Read: https://github.com/acmesh-official/acme.sh/wiki/Server
Then you can issue any cert from zerossl:
Issue any cert _from_ zerossl without having to specify `--server`:
```
```bash
acme.sh --issue -d example.com --dns dns_cf
```
### 3. Troubleshooting
More details:
##### Le_OrderFinalize: A KeyID must be specified
If certificate issuance fails and you see something like this in the logs
```shell
[XYZ 18 09:50:07 -02 2020] Create new order error. Le_OrderFinalize not found.
{"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"A Key ID MUST be specified"}
```
then, re-generate your EAB credentials (refer step #2) and [re-run certificate issuance](https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert). See: [acme.sh/issues/3310](https://github.com/acmesh-official/acme.sh/issues/3310#issuecomment-785374480).
https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert
----
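Review bot: In the new Troubleshooting section, "re-generate your EAB credentials (refer step #2)" points at the wrong place. After this change, step 2 is "Issue certificates", and EAB credentials are generated under "1b. With EAB credentials". Suggest "refer step 1b", and state whether the account has to be registered again with the new `--eab-kid` / `--eab-hmac-key` values before re-running issuance, since the text goes straight from regenerating to re-issuing. Two smaller points in the same section: the heading reads "A KeyID must be specified" while the quoted log says "A Key ID MUST be specified", so a reader searching for the exact error string will not match the heading; and the log excerpt is fenced as `shell` although it is log output, not a command. Elsewhere the CA name is spelled both "Zerossl" and "ZeroSSL" in the added text; pick one.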