Using acme.sh to apply for ZeroSSL wildcard domain certificate, an alternative to Let's Encrypt

Publish: 2021-06-05 | Modify: 2021-06-05

In an earlier article titled "Applying for a Let's Encrypt wildcard SSL certificate using the acme.sh script", I shared how to apply for Let's Encrypt wildcard SSL certificates using the acme.sh script. With continuous updates from the acme.sh author, it now supports multiple certificate providers such as ZeroSSL, BuyPass, and Let's Encrypt.

It has been rumored that the Let's Encrypt OCSP server is blocked in China, resulting in slow loading when a website using a Let's Encrypt certificate is visited for the first time. It is not yet clear if there is a solution for this issue (some say Let's Encrypt has replaced the OCSP server to resolve the problem, but it has not been verified by xiaoz). In any case, having more options is always beneficial. This article will share another SSL service provider called ZeroSSL.

About ZeroSSL

ZeroSSL was launched in 2016 and, like Let's Encrypt, its certificates have a validity period of only 90 days and support wildcard SSL certificates. Unlike Let's Encrypt, ZeroSSL API does not have rate limits, so there is no issue with multiple SSL certificate applications from the same IP address. ZeroSSL also provides a web interface for managing SSL certificates, making it more feature-rich compared to Let's Encrypt.

In the acme.sh documentation, it is mentioned that the default server for acme.sh is Let's Encrypt, but starting from August 1, 2021, with the release of version 3, the default server will be changed to ZeroSSL (reference: https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL). This shows that ZeroSSL is becoming more popular and acme.sh is also aligning itself with ZeroSSL.

Installing acme.sh

acme.sh implements the ACME protocol. It helps you quickly apply for SSL certificates, renews them automatically, and simplifies the whole process. It has to be installed before use; the following commands are executed on a Linux system.

# Install acme.sh
curl https://get.acme.sh | sh

Yes, it's as simple as running a single command to install it. After installation, you can use acme.sh -v to check the current version.

[root@qcloud-cd ~]# acme.sh -v
https://github.com/acmesh-official/acme.sh
v2.9.0

Changing acme.sh server to ZeroSSL

In acme.sh version 2.x, Let's Encrypt is the default service provider. However, we can change it to ZeroSSL using the following command:

# Change the default service provider to ZeroSSL
acme.sh --set-default-ca --server zerossl

Configuring DNS API

SSL certificate validation can be done through DNS verification, file verification, and other methods. To facilitate applying for multiple domain names and future certificate updates, it is recommended to use the DNS API method. However, some setup is required before using it.

If you are using DNSPOD (Chinese version), the commands are as follows:

export DP_Id="1234"
export DP_Key="sADDsdasdgdsf"

The API key can be obtained from https://console.dnspod.cn/account/token/apikey.


If you are using Huawei Cloud DNS (Chinese version), the commands are as follows:

export HUAWEICLOUD_Username="<Your Username>" # Usually hwxxxxxx
export HUAWEICLOUD_Password="<Your Password>"
export HUAWEICLOUD_ProjectID="<A Project ID>"
  • HUAWEICLOUD_Username: Huawei Cloud username
  • HUAWEICLOUD_Password: Huawei Cloud password
  • HUAWEICLOUD_ProjectID: Obtain it from My Credentials

acme.sh supports multiple DNS service providers, and they are not listed here. You can refer to the official documentation at https://github.com/acmesh-official/acme.sh/wiki/dnsapi for more information on setting them up.

ZeroSSL Usage Instructions

Before applying for a certificate, it is recommended to register an account on the ZeroSSL official website at https://zerossl.com/ so that it can be associated with the certificates obtained using acme.sh.

Also, please note that if you apply for an SSL certificate through the ZeroSSL website, the free account has a limit of 3 domains. However, there is no such limit when using acme.sh, so it is recommended to use acme.sh for simplicity and convenience.

Applying for ZeroSSL wildcard SSL certificates with acme.sh

For the first use, you need to register a ZeroSSL account (refer to the previous step). If you have already registered, the following command will automatically associate the account. Replace myemail@example.com with your own ZeroSSL email address:

acme.sh --register-account -m myemail@example.com --server zerossl

Taking the xiaoz.me domain as an example, which is using Huawei Cloud DNS, I have already set up the Huawei Cloud DNS API in the previous step. Now, you can apply for the certificate by running the following command:

# Apply for ZeroSSL wildcard SSL certificate
# (the wildcard name is quoted so the shell does not expand * against local files)
acme.sh --dns dns_huaweicloud --issue -d xiaoz.me -d '*.xiaoz.me'

If there are no errors during the application process, you can copy the SSL certificate to any desired location using the following command:

acme.sh --installcert -d xiaoz.me \
        --key-file /data/ssl/xiaoz.me.key \
        --fullchain-file /data/ssl/xiaoz.me.crt

The above command exports the xiaoz.me SSL certificate to the /data/ssl directory.
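Before pointing a web server at the exported files, it is worth checking that they are what you expect. The script below is an added example, not part of the original article or of acme.sh: it checks that the private key is not readable by group or others, that the key belongs to the certificate, that both the apex and wildcard names are in the SAN list, and that the certificate is not about to expire. It assumes the openssl command-line tool is installed; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from acme.sh): sanity checks on an exported key/cert pair.

# True if the key file grants nothing to group or others (-L follows symlinks).
key_is_private() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# True if the leaf certificate in $1 lists the exact DNS name $2 in its SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$2"
}

# True if the private key $1 and the leaf certificate in $2 share a public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Run every check; print one line per failure and return the failure count.
check_install() {
    key=$1; cert=$2; domain=$3; min_days=${4:-30}; fails=0
    key_is_private "$key" ||
        { echo "FAIL: $key is readable by group or others"; fails=$((fails + 1)); }
    key_matches_cert "$key" "$cert" ||
        { echo "FAIL: key does not match certificate"; fails=$((fails + 1)); }
    for name in "$domain" "*.$domain"; do
        cert_has_san "$cert" "$name" ||
            { echo "FAIL: SAN list lacks $name"; fails=$((fails + 1)); }
    done
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: certificate expires within $min_days days"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage: sh check.sh /data/ssl/xiaoz.me.key /data/ssl/xiaoz.me.crt xiaoz.me
if [ "$#" -ge 3 ]; then
    check_install "$@"
fi
```

key_is_private can also be pointed at ~/.acme.sh/account.conf, where acme.sh saves the exported DNS API credentials for later renewals.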

Deployment and Viewing

This article does not cover how to deploy SSL certificates. It is recommended to search online for instructions. After deployment, you can view the certificate information through a browser, as shown in the following screenshots.

Conclusion

ZeroSSL inherits almost all the features of Let's Encrypt and also supports web-based certificate management. Using acme.sh to apply for ZeroSSL certificates is also very simple. It is a perfect replacement for Let's Encrypt. However, just like Let's Encrypt, the free version SSL certificates have a validity period of only 90 days. Nevertheless, having another SSL service provider to choose from is great. So why not give it a try?

