Ask HN: What is your experience with ZeroSSL?

3 points by grodriguez100 ↗ HN
Last month, Let's Encrypt made some changes to their certificate chain in order to reduce traffic exchange during a TLS handshake and also their operating costs; the details are explained here [1].

As a result, any certificates issued (or renewed) after Feb 8th will not work on older Android devices (< 7.1.1), unless the ACME client has been configure to request an alternate certificate chain. The "alternate chain" workaround will also stop working on June 6th.

I need to support these older Android devices so I am looking for alternatives. I have seen ZeroSSL mentioned a few times; it is also the default CA for acme.sh (the ACME client I am using nowadays) [2]. They have a number of paid plans but ACME certificates are free [3].

I'll be testing this over the next few days, but I would also like to ask if people here have experience with ZeroSSL (good or bad :-). Any feedback would be helpful.

[1]: https://letsencrypt.org/2023/07/10/cross-sign-expiration.html

[2]: https://github.com/acmesh-official/acme.sh

[3]: https://zerossl.com/documentation/acme/

7 comments

[ 3.1 ms ] story [ 32.8 ms ] thread
I got weired errors including delivery of old, expired, certificates on renewal and api errors. I currently log into Google acme as alternative to LE to have a backup, the Android issue does not apply to my environment.
I'm curious, if the Android issue does not apply to you, why are you looking for alternatives to LE ?
Ha, thank you so much. I was puzzled why an old junk Android I have, rejected the cert on GitHub Pages. I had factory reset it and wondered if an OTA might fix it. Now I won't wait, I need to install the CA.
There was a point where acme.sh [1] changed their default from LetsEncrypt to ZeroSSL and that bit my automation because I only use wildcard certificates. ZeroSSL does not offer free wildcard certs [2] whereas LetsEncrypt does.

[1] - https://github.com/acmesh-official/acme.sh

[2] - https://zerossl.com/pricing/

Yes it does offer free wildcard certs (for ACME); see: https://zerossl.com/documentation/acme/

“By using ZeroSSL's ACME feature, you will be able to generate an unlimited amount of 90-day SSL certificates at no charge, also supporting multi-domain certificates *and wildcards*. Each certificate you create will be stored in your ZeroSSL account.”

Interesting. Perhaps the error I received at the time was worded poorly giving me the impression there was a cost. Thank-you for the clarification. For now I will stick with LE as I do not have to create an account but I will keep ZeroSSL in mind should LE change things up.

[Edit] I remember now what led me to this conclusion. The error said I needed an account. I looked at the pricing page which indicated I had to pay for wildcards so I immediately looked for the flag to change back to LE. Looking at the pricing page I would still reach this conclusion. There should be some text that makes it obvious that using ACME allows for free wildcards.

Yes, you are right. The pricing page is confusing and it does not explain clearly that all the paid plans are not needed for ACME stuff.

I am not sure if this is an oversight or done on purpose..