Using ZeroSSL.com CA
ZeroSSL doesn't have rate limits. One can issue unlimited TLS/SSL certificates, each valid for 90 days (ref).
Note: Since v3, acme.sh uses ZeroSSL as the default Certificate Authority (CA). Account registration (one-time) is required before one can issue new certs. See also: https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL
1. Register your account.
1a. With an email address
acme.sh --register-account -m myemail@example.com --server zerossl
1b. With EAB credentials
Alternatively, if you sign up for a ZeroSSL account, bootstrap acme.sh with External Account Binding (EAB) credentials, like so:
- Generate your EAB credentials from https://app.zerossl.com/developer
- Register your EAB credentials.
acme.sh --register-account --server zerossl \
--eab-kid xxxxxxxxxxxx \
--eab-hmac-key xxxxxxxxx
Users with a ZeroSSL account can manage issued certificates from the developer console.
2. Issue certificates
Use ZeroSSL.com with --server zerossl:
acme.sh --server zerossl \
--issue -d example.com \
--dns dns_cf
If you don't want to specify --server zerossl every time you issue a cert, you can set zerossl as the default CA:
acme.sh --set-default-ca --server zerossl
Read: https://github.com/acmesh-official/acme.sh/wiki/Server
Issue any cert from ZeroSSL without having to specify --server:
acme.sh --issue -d example.com --dns dns_cf
3. Troubleshooting
Le_OrderFinalize: A KeyID must be specified
If certificate issuance fails and you see something like this in the logs:
[XYZ 18 09:50:07 -02 2020] Create new order error. Le_OrderFinalize not found.
{"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"A Key ID MUST be specified"}
then re-generate your EAB credentials (refer to step #2) and re-run certificate issuance. See: acme.sh/issues/3310.