ZeroSSL: XSS to session hijacking, stealing a private key (and password hash) (groups.google.com)
112 points by kkm on Jan 19, 2023 | 24 comments


Important note: ZeroSSL is not a certificate authority but a certificate reseller who is paying an actual CA, Sectigo, to operate a white-label intermediate certificate with ZeroSSL in the name[1].

As a non-CA, ZeroSSL isn't required to provide an incident report or revoke any certificates like the researcher is requesting. Fortunately, their bad security can only impact their own customers, in contrast to a CA whose bad security can affect everyone.

[1] see https://www.agwa.name/blog/post/the_certificate_issuer_field...


Sectigo might be required to revoke them, then? There doesn't seem to be a requirement for the compromise to be Sectigo's fault, according to my reading of the Baseline Requirements [1]:

> The CA SHOULD revoke a certificate within 24 hours and MUST revoke a Certificate within 5 days if one or more of the following occurs: (...)

> 16. The CA is made aware of a demonstrated or proven method that exposes the Subscriber’s Private Key to compromise or if there is clear evidence that the specific method used to generate the Private Key was flawed.

[1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-...


ZeroSSL left an uncanny impression on me when for some reason acme.sh developers made them default instead of Let's Encrypt. This prompted me to switch to a different client (just in case of further worsening of Let's Encrypt support by acme.sh).


I prefer ZeroSSL to Let's Encrypt. ZeroSSL has no rate limit, and most importantly they have full ECC support. With Let's Encrypt, even if I request an ECC cert, the intermediate CA is still RSA, drastically increasing the certificate size (they have their reasons of compatibility, but I don't care about that).


LetsEncrypt now has an ECC root and intermediates. You have to request the account ID to be included, and after which, the intermediate and root certificates will be ECC. More information here: https://community.letsencrypt.org/t/ecdsa-availability-in-pr...


The alternative you suggest has a longer chain of certificates and a more difficult setup. Using ZeroSSL is way easier, with fewer bytes in the TLS handshake.


Do you have a test host with the ZeroSSL chain that you speak of? Use https://aye.sh if you want to try a host using the ECC chain from LE.


So the article is outdated I guess. The length of the chain is the same now.

I'll consider switching back to Let's Encrypt once this setup doesn't require a whitelist.


I believe the ZeroSSL chain (really Sectigo) is trusted by more devices than the new ISRG root (mostly old unupdated ones). Also, ZeroSSL has fewer limits in their ACME implementation. Downsides are that ZeroSSL has some questionable security practices, and also I think ZeroSSL either doesn't support tls-alpn-01 validation or it's just broken.


Which client did you end up on? The list is somewhat overwhelming.


Going to throw another hat into the ring here: I use acme-tiny [1], which is a single file ACME client written in Python in under 200 lines. The idea behind it is that you can fully read and understand everything it does without spending too much time on it. I really like this approach, so I went ahead and started using it, and have been for a few years now.

[1] https://github.com/diafygi/acme-tiny


I too am moving away from acme.sh for the same reason. Dehydrated looks nice but I started using goacme.

https://github.com/go-acme/lego

I wasn't set on only bash though.


dehydrated, as it has few dependencies.


Before 2020, ZeroSSL used to be a browser-based ACME client using Let's Encrypt. I don't doubt that money was involved, and they switched to Comodo (now Sectigo), with no notice that I could think of. I used them for a few one-off certificates, but this rug-pull caught me off guard. I'd happily watch if they go down in this dumpster fire.


ZeroSSL is pretty much the worst. If you need TLS certs, don't use them.


What other options are there that support old clients and are free + automatable?

It’s all well and good to prefer Let's Encrypt if your clients are using web browsers, but it is not suitable for more exotic cases. E.g. video streaming, where clients can be things like many-years-old copies of VLC, which no longer trust Let's Encrypt certs.


gogetssl.com issues free 90 day Sectigo (formerly Comodo) certificates and they have an ordering API. Caveats: 1) I don't know if those certificates will work in old VLC clients or whatever. 2) After you order the certificate you get an email from the CA with a link that you have to click saying that you approve issuance. I don't know what happens if you try to automate that.

For me the main hassle of LetsEncrypt is the 90 day rotation and there have been situations where I'd rather just pay for a longer lasting certificate. Gogetssl (above) sells 5 year DV Sectigo certificates for $16, it looks like.

Ignore the prices shown on the not-logged-in part of the site: sign up for their "reseller" program (you get approved right away automatically) and you can see their real price list while you are logged in.


Just to note, if you're using these certs for the web, browsers won't trust long-life certs nowadays: https://chromium.googlesource.com/chromium/src/+/HEAD/net/do...


Thanks. I used to work at an MSP and we had a white-label Comodo reseller account, and this looks useful for a few purposes.


I had a very similar problem with older clients attempting to connect to streaming sites hosted on a WHM cluster. One day Let's Encrypt certs stopped being trusted on some of the older client machines. Fortunately, the provider from cPanel was also free and their certs worked (and still work) with older clients.


Could you provide more info?


Hmm… I’m wondering if this is a security flaw on purpose so the NSA or other authorities have an easy backdoor?


Dehydrated.io, damn few dependencies.

You're welcome.

https://github.com/dehydrated-io/dehydrated


There's a number of these to consider: https://github.com/topics/acme-client



