undefined | Better HN

0 pointskouteiheika4y ago0 comments

> and you can switch transparently

> ZeroSSL.com

I kinda wish people would stop recommending them. This might have changed, but last time I tried ZeroSSL (~a year ago) it was not RFC 8555 compliant (specifically section 7.3.1), and you were basically supposed to use their own proprietary API to deal with the issue. So you can't always switch transparently.

If you need an alternative use Buypass. Also free, and they're actually RFC 8555 compliant.

0 comments

4 comments · 3 top-level

tlamponi4y ago· 1 in thread

FWIW: I'm not recommending anything, just listing a few providers that claim to be ACME conform, to be specific I took the list from the acme.sh:

https://github.com/acmesh-official/acme.sh#supported-ca

But it seems that acme.sh got bought by zero ssl, which would explain that it's their default now..

Out of honest interest, where did they fail to honor "7.3.1 Finding an Account URL Given a Key"?

kouteiheikaOP4y ago

> Out of honest interest, where did they fail to honor "7.3.1 Finding an Account URL Given a Key"?

Well... it doesn't work. Let me quote the RFC:

> If the server receives a newAccount request signed with a key for which it already has an account registered with the provided account key, then it MUST return a response with status code 200 (OK) and provide the URL of that account in the Location header field.

With ZeroSSL you could only call `newAccount` once; any subsequent call will fail, while according to the RFC it should return the URL of the account. So you have to either a) use their proprietary API to recover the URL (I sent them a bug report for this and that's what they basically told me), or b) save the URL along with the account key (which you don't have to do for any other ACME provider).

iostream234y ago

Buypass saved the day last month. We were suddenly not working in older browsers due to rhe expired root cert, and just one server flag on the certbot invocation and now we are good until 2040. Yay ACME protocol and yay Buypass

gsich4y ago

Whats the issue with that? I use ZeroSSL and never had to use their non-ACME-API.

j / k navigate · click thread line to collapse