Getting Started with ZeroSSL: A Free SSL Certificate Alternative


Introduction

Do you know about ZeroSSL? Most of you who run personal websites are likely using Let's Encrypt.

https://letsencrypt.org/ja/

Of course, I use it too. For engineers like myself, who generally understand how SSL works and know how to execute commands, obtaining an SSL certificate for a website isn't particularly difficult.

However, for those who aren't as familiar with the technical details, issuing an SSL certificate using commands like certbot can be quite challenging. That's where I'd like to introduce ZeroSSL.

https://zerossl.com/

What is ZeroSSL?

Perhaps because ZeroSSL is not yet widely known, searching for "ZeroSSL" on Google may turn up blogs with titles like "Get a free certificate (Let's Encrypt) using only your browser with ZeroSSL!" or "Prepare SSL certificates more easily with Let's Encrypt and ZeroSSL." In reality, however, Let's Encrypt and ZeroSSL are competitors.

Both are Certificate Authorities (CAs) that implement ACME (Automated Certificate Management Environment), a communications protocol for automating interactions between web servers and certificate authorities.

Comparison between ZeroSSL and Let's Encrypt

The comparison between Let's Encrypt and ZeroSSL is easy to understand when looking at the following contrast.

The main selling point of ZeroSSL is undoubtedly that you can issue SSL certificates using only your browser. You simply create a login account, click the "New Certificate" button, and follow the guide to easily issue a certificate. Once you download it, you just place the .crt and .key files as follows, and you're done. It's simple.

ssl_certificate /etc/zerossl/certificates/domain_name.crt;
ssl_certificate_key /etc/zerossl/certificates/domain_name.key;

This configuration is for Nginx; for other web servers, choose the format your server expects when downloading from ZeroSSL and you will get the certificate in that form.

Update

Some might find the requirement to create an account on ZeroSSL—unlike with Let's Encrypt—to be confusing or a drawback. However, ZeroSSL allows you to issue not only free SSL certificates but also paid ones with longer expiration periods. Additionally, you can receive paid support.

This can be seen as the difference between Let's Encrypt, which is supported by corporate donations, and ZeroSSL, which operates as a commercial entity. I'll leave it to you to judge which will remain more stable and persist longer.

Why not just stick with Let's Encrypt?

I thought the same, but I recently came across an article.

https://scotthelme.co.uk/introducing-another-free-ca-as-an-alternative-to-lets-encrypt/

In this article, researcher Scott Helme points out that because Let's Encrypt has been the only provider of free SSL certificates, it could become a single point of failure. ZeroSSL is introduced in this context.

While it's hard to imagine Let's Encrypt suddenly stopping, I agree with Scott Helme that the emergence of ZeroSSL has begun to change the ecosystem, which is a very good thing.

Summary

You might have gone to the trouble of installing certbot and setting it up in your crontab, but not everyone can do this. Some may even have servers where cron cannot be run. ZeroSSL meets those needs. If you weren't confident about issuing or configuring SSL certificates, or if you've given up before, why not give it a try?

Bonus

Now, ZeroSSL is a very convenient service that issues certificates through just a browser and notifies you by email when the expiration date is near, but it would be ideal if the renewal of an issued SSL certificate could be done automatically. ZeroSSL provides a way to do this as well.

https://github.com/zerossl/certbot-zerossl

ACME has a mechanism called EAB (External Account Binding) that ties a new ACME account to an account you already hold with an external service, in this case your ZeroSSL account.

https://tools.ietf.org/html/rfc8555#section-7.3.4

certbot-zerossl is a wrapper script that uses this mechanism: it passes ZeroSSL's EAB credentials to certbot's EAB feature, so that certbot, which has traditionally been used exclusively for Let's Encrypt, obtains certificates from ZeroSSL instead.

By looking at the source code, you can probably understand how it works. I also thought about using this script, but unfortunately, there was a major issue.
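As an added illustration (not code from the article, certbot-zerossl or lego), here is what the EAB step of RFC 8555 section 7.3.4 actually produces: the client MACs its own ACME account key with the HMAC key the CA handed out, and the CA recomputes that MAC to bind the new ACME account to the existing ZeroSSL account. This is the same exchange the lego flags in the script further down drive. The key id, HMAC key, account key and newAccount URL below are constructed placeholders; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(eab_kid: str, eab_hmac_key: str, account_jwk: dict, new_account_url: str) -> dict:
    """Build the externalAccountBinding JWS placed in an ACME newAccount request.

    eab_kid / eab_hmac_key are what ZeroSSL's eab-credentials endpoint returns; the
    HMAC key is itself base64url-encoded, so it is decoded before use. The payload is
    the ACME account's public key, and the protected header binds the JWS to the key
    identifier and the newAccount URL (no nonce, per RFC 8555).
    """
    protected = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(b64url_decode(eab_hmac_key), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(sig)}


def verify_eab(eab: dict, eab_hmac_key: str, account_jwk: dict) -> bool:
    """The CA side: recompute the MAC in constant time and check the payload is the account key."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(eab_hmac_key), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    header = json.loads(b64url_decode(eab["protected"]))
    payload = json.loads(b64url_decode(eab["payload"]))
    return header.get("alg") == "HS256" and payload == account_jwk


# Constructed sample values: not real ZeroSSL credentials, not a real EC point.
SAMPLE_KID = "example-kid-0123"
SAMPLE_HMAC_KEY = b64url(b"constructed-32-byte-hmac-key-xxx")
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
# Assumed newAccount URL; a real client reads it from the CA's directory document.
NEW_ACCOUNT_URL = "https://acme.zerossl.com/v2/DV90/newAccount"

if __name__ == "__main__":
    eab = build_eab(SAMPLE_KID, SAMPLE_HMAC_KEY, SAMPLE_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(eab, indent=2))
    print("verifies:", verify_eab(eab, SAMPLE_HMAC_KEY, SAMPLE_JWK))
```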

I don't like certbot

I am not a fan of certbot. Previously, I had introduced certbot and was running it on my own site, but one day after updating the OS packages (apt update), I didn't notice that certbot had stopped working, and the SSL certificate remained expired for a while.

Since then, I stopped using certbot. What I use instead is Lego.

https://go-acme.github.io/lego/

Lego is a Let's Encrypt client written in Go. Since it's a single binary, it's very unlikely to stop working due to an OS update. I switched to lego in 2018, and I haven't had a single problem since.

Also, its footprint is incredibly light, so it runs quite happily even on servers with low memory.

Like certbot, lego also has an EAB feature. By providing the same details to lego as specified for certbot-zerossl, you can continue to renew SSL certificates via cron without introducing certbot.

#!/bin/bash
set -euo pipefail

# Replace with your ZeroSSL API access key.
ACCESS_KEY=ZeroSSL_API_Access_Key

# Request a fresh pair of EAB credentials (key id + HMAC key) from ZeroSSL.
JSON=$(curl -s -X POST "https://api.zerossl.com/acme/eab-credentials?access_key=$ACCESS_KEY")
EAB_KEY=$(echo "$JSON" | jq -r .eab_kid)
EAB_HMAC_KEY=$(echo "$JSON" | jq -r .eab_hmac_key)

# Stop here instead of calling lego with empty or "null" credentials.
if [ -z "$EAB_KEY" ] || [ "$EAB_KEY" = "null" ] || [ -z "$EAB_HMAC_KEY" ] || [ "$EAB_HMAC_KEY" = "null" ]; then
    echo "failed to obtain EAB credentials from ZeroSSL: $JSON" >&2
    exit 1
fi

# Renew via the HTTP-01 challenge: the web server must already serve
# /var/www/domain_name on port 80. -a accepts the CA's terms of service;
# change "renew" to "run" for the first issuance.
/usr/local/bin/lego \
    --http --http.webroot /var/www/domain_name \
    --path /etc/zerossl \
    --eab --kid "$EAB_KEY" --hmac "$EAB_HMAC_KEY" \
    --server "https://acme.zerossl.com/v2/DV90" \
    --email "email_address" \
    --domains "domain_name" \
    -a renew

If you want to specify a folder that requires root privileges like /etc/zerossl, it is a good idea to configure sudoers. You can place the following file with a name like /etc/sudoers.d/lego-update.

mattn ALL=(ALL) NOPASSWD: /home/mattn/dev/lego/update.sh

Please update the username and path. If you register it in crontab, it would look something like this:

4 0 * * 0 sudo /home/mattn/dev/lego/update.sh

Of course, running it via system or root cron is also fine.

You can renew SSL certificates with a simple script like this. Since the domain is validated over HTTP (the HTTP-01 challenge), the web server must already be running and serving /var/www/domain_name on port 80. By the way, just like certbot, you can also issue SSL certificates using lego. (Just change renew to run.)

In this way, by using ZeroSSL, you can issue and automatically renew free SSL certificates without having to rely on Let's Encrypt, which could have been considered a single point of failure.

Why not give it a try?

Update

Currently, it seems the ZeroSSL certificate installation confirmation button is not functioning. Apparently, you can just leave it alone, and the developers will confirm it properly later.
