xf.is blog

List of free ACME SSL providers

Published (updated: ) in ssl.

Please note that many ACME clients only support Let’s Encrypt. Certbot should work with alternative ACME providers.

Buypass Go SSL

Norwegian certificate authority offering free SSL certificates valid for 180 days (Technical specifications). No wildcard certificates.

ACME directory url: https://api.buypass.com/acme/directory

Chains up to “Buypass Class 2 Root CA” valid until 2040

DNS CAA: buypass.com

Rate limits: 20 per registered domain/week, 5 duplicate certificates/week.

Example commands for Certbot / acme.sh:

# Certbot
certbot register -m 'YOUR_EMAIL' --agree-tos  \
         --server 'https://api.buypass.com/acme/directory'

certbot certonly --webroot -w /var/www/example.com/public_html/ \
         -d example.com -d www.example.com \
         --server 'https://api.buypass.com/acme/directory'

# acme.sh
acme.sh --server https://api.buypass.com/acme/directory  \
         --register-account --accountemail me@example.com

acme.sh --server https://api.buypass.com/acme/directory  \
         --issue -d example.com -d www.example.com \
         --webroot /var/www/example.com/public_html/ \
         --days 170

Let’s Encrypt

US based certificate authority offering free certificates valid for 90 days. Currently default in most ACME clients (certbot, acme.sh etc.).

Offers wildcard certificate using DNS challenge.

Chains up to “ISRG Root X1” (valid until 2035) or “DST Root CA X3” (valid until 2021-09-30).

Can potentially cause issue for older clients when the DST Root CA expires if they do not have the ISRG root certificate installed. One example is older Android clients but support for ISRG Root X1 was added in Android in version 7.1.1.

DNS CAA: letsencrypt.org

Rate limits: 50 per registered domain/week, 5 duplicate certificates/week.

Example commands for Certbot / acme.sh:

# Certbot
certbot register -m 'YOUR_EMAIL' --agree-tos 

certbot certonly --webroot -w /var/www/example.com/public_html/ \
         -d example.com -d www.example.com

# acme.sh
acme.sh --register-account --accountemail me@example.com

acme.sh  --issue -d example.com -d www.example.com \
         --webroot /var/www/example.com/public_html/

ZeroSSL

ZeroSSL is a Austrian certificate authority offering free certificates valid for 90 days using root provided by Sectigo (UK).

Offers wildcard certificate using DNS challenge.

ZeroSSL requires users to sign-up on their website in order to generate external account binding (EAB) credentials under Dashboard -> Developer -> EAB Credentials for ACME Clients.

This means only ACME clients supporting external account binding (EAB) work with ZeroSSL (such as Certbot or acme.sh).

ACME directory url: https://acme.zerossl.com/v2/DV90

Chains up to “USERTrust RSA Certification Authority” valid until 2038 or all the way up to “AAA Certificate Services” valid until 2028.

Rate limits: No rate limits.

DNS CAA: sectigo.com

Example commands for Certbot:

# Certbot
certbot register -m 'YOUR_EMAIL' --agree-tos  \
         --server 'https://acme.zerossl.com/v2/DV90' \
         --eab-kid 'YOUR_EAB-KID' \
         --eab-hmac-key 'YOUR_EAB-HMAC-KEY'

certbot certonly --webroot -w /var/www/example.com/public_html/ \
         -d example.com -d www.example.com \
         --server 'https://acme.zerossl.com/v2/DV90' \
         --eab-kid 'YOUR_EAB-KID' \
         --eab-hmac-key 'YOUR_EAB-HMAC-KEY'         

# acme.sh
acme.sh  --register-account  --server zerossl \
         --eab-kid YOUR_EAB-KID  \
         --eab-hmac-key YOUR_EAB-HMAC-KEY

acme.sh --server zerossl \
         --issue -d example.com -d www.example.com \
         --webroot /var/www/example.com/public_html/

Thanks to Owen Sullivan for letting me know about ZeroSSL.