xf.is blog

List of free ACME SSL providers


Please note that many ACME clients only support Let’s Encrypt. Certbot should work with alternative ACME providers.

Buypass Go SSL

Norwegian certificate authority offering free SSL certificates valid for 180 days (Technical specifications). No wildcard certificates.

ACME directory URL: https://api.buypass.com/acme/directory

Chains up to “Buypass Class 2 Root CA” valid until 2040

DNS CAA: buypass.com

Rate limits: 20 per registered domain/week, 5 duplicate certificates/week.

Example commands for Certbot / acme.sh:

# Certbot
certbot register -m 'YOUR_EMAIL' --agree-tos  \
         --server 'https://api.buypass.com/acme/directory'

certbot certonly --webroot -w /var/www/example.com/public_html/ \
         -d example.com -d www.example.com \
         --server 'https://api.buypass.com/acme/directory'

# acme.sh
acme.sh --server https://api.buypass.com/acme/directory \
         --register-account --accountemail 'YOUR_EMAIL'

acme.sh --server https://api.buypass.com/acme/directory  \
         --issue -d example.com -d www.example.com \
         --webroot /var/www/example.com/public_html/ \
         --days 170

Let’s Encrypt

US-based certificate authority offering free certificates valid for 90 days. Currently the default in most ACME clients (certbot, acme.sh etc.).

Offers wildcard certificates using the DNS challenge.

Chains up to “ISRG Root X1” (valid until 2035) or “DST Root CA X3” (valid until 2021-09-30).

This can potentially cause issues for older clients when the DST Root CA expires if they do not have the ISRG root certificate installed. One example is older Android clients; support for ISRG Root X1 was added in Android in version 7.1.1.

DNS CAA: letsencrypt.org

Rate limits: 50 per registered domain/week, 5 duplicate certificates/week.

Example commands for Certbot / acme.sh:

# Certbot
certbot register -m 'YOUR_EMAIL' --agree-tos 

certbot certonly --webroot -w /var/www/example.com/public_html/ \
         -d example.com -d www.example.com

# acme.sh
acme.sh --register-account --accountemail 'YOUR_EMAIL'

acme.sh  --issue -d example.com -d www.example.com \
         --webroot /var/www/example.com/public_html/

ZeroSSL

ZeroSSL is an Austrian certificate authority offering free certificates valid for 90 days using a root provided by Sectigo (UK).

Offers wildcard certificates using the DNS challenge.

ZeroSSL requires users to sign up on its website in order to generate external account binding (EAB) credentials under Dashboard -> Developer -> EAB Credentials for ACME Clients.

This means only ACME clients that support external account binding (EAB), such as Certbot or acme.sh, work with ZeroSSL.

ACME directory URL: https://acme.zerossl.com/v2/DV90

Chains up to “USERTrust RSA Certification Authority” valid until 2038 or all the way up to “AAA Certificate Services” valid until 2028.

Rate limits: No rate limits.

DNS CAA: sectigo.com

Example commands for Certbot / acme.sh:

# Certbot
certbot register -m 'YOUR_EMAIL' --agree-tos  \
         --server 'https://acme.zerossl.com/v2/DV90' \
         --eab-kid 'YOUR_EAB-KID' \
         --eab-hmac-key 'YOUR_EAB-HMAC-KEY'

certbot certonly --webroot -w /var/www/example.com/public_html/ \
         -d example.com -d www.example.com \
         --server 'https://acme.zerossl.com/v2/DV90' \
         --eab-kid 'YOUR_EAB-KID' \
         --eab-hmac-key 'YOUR_EAB-HMAC-KEY'         

# acme.sh
acme.sh  --register-account  --server zerossl \
         --eab-kid YOUR_EAB-KID  \
         --eab-hmac-key YOUR_EAB-HMAC-KEY

acme.sh --server zerossl \
         --issue -d example.com -d www.example.com \
         --webroot /var/www/example.com/public_html/
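
The DNS CAA value listed for each provider above is the identifier a domain's CAA records must name before that CA may issue. The following is an added example, not part of the original post: it reads records in `dig +short CAA` form and reports which of the three CAs on this page may issue for a hostname or a wildcard. The function names `caa_permits` and `caa_report` and the sample records are constructed for illustration.

```shell
#!/bin/sh
# caa_permits CA_DOMAIN KIND  (KIND: host | wildcard); CAA records on stdin in
# `dig +short CAA` form, e.g.  0 issue "letsencrypt.org". Prints yes or no.
# RFC 8659 rules: issuewild, when present, replaces issue for wildcard names;
# an RRset with no issue/issuewild tag does not restrict issuance.
caa_permits() {
    awk -v ca="$1" -v kind="$2" '
    BEGIN { n_issue = 0; n_wild = 0; ok_issue = 0; ok_wild = 0 }
    {
        tag = tolower($2)
        val = $0
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", val)  # drop flags and tag
        gsub(/"/, "", val)                                 # drop quotes
        sub(/;.*/, "", val)                                # drop parameters
        gsub(/^[ \t]+|[ \t]+$/, "", val)                   # trim
        val = tolower(val)
        if (tag == "issue")     { n_issue++; if (val == ca) ok_issue = 1 }
        if (tag == "issuewild") { n_wild++;  if (val == ca) ok_wild = 1 }
    }
    END {
        if (kind == "wildcard" && n_wild > 0) res = ok_wild
        else if (n_issue > 0)                 res = ok_issue
        else                                  res = 1      # unrestricted
        print (res ? "yes" : "no")
    }'
}

# caa_report KIND: one "ca=yes|no" line per CAA identifier listed on this page.
caa_report() {
    records=$(cat)
    for ca in buypass.com letsencrypt.org sectigo.com; do
        printf '%s=%s\n' "$ca" "$(printf '%s\n' "$records" | caa_permits "$ca" "$1")"
    done
}

# Constructed sample RRset (not from the page): Let's Encrypt for hostnames,
# Sectigo (used by ZeroSSL) for wildcards only.
SAMPLE_CAA='0 issue "letsencrypt.org; validationmethods=http-01"
0 issuewild "sectigo.com"
0 iodef "mailto:security@example.com"'

printf '%s\n' "$SAMPLE_CAA" | caa_report host
printf '%s\n' "$SAMPLE_CAA" | caa_report wildcard
```

Against a live zone, pipe in `dig +short CAA example.com` in place of the sample. The check covers a single RRset only: it does not climb to parent domains or evaluate the critical flag.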

Thanks to Owen Sullivan for letting me know about ZeroSSL.