HACKER Q&A
📣 grodriguez100

What is your experience with ZeroSSL?


Last month, Let's Encrypt made some changes to their certificate chain in order to reduce traffic exchange during a TLS handshake and also their operating costs; the details are explained here [1].

As a result, any certificates issued (or renewed) after Feb 8th will not work on older Android devices (< 7.1.1), unless the ACME client has been configured to request an alternate certificate chain. The "alternate chain" workaround will also stop working on June 6th.

I need to support these older Android devices so I am looking for alternatives. I have seen ZeroSSL mentioned a few times; it is also the default CA for acme.sh (the ACME client I am using nowadays) [2]. They have a number of paid plans but ACME certificates are free [3].

I'll be testing this over the next few days, but I would also like to ask if people here have experience with ZeroSSL (good or bad :-). Any feedback would be helpful.

[1]: https://letsencrypt.org/2023/07/10/cross-sign-expiration.html

[2]: https://github.com/acmesh-official/acme.sh

[3]: https://zerossl.com/documentation/acme/


  👤 evrflx Accepted Answer ✓
I got weird errors, including delivery of old, expired certificates on renewal and API errors. I currently log into Google ACME as an alternative to LE to have a backup. The Android issue does not apply to my environment.

👤 beardyw
Ha, thank you so much. I was puzzled why an old junk Android I have rejected the cert on GitHub Pages. I had factory reset it and wondered if an OTA might fix it. Now I won't wait; I need to install the CA.

👤 LinuxBender
There was a point where acme.sh [1] changed their default from Let's Encrypt to ZeroSSL and that bit my automation because I only use wildcard certificates. ZeroSSL does not offer free wildcard certs [2] whereas Let's Encrypt does.

[1] - https://github.com/acmesh-official/acme.sh

[2] - https://zerossl.com/pricing/