2021-08-19
Trying zerossl as backup certificate provider
Based on the recent article "Here's another free CA as an alternative to Let's Encrypt!" I decided to check my options for having an alternative to LetsEncrypt. Not because I have or had any problems with LetsEncrypt, but I like having a backup option. So I started with zerossl as an option. So far I did the whole registration and certificate request dance purely with the dehydrated client, but that gives an error on a certificate request:
+ Requesting new certificate order from CA...
+ Received 2 authorizations URLs from the CA
+ Handling authorization for developer.virtualbookcase.com
+ Handling authorization for perl.virtualbookcase.com
+ 2 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for developer.virtualbookcase.com authorization...
+ Challenge is valid!
+ Responding to challenge for perl.virtualbookcase.com authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
+ Requesting certificate...
+ Order is processing...
ERROR: Order in status invalid

Creating a zerossl account with a web browser and setting the EAB_KID and EAB_HMAC_KEY to the values from my zerossl account also doesn't help, that also ends with

$ ./dehydrated/dehydrated --ca zerossl --config /etc/dehydrated/config.zerossl -s httprenewable/webserver-devvirtualbookcase.csr > tmp/certificate.crt
+ Requesting new certificate order from CA...
+ Received 2 authorizations URLs from the CA
+ Handling authorization for developer.virtualbookcase.com
+ Handling authorization for perl.virtualbookcase.com
+ 2 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for developer.virtualbookcase.com authorization...
+ Challenge is valid!
+ Responding to challenge for perl.virtualbookcase.com authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
+ Requesting certificate...
+ Order is processing...
ERROR: Order in status invalid

I realized a certificate for multiple names isn't supported by the free tier of zerossl. Removing one of the names from the certificate still made it end up in status 'invalid'. Also re-creating the account in dehydrated after creating the zerossl account and setting the EAB_KID and EAB_HMAC_KEY variables correctly didn't solve things yet. The same request works fine with LetsEncrypt, so the issue is something between dehydrated and zerossl.
Update: Sharing my woes gave a suggestion, from Stephen Harris on Twitter: "@khoos You have a CAA record for virtualbookcase.com that might be blocking it." And Stephen is absolutely right: I set up CAA records ages ago for all my domains. And the zerossl CAA document I can find absolutely agrees I need to add a CAA record allowing certificates by sectigo.com.

Updated: And after waiting for DNS propagation and trying again I now have a zerossl.com certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4e:7b:c8:e9:ad:fd:14:ad:5c:ae:a2:57:fe:45:d9:41
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = AT, O = ZeroSSL, CN = ZeroSSL ECC Domain Secure Site CA
        Validity
            Not Before: Aug 19 00:00:00 2021 GMT
            Not After : Nov 17 23:59:59 2021 GMT
        Subject: CN = perl.virtualbookcase.com
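As an added example (not code from the original post, nor from dehydrated or zerossl), here is the decision a CA makes under RFC 8659 when it checks CAA before issuing, run offline against constructed zone data that mirrors the situation above: a virtualbookcase.com CAA set that only names letsencrypt.org beside the corrected set that also names sectigo.com. The record values are constructed; the actual records in the author's zone are not on the page.

```python
# Added example, not part of the original post or of dehydrated/zerossl:
# a minimal RFC 8659 CAA decision, run offline against constructed zone data.
# A zone is a dict: owner name -> list of (flags, tag, value) CAA records.

# Constructed "before" zone: only Let's Encrypt is authorised, which is what
# a CAA record set up "ages ago" for LetsEncrypt would look like.
CAA_BEFORE = {
    "virtualbookcase.com": [(0, "issue", "letsencrypt.org")],
}
# Corrected zone: ZeroSSL issues through Sectigo, so sectigo.com is added.
CAA_AFTER = {
    "virtualbookcase.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "sectigo.com"),
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(zone, fqdn):
    """CAA RRset of fqdn or its closest ancestor (RFC 8659 section 3);
    empty if no name on the way up to the TLD carries CAA records."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuance_allowed(zone, fqdn, ca_domain, wildcard=False):
    """Would a CA identified by ca_domain be permitted to issue for fqdn?"""
    rrset = relevant_caa(zone, fqdn)
    if not rrset:
        return True  # no CAA anywhere in the chain: issuance unrestricted
    # A critical (flag bit 128) property the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # For wildcard names, issuewild records replace issue records when present.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # RRset carries no restriction for this tag (e.g. only iodef)
    # Value is "issuer-domain[; params]"; an empty issuer name ("issue ;") allows no CA.
    allowed = {v.split(";")[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed
```

With CAA_BEFORE, `issuance_allowed(CAA_BEFORE, "perl.virtualbookcase.com", "sectigo.com")` is False, which is exactly the "Order in status invalid" outcome; with CAA_AFTER it is True.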