Switch From Letsencrypt to ZeroSSL Free SSL Certificates On Linux Server #3790

Closed
danjde opened this issue Nov 2, 2021 · 11 comments

Comments

@danjde

danjde commented Nov 2, 2021

Hi Devs,
In light of the recent Let's Encrypt DST Root CA X3 cross-sign expiration, our Italian association would like to try the ZeroSSL certification authority,
since ZeroSSL will in theory allow somewhat older devices to still work with ZeroSSL SSL certificates, as they have three CA root certificates that are likely to be in devices' trust stores.

Having said that, I ask you whether there is specific documentation that helps a Linux admin migrate from LE to ZeroSSL using acme.sh.

Thanks

@0xMarcio

0xMarcio commented Nov 2, 2021

I'll be doing the same thing next week for a couple hundred websites spread out over 5 servers.
Right now I'm thinking that I should re-register the acme.sh account with the argument `--server zerossl`,
then write a script to re-issue all certificates with `--force`.
Secretly hoping there's a better way though.

@Neilpang
Member

Neilpang commented Nov 2, 2021

1. use `--set-default-ca --server zerossl` to change the default CA
2. use `--register-account -m my@example.com` to register an account at zerossl
3. remove the line "Le_API='https://acme-v02.api.letsencrypt.org/directory'" from all the domain confs at ~/.acme.sh/domain/domain.conf
4. use `--renewall --force` to renew all the certs against zerossl.

@danjde
Author

danjde commented Nov 3, 2021

Here I am,
I followed @Neilpang's procedure with extreme precision; certificates are updated, but still through LE.

Opening "~/.acme.sh/domain/domain.conf", many other parameters still point to LE, as you can see (I've edited some file parameters):

Le_Domain='server.mydomain.org'
Le_Alt='mydomain.org,www.mydomain.org,lists.mydomain.org,smtp.mydomain.org,mail.mydomain.org,autodiscover.mydomain.org,autoconfig.mydomain.org,upload.server.mydomain.org,upload.mydomain.org,www.converse.mydomain.org,converse.mydomain.org,conference.mydomain.org,cloud.mydomain.org,collabora.mydomain.org,turn.mydomain.org,attivazione.mydomain.org'
Le_Webroot='apache'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_Keylength=''
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/123456780/123456780'
Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/123456780/123456780'
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/123456789123456789123456789'
Le_CertCreateTime='1234567890'
Le_CertCreateTimeStr='mer  3 nov 2021, 09.55.27, UTC'
Le_NextRenewTimeStr='dom  2 gen 2022, 09.55.27, UTC'
Le_NextRenewTime='1234567890'
Le_RealCertPath='/etc/letsencrypt/live/server.mydomain.org/cert.pem'
Le_RealCACertPath=''
Le_RealKeyPath='/etc/letsencrypt/live/server.mydomain.org/privkey.pem'
Le_ReloadCmd='__ACME_BASE64__START_L3Vzci9123456789123456789123456789==__ACME_BASE64__END_'
Le_RealFullChainPath='/etc/letsencrypt/live/server.mydomain.org/fullchain.pem'
Le_Preferred_Chain='__ACME_BASE64__START_aXNyZw==__ACME_BASE64__END_'
Le_API='https://acme-v02.api.letsencrypt.org/directory'

What do you suggest? To remove all LE parameters, or to run acme.sh renewall with the "--server" option as below?

acme.sh --renewall --server zerossl --force

Thanks!

@Neilpang
Member

Neilpang commented Nov 3, 2021

@danjde

Sorry, that was my omission.

In step 3, please replace "Le_API='https://acme-v02.api.letsencrypt.org/directory'" with "Le_API='https://acme.zerossl.com/v2/DV90'"
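A scripted form of the four steps above, with step 3 as corrected here (an added example, not code from acme.sh or from this thread). It assumes the default ~/.acme.sh layout with one <domain>/<domain>.conf per certificate; the acme.sh calls sit in a function that only runs when called explicitly, and the last function checks which CA actually issued the installed certificate, since the thread shows a renewal can silently stay on the old CA.

```shell
# Added example (not from acme.sh or this thread): the four migration steps
# as a script, with step 3 rewriting Le_API instead of deleting it.
# Assumption: default acme.sh layout, one <domain>/<domain>.conf per cert.
ACME_HOME="${ACME_HOME:-$HOME/.acme.sh}"
ZEROSSL_API='https://acme.zerossl.com/v2/DV90'

# Step 3: point one domain conf at ZeroSSL. Replaces an existing Le_API line
# (whatever CA it names) or appends one if the conf has none.
migrate_conf() {
  conf="$1"
  if grep -q '^Le_API=' "$conf"; then
    sed "s|^Le_API=.*|Le_API='$ZEROSSL_API'|" "$conf" > "$conf.tmp" \
      && mv "$conf.tmp" "$conf"
  else
    printf "Le_API='%s'\n" "$ZEROSSL_API" >> "$conf"
  fi
}

# Print the CA directory URL a conf currently names (empty if none).
conf_api() {
  sed -n "s/^Le_API='\(.*\)'$/\1/p" "$1"
}

# Apply migrate_conf to every per-domain conf (RSA and _ecc dirs alike),
# skipping the <domain>.csr.conf side files, and print how many were touched.
migrate_all_confs() {
  n=0
  for conf in "$ACME_HOME"/*/*.conf; do
    [ -f "$conf" ] || continue
    case "$conf" in *.csr.conf) continue ;; esac
    migrate_conf "$conf"
    n=$((n + 1))
  done
  echo "$n"
}

# Steps 1, 2 and 4: these talk to the CA, so they only run when called
# explicitly on the server, e.g.  migrate_zerossl admin@example.org
migrate_zerossl() {
  acme.sh --set-default-ca --server zerossl
  acme.sh --register-account -m "$1" --server zerossl
  migrate_all_confs
  acme.sh --renewall --force
}

# Check after renewal: print the issuer of an installed cert file, so a
# renewal that quietly stayed on Let's Encrypt is noticed, not assumed away.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}
```

Run `conf_api` on a domain conf before and after to confirm the edit, and `cert_issuer /path/to/fullchain.pem` once `--renewall` has finished.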

@danjde
Author

danjde commented Nov 3, 2021

No, the following steps seem not to be enough.
At the renewal process, LE starts again:

[mer 3 nov 2021, 11.42.46, CET] Using CA: https://acme-v02.api.letsencrypt.org/directory

acme.sh replaces "Le_API='https://acme.zerossl.com/v2/DV90'" with "Le_API='https://acme-v02.api.letsencrypt.org/directory'"

This is the procedure I followed:

acme.sh --set-default-ca --server zerossl
acme.sh --register-account -m my@example.com
replaced "Le_API='https://acme-v02.api.letsencrypt.org/directory'" with "Le_API='https://acme.zerossl.com/v2/DV90'" from all the domain conf at ~/.acme.sh/domain/domain.conf
acme.sh --renewall --force

thanks again

@danjde
Author

danjde commented Nov 3, 2021

@Neilpang
could it be because in the last (LE) request I used the "--preferred-chain "isrg"" option?

thanks again

@Neilpang
Member

Neilpang commented Nov 3, 2021

@danjde
I tried the steps on my own servers; it worked as expected. All my Let's Encrypt certs are renewed to ZeroSSL certs.


@Neilpang
Member

Neilpang commented Nov 3, 2021

BTW, I also have --preferred-chain specified, it doesn't matter at all.

@danjde
Author

danjde commented Nov 3, 2021

Here I am;
I obtained a ZeroSSL cert using the following steps:

  • acme.sh --register-account -m myemail@example.com --server zerossl
  • acme.sh --issue -d server.mydomain.org -d mydomain.org -d www.mydomain.org -d lists.mydomain.org -d smtp.mydomain.org -d mail.mydomain.org --apache --force --server zerossl
  • acme.sh --install-cert -d server.mydomain.org --cert-file /etc/mypath/live/server.mydomain.org/cert.pem --key-file /etc/mypath/live/server.mydomain.org/privkey.pem --fullchain-file /etc/mypath/live/server.mydomain.org/fullchain.pem --ca-file /etc/letsencrypt/live/server.3x1t.org/chain.pem --reloadcmd "/usr/local/bin/certbot-deploy-hook"

Thanks

@PeterTough2

1. use `--set-default-ca --server zerossl` to change the default CA
2. use `--register-account -m my@example.com` to register an account at zerossl
3. remove the line "Le_API='https://acme-v02.api.letsencrypt.org/directory'" from all the domain confs at ~/.acme.sh/domain/domain.conf
4. use `--renewall --force` to renew all the certs against zerossl.

Is it necessary that I have acme installed on my Ubuntu?

@danjde
Author

danjde commented Dec 28, 2021

@PeterTough2 you must have acme installed only on the server side, i.e. only on the machine where the certificates will be physically installed.

@danjde danjde closed this as completed Dec 28, 2021