Featured image of post Switching CA from Let's Encrypt to ZeroSSL in acme.sh
Experience Sharing

Switching CA from Let's Encrypt to ZeroSSL in acme.sh

acme.sh is a lightweight ACME protocol client used to obtain SSL/TLS certificates from certificate authorities (CAs) like Let's Encrypt and ZeroSSL.

acme.sh is a small yet powerful tool for managing SSL/TLS certificates. It supports multiple CAs (Certificate Authorities), but switching between them can be frustrating if you can’t find the right command. Don’t worry; this guide will walk you through the process step by step, complete with some humor to lighten the mood!

Step 1: Check Supported CAs

You can refer to the official Wiki page, which lists all supported CAs.

Here are the currently supported issuers:

Short Name ACME Server URL Usage
letsencrypt https://acme-v02.api.letsencrypt.org/directory Main Let’s Encrypt
letsencrypt_test https://acme-staging-v02.api.letsencrypt.org/directory Test Environment
buypass https://api.buypass.com/acme/directory BuyPass.com CA
buypass_test https://api.test4.buypass.no/acme/directory BuyPass.com Test
zerossl https://acme.zerossl.com/v2/DV90 ZeroSSL.com CA
sslcom https://acme.ssl.com/sslcom-dv-rsa or sslcom-dv-ecc SSL.com CA
google https://dv.acme-v02.api.pki.goog/directory Google Public CA
googletest https://dv.acme-v02.test-api.pki.goog/directory Google Test CA

There are plenty of options, but having too many can also be confusing—so which one should you choose? Don’t stress; using letsencrypt or zerossl is sufficient for most needs.

Step 2: Switch CAs

Once you’ve selected your target CA, use the following command to switch:

1

acme.sh --set-default-ca --server <Short_Name>

For example:

  • If you want to use Let’s Encrypt (the classic choice): 
    1

    acme.sh --set-default-ca --server letsencrypt
  • If you want to try ZeroSSL (for those who love experimentation): 
    1

    acme.sh --set-default-ca --server zerossl

Time to vent:

  1. Why isn’t there an interactive interface, like “Please select your CA”? That would be so much more user-friendly.
  2. ZeroSSL requires you to register for an API key, and this mandatory login experience always makes me wonder if free options come with hidden traps.

Step 3: Confirm the Change

After running the above command, it’s a good idea to double-check which default CA is in use to ensure everything is set up correctly:

1

acme.sh --show-config

If you see output like this:

1

DEFAULT_CA = letsencrypt

or:

1

DEFAULT_CA = zerossl

Congratulations, you’ve successfully switched!

This command merely informs you of “what the default CA is”; it could also add some reassuring message like, “Switch successful, welcome to your new CA!”

Step 4: Reissue Your Certificates

To ensure that the new CA is functioning correctly, you need to reissue your certificate:

1

acme.sh --renew -d yourdomain.com --force

Time to vent again:

  1. Why do I have to keep adding --force with every reissue? If I forget, the system will “pretend it didn’t hear,” wasting my time.
  2. Rate limits and API failures can be incredibly frustrating. For instance, Let’s Encrypt has a limit of 50 certificates per week, constantly reminding you, “Don’t waste free resources!”

Special Scenario: Different CAs for Different Domains

If you need to use a specific CA for certain domains, you can specify it directly during the issuance:

1

acme.sh --issue -d yourdomain.com --server letsencrypt

For users managing a lot of domains, configuring different CAs manually feels like “a laborer’s task.” Let’s hope for a batch management feature in the future.

Important Notes (Must-Read to Avoid Pitfalls)

  1. ZeroSSL API Key
    If you choose ZeroSSL, make sure to register an account and obtain your API key beforehand:

    1

    acme.sh --register-account --server zerossl --accountemail [email protected]

    It feels like obtaining free certificates has turned into a SaaS model; is this “improvement” really better?

  2. Compatibility Issues
    If your server is outdated (for example, systems that don’t have updated root certificates), it might not support the new CA’s root certificates, such as ZeroSSL. If you encounter SSL errors, this is likely the issue.

  3. Restart Services
    Don’t forget to reload your web service configuration to apply the new certificate:

    1
2
3
4
5

    # Restart Nginx
systemctl reload nginx

# Restart Apache
systemctl reload apache2

Conclusion

Although the process of switching CAs may seem straightforward, there are still little pitfalls that can be frustrating. However, by mastering the steps outlined above, you can complete the switch quickly and stop being at the mercy of confusing error messages.
Just one last reminder: don’t forget to conduct compatibility testing with the new certificates. It would be a surprise—if not a pleasant one—to discover problems only when your site goes live!