How To Switch From Letsencrypt to ZeroSSL Free SSL Certificates On Centmin Mod

Centmin Mod uses Neil Pang’s acme.sh client as the underlying tool to issue and obtain free Letsencrypt certificates for Nginx HTTPS auto created sites. The acme.sh client has added support for other free ACME protocol compatible CA SSL providers like Buypass (BuyPass Go SSL) and ZeroSSL. This guide shows how you can switch over from Letsencrypt to using ZeroSSL SSL certificates which uses Sectigo (Comodo) certificates and supports free wildcard SSL certificates and doesn’t have any rate limiting for SSL certificate issuance.

This guide was born from the recent Letsencrypt DST Root CA X3 root certificate expiration on September 30, 2021 as a way of regaining older device compatibility with your Centmin Mod Nginx HTTPS web sites which used Letsencrypt SSL certificates.

ZeroSSL vs Letsencrypt

ZeroSSL website lists a side by side comparison with Letsencrypt. The main differences is that ZeroSSL has no rate limits for SSL certificate issuance and has a GUI based management console for issued SSL certificates.

ZeroSSLLet’s Encrypt
Unlimited CertificatesUnlimited Certificates
Free of ChargeFree of Charge
No Rate LimitRate Limits
90-Day Certificates90-Day Certificates
Multi-Domain CertificatesMulti-Domain Certificates
Wildcard CertificatesWildcard Certificates
Manage Certificates in UIN/A

ZeroSSL Older Device Compatibility

ZeroSSL will in theory allow somewhat older devices to still work with ZeroSSL SSL certificates as they have three CA root certificates that are likely to be in devices’ trust stores – the first two listed are in most modern browsers /devices while the third is the key for older device compatibility – the cross-signed AAA Certificate Services root certificate to support older devices:

  1. USERTrust RSA Certification Authority & USERTrust ECC Certification Authority root
  2. COMODO RSA Certification Authority & COMODO ECC Certification Authority root
  3. AAA Certificate Services root (cross-signed to support older devices)

SSLLabs shows there are two possible certificate chain paths for an issued ZeroSSL SSL certificate – one to modern USERTrust RSA CA root and the second path to cross-signed AAA Certificate Services CA root.

ZeroSSL SSL Certificate chains ZeroSSL SSL Certificate chains

The USERTrust RSA/ECC and COMODO RSA/ECC CA roots were added to the following devices since:

Apple:

  • macOS Sierra 10.12.1 Public Beta 2
  • iOS 10

Microsoft:

  • Windows XP (via Automatic Root Update; note that ECC wasn’t supported by Windows until Vista)
  • Windows Phone 7

Mozilla:

  • Firefox 3.0.4 (COMODO ECC Certification Authority)
  • Firefox 36 (the other 3 roots)

Google:

  • Android 2.3 (COMODO ECC Certification Authority)
  • Android 5.1 (the other 3 roots)

Oracle:

  • Java JRE 8u51

Opera:

  • [Browser release on December 2012]

360 Browser:

  • SE 10.1.1550.0 and Extreme browser 11.0.2031.0

And the cross-signed AAA Certificate Services root provides compatibility to older devices:

  • Apple iOS 3.
  • Apple macOS 10.4.
  • Google Android 2.3.
  • Mozilla Firefox 1.
  • Oracle Java JRE 1.5.0_08.

Steps To Switching To ZeroSSL SSL Certificates

ZeroSSL optionally requires you to register an account with at ZeroSSL.com first to obtain the EAB credentials via https://app.zerossl.com/developer that you need to register so that acme.sh client and thus acmetool.sh addon for Centmin Mod’s automated Nginx HTTPS site creation to issue free ZeroSSL SSL certificates instead of Letsencrypt SSL certificates. Or you can just pass your email address on command line to register with ZeroSSL and automatically obtain and register your EAB credentials which end up being saved to the configuration file at /root/.acme.sh/ca/acme.zerossl.com/ca.conf or in newer acme.sh clients at /root/.acme.sh/ca/acme.zerossl.com/v2/DV90/ca.conf.

ls -lah /root/.acme.sh/ca/
total 0
drwxr-xr-x 4 root root  66 Sep 26 00:39 .
drwx------ 9 root root 233 Sep 30 23:43 ..
drwxr-xr-x 3 root root  23 Sep 26 00:06 acme-v02.api.letsencrypt.org
drwxr-xr-x 3 root root  16 Sep 26 00:39 acme.zerossl.com

Steps to switch Centmin Mod 123.09beta01 from using free Letsencrypt SSL certificates to using free ZeroSSL SSL certificates:

Step 1. Register an account at ZeroSSL.com and go to https://app.zerossl.com/developer to obtain the EAB credentials. This signup is actually optional as you can instead just provide your email address on the command line then you can actually skip Step 2:

acme.sh --register-account -m myemail@example.com --server zerossl

Step 2. SSH login to your Centmin Mod server and register your EAB credentials with acme.sh client via the command line:

acme.sh --register-account --server zerossl --eab-kid xxxxxxxxxxxx --eab-hmac-key xxxxxxxxx

Without the EAB credentials, you may get a message like:

no eab credentials found for zerossl, let’s get one

Step 3. Configure Centmin Mod acmetool.sh addon to use ZeroSSL instead of Letsencrypt as default CA SSL certificate provider via the persistent configuration file /etc/centminmod/custom_config.inc variable you add:

ACME_DEFAULT_CA='zerossl'

Update Oct 4, 2021: slight typo correction, the variable above was missing a closing single quote. Make sure it’s ACME_DEFAULT_CA=’zerossl’

If you want to switch back from ZeroSSL to Letsencrypt defaults you can remove that variable from the persistent configuration file /etc/centminmod/custom_config.inc or you can specifically set it to the already default value

ACME_DEFAULT_CA='letsencrypt'

The acmetool.sh addon will pickup whichever setting value you have for the variable set in the persistent configuration file /etc/centminmod/custom_config.inc which will override the default settings.

Step 4. Reissuing existing Nginx site’s SSL certificates using ZeroSSL instead of Letsencrypt as CA provider.

Once you have switched to ZeroSSL defaults from above step 1-3, you will need to reissue your SSL certificates for existing Centmin Mod Nginx sites on your server. You do this via acmetool.sh addon wrapper script’s reissue-only option specifying your existing already created Centmin Mod Nginx site’s domain name (without the www) or subdomain name. Replace yourdomain.com with your Centmin Mod Nginx site’s domain name or subdomain name. The reissue-only option will only touch your existing Centmin Mod Nginx site’s SSL certificate configuration leaving the rest of your Nginx HTTPS vhost configuration intact.

/usr/local/src/centminmod/addons/acmetool.sh reissue-only yourdomain.com live

You can then run acmetool.sh checkdates option to list all SSL certificates issued and configured at Nginx level for the current Centmin Mod server. Example below:

/usr/local/src/centminmod/addons/acmetool.sh checkdates

output

/usr/local/src/centminmod/addons/acmetool.sh checkdates
----------------------------------------------
nginx installed
----------------------------------------------

/usr/local/nginx/conf/ssl/zerossl.domain.com/zerossl.domain.com-acme.cer
SHA1 Fingerprint=06FE84519E09ACB75BBE11EDF26F7D41D0Bxxxxx
certificate expires in 83 days on 25 Dec 2021

/usr/local/nginx/conf/ssl/letsencrypt.domain.com/letsencrypt.domain.com-acme.cer
SHA1 Fingerprint=423A55D99E8BEEBBC4C42C82E2C8683684Cxxxxx
certificate expires in 87 days on 29 Dec 2021

----------------------------------------------
acme.sh obtained
----------------------------------------------

/root/.acme.sh/zerossl.domain.com/zerossl.domain.com.cer
SHA1 Fingerprint=06FE84519E09ACB75BBE11EDF26F7D41D0Bxxxxx
[ below certifcate transparency link is only valid ~1hr after issuance ]
https://crt.sh/?sha1=06FE84519E09ACB75BBE11EDF26F7D41D0Bxxxxx
certificate expires in 83 days on 25 Dec 2021

/root/.acme.sh/letsencrypt.domain.com/letsencrypt.domain.com.cer
SHA1 Fingerprint=423A55D99E8BEEBBC4C42C82E2C8683684Cxxxxx
[ below certifcate transparency link is only valid ~1hr after issuance ]
https://crt.sh/?sha1=423A55D99E8BEEBBC4C42C82E2C8683684Cxxxxx
certificate expires in 87 days on 29 Dec 2021

Notes:

  • If you use Cloudflare or any other CDN proxy in front of your Centmin Mod Nginx HTTPS site, then you may not see Letsencrypt or ZeroSSL SSL certificates being served to you as you will see Cloudflare or that CDN proxy’s SSL certificates instead.
  • If Centmin Mod users have further questions or comments, they can post them on the official Centmin Mod community forums

Further Reading Links: