Add ZeroSSL as an alternative to Let's Encrypt
https://zerossl.com now offers 90-day SSL certificates that work with ACME.
It would be nice to be able to choose it as an SSL certificate provider in Plesk.
Probably not too complicated since it relies on the same technologies.
Could you please clarify the possible benefits of this feature request? How is it better than the Let's Encrypt already existing in Plesk?
Johann du Preez commented
It would be good as an alternative to Let's Encrypt... imagine if Plesk only allowed you to publish WordPress sites...
...and Alfonso Martínez de Lizarrondo makes a good point... not using Let's Encrypt anymore because of exactly that issue...
When updating wildcard certificates for domains with DNS hosted elsewhere, using ZeroSSL means that I only have to edit DNS once every 90 days.
Alfonso Martínez de Lizarrondo commented
The new default chain for Let's Encrypt in Windows seems to leave out Android devices < 7.1, and it doesn't seem that it's easy to configure Windows/IIS to serve the alternate chain, so if there's an option to use an alternate ACME certificate provider that doesn't have such problems at the moment it would be huge.
Many thanks BALLOON | FU-SEN for the prompt response.
Frankly, I was unaware of this option by Let's Encrypt, and when looking into Plesk, I don't see an option to have Plesk use that validation.
It seems on the contrary that Plesk only chooses to have domain validation (shown as the acronym "DV" with a padlock next to it on Websites & Domains > domainname.com > SSL/TLS Certificates > SSL/TLS Certificate for domainname.com).
Is there a way that I could ask Plesk to automate this validation (on certificate issuance and further renewals)?
FYI, I run Plesk version Obsidian 18.0.37
Hmm? Let's Encrypt also supports HTTP authentication:
DNS record authentication is required for wildcard certificates, which is also common to ZeroSSL.
The unique benefit of ZeroSSL in this regard is email authentication:
One benefit is on domain verification for certificate issuance.
Let's Encrypt requires a DNS ACME record.
This can be problematic when Plesk doesn't manage the domain (for example when the domain is managed at another registrar such as Google Domains).
ZeroSSL proposes to verify the domain with a file on the web server (which Plesk could automate).
So for all users who have their registrar managed outside Plesk, the ZeroSSL alternative would prove useful.
I have seen this issue encountered on some hosting and web services, regardless of Plesk.
The problem is that the service provides users with a subdomain of the registered domain.
Specifically, the service registers `example.com` and provides the user with `user.example.com`.
Obviously, if this is a server that is popular to some extent, issuing Let's Encrypt will experience rate limiting.
The service source must apply to Let's Encrypt using the form or register it on the Public Suffix List.
This problem is very serious for services that serve subdomains to many users.
Again, ZeroSSL doesn't have that limitation.
It is beginning to be recognized as a workaround for this issue with Let's Encrypt.
The benefits of Plesk adopting ZeroSSL should be great.
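The effect described in the comment above, as an added example that is not part of the thread or of Plesk: the limit is counted per registered domain, which is the public suffix plus one label, so a Public Suffix List entry changes which bucket each user subdomain falls into. The suffix set and issuance data are constructed, the 50-per-week figure is the one quoted in this thread, and wildcard and exception suffix rules are ignored.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed miniature suffix list; the real Public Suffix List is far larger.
BASE_SUFFIXES = {"com", "org", "net"}
WEEKLY_LIMIT = 50  # figure quoted in the thread: certificates per domain per week


def registered_domain(hostname, suffixes):
    """Return the public suffix plus one label, the unit the limit is counted on."""
    labels = hostname.lower().rstrip(".").split(".")
    # Scanning from the full name downward finds the longest matching suffix first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            if i == 0:
                raise ValueError(f"{hostname} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known suffix for {hostname}")


def over_limit(issuances, suffixes, limit=WEEKLY_LIMIT, window=timedelta(days=7)):
    """Return registered domains with more than `limit` issuances in any window."""
    by_domain = defaultdict(list)
    for hostname, when in issuances:
        by_domain[registered_domain(hostname, suffixes)].append(when)
    flagged = set()
    for domain, times in by_domain.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers less than 7 days.
            while t - times[start] >= window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(domain)
                break
    return flagged


def sample_issuances(count=60):
    """Constructed data: one certificate per user subdomain, an hour apart."""
    t0 = datetime(2021, 1, 4)
    return [(f"user{i}.example.com", t0 + timedelta(hours=i)) for i in range(count)]


if __name__ == "__main__":
    print("without PSL entry:", over_limit(sample_issuances(), BASE_SUFFIXES))
    print("with PSL entry:", over_limit(sample_issuances(), BASE_SUFFIXES | {"example.com"}))
```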
Alexander Yamshanov commented
Hi 🎈 BALLOON | FU-SEN!
Have you already broken a limit or come near any of the Let's Encrypt limits? Could you please provide a little bit more detail about your infrastructure, how many sites/requests, and exactly what limit is reached?
What is the case where you need to issue 50 certificates per week per domain?
There is a rate limit for Let’s Encrypt. It can be a big problem for some services such as hosting:
ZeroSSL has no such restrictions.
Let's Encrypt will break compatibility with old Android devices and some systems on September 29, 2021: https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html
Having an alternative would allow users to continue to have free certificates with wider support.
This is a real issue for many editors!