Last month, Let's Encrypt made some changes to their certificate chain in order to reduce traffic exchange during a TLS handshake and also their operating costs; the details are explained here [1].<p>As a result, any certificates issued (or renewed) after Feb 8th will not work on older Android devices (< 7.1.1), unless the ACME client has been configured to request an alternate certificate chain. The "alternate chain" workaround will also stop working on June 6th.<p>I need to support these older Android devices so I am looking for alternatives. I have seen ZeroSSL mentioned a few times; it is also the default CA for acme.sh (the ACME client I am using nowadays) [2]. They have a number of paid plans but ACME certificates are free [3].<p>I'll be testing this over the next few days, but I would also like to ask if people here have experience with ZeroSSL (good or bad :-). Any feedback would be helpful.<p>[1]: https://letsencrypt.org/2023/07/10/cross-sign-expiration.html<p>[2]: https://github.com/acmesh-official/acme.sh<p>[3]: https://zerossl.com/documentation/acme/
I got weird errors, including delivery of old, expired certificates on renewal and API errors.
I currently log into Google ACME as an alternative to LE to have a backup; the Android issue does not apply to my environment.
Ha, thank you so much. I was puzzled why an old junk Android I have, rejected the cert on GitHub Pages. I had factory reset it and wondered if an OTA might fix it. Now I won't wait, I need to install the CA.
There was a point where acme.sh [1] changed their default from LetsEncrypt to ZeroSSL and that bit my automation because I only use wildcard certificates. ZeroSSL does not offer <i>free</i> wildcard certs [2] whereas LetsEncrypt does.<p>[1] - https://github.com/acmesh-official/acme.sh<p>[2] - https://zerossl.com/pricing/
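Added example (not part of the thread, and not code from acme.sh or either CA): a shell check for which chain or CA a server is actually serving after a renewal, which bears on both the alternate-chain question in the original post and the acme.sh default-CA change described in the last comment. It classifies the "Certificate chain" section of `openssl s_client -showcerts` output by its top-most issuer; the function name `classify_chain` and the three sample chains are constructed for illustration.

```shell
#!/bin/sh
# Input on stdin: the "Certificate chain" section printed by
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
# Output: cross-signed | isrg-only | other-ca | unknown

classify_chain() {
    # Keep only issuer lines ("i:...") and take the last one, i.e. the
    # issuer of the highest certificate the server sent.
    top_issuer=$(sed -n 's/^[[:space:]]*i:[[:space:]]*//p' | tail -n 1)
    case "$top_issuer" in
        "")                 echo "unknown"; return 1 ;;  # no chain in input
        *"DST Root CA X3"*) echo "cross-signed" ;;       # long (alternate) chain
        *"ISRG Root X"*)    echo "isrg-only" ;;          # short chain
        *)                  echo "other-ca" ;;           # not a Let's Encrypt chain
    esac
}

# Constructed sample inputs (not captured from a real server).
sample_long_chain() {
cat <<'EOF'
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
EOF
}

sample_short_chain() {
cat <<'EOF'
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
EOF
}

sample_other_ca() {
cat <<'EOF'
Certificate chain
 0 s:CN = www.example.test
   i:C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
EOF
}
```

A result of `isrg-only` after a renewal means the server is no longer sending the cross-signed chain, which is the case the original post says fails on Android older than 7.1.1.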