Fallback for Let’s Encrypt – Free Automatic CAs

For many Let’s Encrypt became an integral part of web development, and automatic certificate renewal every 90 days is a routine procedure. In fact, it is now the most popular certification authority on the Internet. It’s great, but also dangerous.

This begs the question: What if Let’s Encrypt’s servers temporarily stop working? I don’t want to think about the possible reasons for the failure. But it is advisable to provide a fallback. That is, the same convenient automated free certification center.

Fortunately, there are fallbacks. At least two. The same free automated CAs modeled on Let’s Encrypt.

ACME protocol

All communications with Let’s Encrypt take place using the ACME (Automated Certificate Management Environment) protocol. It is an open protocol for automating interaction with CAs. There is nothing specific to Let’s Encrypt, it is supported by several other CAs.

Now is the moment when more and more CAs are starting to work through ACME. This means that almost all of our tools, scripts and processes for obtaining certificates from Let’s Encrypt will work great and with other centers that support ACME.

To rebuild to another CA, you just need to change the API address in the configured scripts from https://acme-v02.api.letsencrypt.org/directory (Let’s Encrypt) on https://api.buypass.com/acme/directory (BuyPass, see below about it) or some other.


We need a CA that meets two criteria:

  1. supports ACME;
  2. issues free certificates.

These criteria are met by the Norwegian CA named BuyPass

The free service is called BuyPass Go SSL: This is automatic issuance and renewal of certificates + ACME support. What you need.

Technical documentation explains how to configure obtaining and renewing a certificate using Certbot – an official client from the Electronic Frontier Foundation to work with Let’s Encrypt or any other CA that supports the ACME protocol.

Registration at the CA and obtaining a certificate in BuyPass is elementary, as in the case of Let’s Encrypt, there is no difference here.

Registration with your email address for notifications (‘YOUR_EMAIL’) and agreement to the terms of use (–agree-tos):

root@acme:~# certbot register -m 'YOUR_EMAIL' --agree-tos --server 'https://api.buypass.com/acme/directory'

Obtaining a certificate:

root@acme:~# certbot certonly --webroot -w /var/www/example.com/public_html/ -d example.com -d www.example.com --server 'https://api.buypass.com/acme/directory'

Subsequently, other Certbot commands are used to revoke the certificate (revoke), renewal of expired certificates (renew) and removing the certificate (delete).

It is recommended to put the renewal command in cron and run it automatically to check expired certificates just in case. For example, like this:

#Cron-job scheduled under root to run every 12th hour at a specified minute (eg. 23, change this to your preference)
23 */12 * * * /opt/certbot/certbot-auto renew -n -q >> /var/log/certbot-auto-renewal.log

BuyPass has some limits on ACME. The main limit is the number of certificates for a registered domain (20 per week). This refers to the part of the domain that is purchased from a domain name registrar. That is, this is the limit for all subdomains in total. Another limit is 5 duplicates per week. This is the limit of certificates for each specific subdomain. There are limits on validation errors – 5 per account, per host and per hour.

Endpoint request limit new-reg, new-authz and new-cert: 20 per second. Limit of requests to /directory: 40 per second.

The maximum number of authorizations in the process (Pending Authorizations): 300 pieces.

Another client can be used instead of Certbot acme.sh, which is also initially configured for Let’s Encrypt, but easily routes to another CA with ACME support.

./acme.sh --issue --dns dns_cf -d example.com --server "https://api.buypass.com/acme/directory"


Another CA that issues free 90-day certificates via ACME protocol is Austrian ZeroSSL

The aforementioned acme.sh program has ZeroSSL support, so it is very easy to register:

acme.sh --register-account -m foo@bar.com --server zerossl

Next, one command to generate a certificate:

acme.sh --issue --dns dns_cf -d example.com --server zerossl

There are no limits on API calls. There are others advantages: This CA gives free certificates not only for 90 days, but also for 1 year, there is a web dashboard and technical support.

By the way, ZeroSSL generates certificates even through the web interface, step by step with domain verification by email. But, of course, this method is not suitable for automation.

Other ACME servers

Here list all known ACME servers. There are still few of them, but the number is growing.

Let’s Encrypt is an outstanding organization doing a great job. But it’s dangerous to put all your eggs in one basket. The more the CA works under the ACME protocol and distributes free certificates in automatic mode, the more diverse and reliable the ecosystem as a whole.

Let’s Encrypt may experience downtime, or it may temporarily suspend its activity – and then Buypass and ZeroSSL will come to hedge. Having these fallbacks ultimately increases the credibility of Let’s Encrypt itself, because it’s no longer a single point of failure. And changing the CA for ACME is a matter of a few seconds.

Special offer of the GlobalSign certification center

Similar Posts

Leave a Reply