ZeroSSL integration into ISPConfig

Discussion in 'General' started by amoushou1, Jul 14, 2021.

  1. amoushou1

    amoushou1 New Member

    Are there any plans to integrate ZeroSSL into ISPConfig the way Let's Encrypt is?
    With a button?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Currently, we have no plan to integrate it. But feel free to make a feature request in our issue tracker at git.ispconfig.org.
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Actually, I think it is possible to just set acme.sh to use ZeroSSL. But this is not officially supported.
     
  4. amoushou1

    amoushou1 New Member

    Actually, acme.sh tried to use ZeroSSL after the update, which caused me some issues on a couple of domains; they were solved after selecting Let's Encrypt as the default on all web servers.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Which ISPConfig version do you use? If I remember correctly, we choose LE as SSL cert provider by default in the latest versions for acme.sh.
     
  6. amoushou1

    amoushou1 New Member

    I am using 3.2.5, the latest.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    When ISPConfig is installed or updated, we set acme.sh to use LE with the command options:

    --set-default-ca --server letsencrypt

    so it should be using LE by default.
     
  8. kwisarts

    kwisarts New Member HowtoForge Supporter

    Could this recently have changed?

    I noticed in my logs that zerossl was being used (which is not allowed to pass the proxy):

    Code:
    Tue Apr 15 07:31:01 PM CEST 2025 15.04.2025-19:31 - DEBUG [letsencrypt.inc:436] - Create Let's Encrypt SSL Cert for: subdomain.domain.tld
    Tue Apr 15 07:31:01 PM CEST 2025 15.04.2025-19:31 - DEBUG [letsencrypt.inc:437] - Let's Encrypt SSL Cert domains:
    Tue Apr 15 07:31:01 PM CEST 2025 15.04.2025-19:31 - DEBUG [system.inc:1826] - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue -d subdomain.domain.tld -d www.subdomain.domain.tld -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [ $R -eq 0 -o $R -eq 2 ] ; then /root/.acme.sh/acme.sh --install-cert -d subdomain.domain.tld -d www.subdomain.domain.tld --key-file '/var/www/clients/client0/web2/ssl/subdomain.domain.tld-le.key' --fullchain-file '/var/www/clients/client0/web2/ssl/subdomain.domain.tld-le.crt' --reloadcmd 'systemctl force-reload nginx.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [ $C -eq 0 ] ; then exit $R ; else exit $C ; fi
    Tue Apr 15 07:31:01 PM CEST 2025 [Tue Apr 15 07:31:01 PM CEST 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 56
    Tue Apr 15 07:31:11 PM CEST 2025 [Tue Apr 15 07:31:11 PM CEST 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 56
    Tue Apr 15 07:31:22 PM CEST 2025 [Tue Apr 15 07:31:22 PM CEST 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 56
    Tue Apr 15 07:31:32 PM CEST 2025 [Tue Apr 15 07:31:32 PM CEST 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 56
    Tue Apr 15 07:31:42 PM CEST 2025 [Tue Apr 15 07:31:42 PM CEST 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 56
    Tue Apr 15 07:31:52 PM CEST 2025 [Tue Apr 15 07:31:52 PM CEST 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 56
    Tue Apr 15 07:32:01 PM CEST 2025 15.04.2025-17:32 - WARNING - There is already an instance of server.php running with pid 290857.
    Tue Apr 15 07:32:02 PM CEST 2025 [Tue Apr 15 07:32:02 PM CEST 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 56
    Tue Apr 15 07:32:12 PM CEST 2025 [Tue Apr 15 07:32:12 PM CEST 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 56
    Tue Apr 15 07:32:22 PM CEST 2025 [Tue Apr 15 07:32:22 PM CEST 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 56
    Tue Apr 15 07:32:32 PM CEST 2025 [Tue Apr 15 07:32:32 PM CEST 2025] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 56
    Tue Apr 15 07:32:42 PM CEST 2025 [Tue Apr 15 07:32:42 PM CEST 2025] Cannot init API for https://acme.zerossl.com/v2/DV90
    Tue Apr 15 07:32:42 PM CEST 2025 15.04.2025-19:32 - WARNING - Let's Encrypt SSL Cert for: subdomain.domain.tld could not be issued.
    Tue Apr 15 07:32:42 PM CEST 2025 15.04.2025-19:32 - WARNING - R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue -d subdomain.domain.tld -d www.subdomain.domain.tld -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ;
    if [ $R -eq 0 -o $R -eq 2 ] ; then /root/.acme.sh/acme.sh --install-cert -d subdomain.domain.tld -d www.subdomain.domain.tld --key-file '/var/www/clients/client0/web2/ssl/subdomain.domain.tld-le.key' --fullchain-file '/var/www/clients/client0/web2/ssl/subdomain.domain.tld-le.crt' --reloadcmd 'systemctl force-reload nginx.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [ $C -eq 0 ] ; then exit $R ; else exit $C ; fi
    Tue Apr 15 07:32:42 PM CEST 2025 15.04.2025-19:32 - DEBUG [nginx plugin.inc:1398] - SSL Disabled. subdomain.domain.tld
    
    I first checked the acme.sh script that ISPConfig downloaded to /root/.acme.sh/acme.sh and found that zerossl is indeed listed as the default option:
    Code:
      --server <server_uri>             ACME Directory Resource URI. (default: https://acme.zerossl.com/v2/DV90)
    I checked server/lib/classes/letsencrypt.inc.php and saw no --server flag here:
    PHP:
    // Build the acme.sh issue/install command; the string concatenation dots
    // were lost when the snippet was pasted and are restored here
    $cmd = 'R=0 ; C=0 ; ' . $letsencrypt . ' --issue ' . $cmd . ' -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [ $R -eq 0 -o $R -eq 2 ] ; then ' . $letsencrypt . ' --install-cert ' . $cmd . ' --key-file ' . escapeshellarg($key_file) . ' ' . $cert_arg . ' --reloadcmd ' . escapeshellarg($this->get_reload_command()) . ' --log ' . escapeshellarg($conf['ispconfig_log_dir'].'/acme.log') . '; C=$? ; fi ; if [ $C -eq 0 ] ; then exit $R ; else exit $C  ; fi';

    return $cmd;
    Checked on https://git.ispconfig.org/ispconfig...lib/classes/letsencrypt.inc.php?ref_type=tags too.
    After adding the --server flag to the get_acme_cmd() method, I can confirm it is working as expected:

    Code:
    Tue Apr 15 07:44:01 PM CEST 2025 15.04.2025-19:44 - DEBUG [letsencrypt.inc:436] - Create Let's Encrypt SSL Cert for: subdomain.domain.tld
    Tue Apr 15 07:44:01 PM CEST 2025 15.04.2025-19:44 - DEBUG [letsencrypt.inc:437] - Let's Encrypt SSL Cert domains:
    Tue Apr 15 07:44:01 PM CEST 2025 15.04.2025-19:44 - DEBUG [system.inc:1826] - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --server letsencrypt --issue  -d subdomain.domain.tld -d www.subdomain.domain.tld -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [ $R -eq 0 -o $R -eq 2 ] ; then /root/.acme.sh/acme.sh --install-cert  -d subdomain.domain.tld -d www.subdomain.domain.tld --key-file '/var/www/clients/client0/web2/ssl/subdomain.domain.tld-le.key' --fullchain-file '/var/www/clients/client0/web2/ssl/subdomain.domain.tld-le.crt' --reloadcmd 'systemctl force-reload nginx.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [ $C -eq 0 ] ; then exit $R ; else exit $C  ; fi
    Tue Apr 15 07:44:40 PM CEST 2025 15.04.2025-19:44 - DEBUG [nginx plugin.inc:1395] - Enable SSL for: subdomain.domain.tld
    Tue Apr 15 07:44:40 PM CEST 2025 15.04.2025-19:44 - DEBUG [system.inc:2436] - safe_exec cmd: nginx -V 2>&1 | grep 'built with OpenSSL' | sed 's/.*built([a-zA-Z ]*)OpenSSL ([0-9.]*).*/2/' - return code: 0
    Tue Apr 15 07:44:40 PM CEST 2025 15.04.2025-19:44 - DEBUG [system.inc:2436] - safe_exec cmd: nginx -V 2>&1 | grep 'running with OpenSSL' | sed 's/.*running([a-zA-Z ]*)OpenSSL ([0-9.]*).*/2/' - return code: 0
    Tue Apr 15 07:44:40 PM CEST 2025 15.04.2025-19:44 - DEBUG [system.inc:2436] - safe_exec cmd: which 'nginx' 2> /dev/null - return code: 0
    Tue Apr 15 07:44:40 PM CEST 2025 15.04.2025-19:44 - DEBUG [nginx plugin.inc:1623] - Enable TLS 1.3 for: subdomain.domain.tld
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    No.

    This is fine, as no server flag is needed. It seems that the default CA was changed on your system; all you have to do is set the right default CA again.

    Code:
    acme.sh --set-default-ca --server letsencrypt
     
  10. kwisarts

    kwisarts New Member HowtoForge Supporter

    Oh, alright, thanks… seems to have done the trick.

    I had falsely understood those two flags would be passed with each call.

    When would that command usually be run?
    acme.sh got installed just earlier, automatically, when I tried to generate my first certificate on this machine. However, the first attempt failed due to the web proxy. Maybe that caused the default not being set at install time?
    I then requested the URL to be allowlisted, and acme.sh got installed automatically and successfully, but apparently the default didn't get set then.

    After running the command, I can see it's been set as `DEFAULT_ACME_SERVER` inside `/root/.acme.sh/account.conf`.

    Code:
    [Tue Apr 15 07:44:40 PM CEST 2025] Let's find the script directory.
    [Tue Apr 15 07:44:40 PM CEST 2025] _SCRIPT_='/root/.acme.sh/acme.sh'
    [Tue Apr 15 07:44:40 PM CEST 2025] _script='/root/.acme.sh/acme.sh'
    [Tue Apr 15 07:44:40 PM CEST 2025] _script_home='/root/.acme.sh'
    [Tue Apr 15 07:44:40 PM CEST 2025] Using default home: /root/.acme.sh
    [Tue Apr 15 07:44:40 PM CEST 2025] Using config home: /root/.acme.sh
    [Tue Apr 15 07:44:40 PM CEST 2025] LE_WORKING_DIR='/root/.acme.sh'
    [Tue Apr 15 07:44:40 PM CEST 2025] Running cmd: installcert
    [Tue Apr 15 07:44:40 PM CEST 2025] Using config home: /root/.acme.sh
    [Tue Apr 15 07:44:40 PM CEST 2025] default_acme_server
    [Tue Apr 15 07:44:40 PM CEST 2025] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
    [Tue Apr 15 07:44:40 PM CEST 2025] _ACME_SERVER_HOST='acme.zerossl.com'
    [Tue Apr 15 07:44:40 PM CEST 2025] _ACME_SERVER_PATH='v2/DV90'
    [Tue Apr 15 07:44:40 PM CEST 2025] DOMAIN_PATH='/root/.acme.sh/subdomain.domain.tld'
    [Tue Apr 15 07:44:40 PM CEST 2025] Installing key to: /var/www/clients/client0/web2/ssl/subdomain.domain.tld-le.key
    [Tue Apr 15 07:44:40 PM CEST 2025] Installing full chain to: /var/www/clients/client0/web2/ssl/subdomain.domain.tld-le.crt
    [Tue Apr 15 07:44:40 PM CEST 2025] Running reload cmd: systemctl force-reload nginx.service
    [Tue Apr 15 07:44:40 PM CEST 2025] Reload successful
    [Tue Apr 15 08:23:31 PM CEST 2025] LE_WORKING_DIR='/root/.acme.sh'
    [Tue Apr 15 08:23:31 PM CEST 2025] Running cmd: setdefaultca
    [Tue Apr 15 08:23:31 PM CEST 2025] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
    [Tue Apr 15 08:27:33 PM CEST 2025] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
    [Tue Apr 15 08:27:33 PM CEST 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Tue Apr 15 08:27:33 PM CEST 2025] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Tue Apr 15 08:27:33 PM CEST 2025] _ACME_SERVER_PATH='directory'
     
    Last edited: Apr 15, 2025
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    It is run by the ISPConfig installer and it needs to be run only once, when your system gets installed. Probably you ran some other software or followed a tutorial which might have altered the default for acme.sh.
     
  12. kwisarts

    kwisarts New Member HowtoForge Supporter

    Well, I did use the auto-installer this time ;) But the web proxy would also have interfered then, only apparently without interrupting the installation (unlike the failing phpMyAdmin installation that I'd gladly PR on git.ispconfig.org ;)).
    I tried finding anything in the install.log, but it seems truncated, and in what remains I can't spot anything relevant.

    But, I did another installation locally for development on Sunday, and I can confirm that here, acme.sh is installed and the DEFAULT_CA_SERVER is set correctly.

    Unfortunately, I also didn't have DEBUG logging enabled at the time I tried to generate the first certificate, so I don't have much more than this:
    Code:
    Tue Apr 15 11:41:04 AM CEST 2025 --2025-04-15 11:41:04--  https://get.acme.sh/
    Tue Apr 15 11:41:04 AM CEST 2025 Resolving proxy.lc1.domain.com (proxy.lc1.domain.com)... 2a02:6f00:c2::108, xx.yy.121.108
    Tue Apr 15 11:41:04 AM CEST 2025 Connecting to proxy.lc1.domain.com (proxy.lc1.domain.com)|2a02:6f00:c2::108|:3128... connected.
    Tue Apr 15 11:41:04 AM CEST 2025 Proxy tunneling failed: ForbiddenUnable to establish SSL connection.
    Tue Apr 15 11:41:04 AM CEST 2025 15.04.2025-11:41 - WARNING - Unable to install acme.sh.  Cannot proceed, no Let's Encrypt client found.
    

    Anyway, no worries, now that I know this, if I ever run into a similar issue again, I'll know how to fix it!

    P.S. It looks like the install_acme() method inside the letsencrypt class, which was responsible for installing the acme.sh client in my case, does not set a default CA as part of the process.
     
    Last edited: Apr 15, 2025
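A small check for the situation described in this thread (the fix in till's reply: `acme.sh --set-default-ca --server letsencrypt`, and kwisarts' observation that a failed or proxied install can leave the default unset). This is an added example, not ISPConfig's or acme.sh's own code. It assumes acme.sh records the default in `account.conf` as a `DEFAULT_ACME_SERVER='…'` line (as shown in the log above) and falls back to the built-in ZeroSSL directory quoted from `acme.sh --help` when that line is absent; the `ACME_HOME` variable and the sample conf files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not ISPConfig's or acme.sh's code): report which ACME directory
# acme.sh will use when ISPConfig calls it without a --server flag, and flag it
# when that is not Let's Encrypt.

# Assumed location; on the system in the thread it is /root/.acme.sh
ACME_HOME="${ACME_HOME:-/root/.acme.sh}"
ACME_CONF="${ACME_HOME}/account.conf"
# Built-in fallback when DEFAULT_ACME_SERVER is unset (from acme.sh --help)
BUILTIN_DEFAULT='https://acme.zerossl.com/v2/DV90'
LE_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'

# Print the effective default ACME directory for the given account.conf.
acme_default_server() {
    conf="$1"
    value=""
    if [ -r "$conf" ]; then
        # account.conf holds KEY='value' lines; take the last DEFAULT_ACME_SERVER
        value=$(sed -n "s/^DEFAULT_ACME_SERVER='\{0,1\}\([^']*\)'\{0,1\}$/\1/p" "$conf" | tail -n 1)
    fi
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf '%s\n' "$BUILTIN_DEFAULT"
    fi
}

# Exit status 0 when the effective default is Let's Encrypt, 1 otherwise.
acme_default_is_letsencrypt() {
    [ "$(acme_default_server "$1")" = "$LE_DIRECTORY" ]
}

# Demo on two constructed account.conf files: one from an install where the
# default CA was never set, one after --set-default-ca was run.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/unset.conf"
    printf "ACCOUNT_EMAIL='admin@example.invalid'\nDEFAULT_ACME_SERVER='%s'\n" \
        "$LE_DIRECTORY" > "$tmp/le.conf"
    for name in unset le; do
        if acme_default_is_letsencrypt "$tmp/$name.conf"; then
            echo "$name.conf: default CA is Let's Encrypt"
        else
            echo "$name.conf: WARNING default CA is $(acme_default_server "$tmp/$name.conf")"
            echo "  fix: acme.sh --set-default-ca --server letsencrypt"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Run it on a live server as `ACME_HOME=/root/.acme.sh sh check.sh` and call `acme_default_is_letsencrypt "$ACME_CONF"` from a monitoring job; a non-zero exit before the nightly cron run is cheaper to catch than the curl error 56 loop shown in the thread.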
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer
