True, that's one reason, but I've been planning this feature for years and would have implemented it either way. As explained in the linked pull request:
- Let's Encrypt is a busy non-profit organization. We can help maximize their budget by not using it as the exclusive default for every server.
- ZeroSSL does not have rate limits and is also publicly trusted. And yes, it is free to use it with ACME.
- ZeroSSL offers a graphical dashboard where you can log in and see and download your certificates.
- Having more than just 1 free ACME CA is a very, very good thing for the PKI ecosystem.
This is the beauty of standardization; if you give a server a URL, you can give it two and three and four, and not have to worry about global reliance on a single source.
There's also a lot of opportunity for CAs to get better IMO, so competition is useful. I'd hate to see a commercial company displace LE, but there are so many value adds that can be sold once you're the CA of choice that it seems inevitable that a commercial CA with a LE style free tier is going to have a lot of opportunity.
IMO the biggest, easiest feature no CA has implemented is CTLog monitoring / reconciliation. The problem I have with LE even on a small scale is that I'm grabbing certificates for ~20 (sub)domains. I also have several of them set up via Cloudflare. With CTLog monitoring notifications (via Cloudflare and Facebook), I get too many notifications. I don't know what's coming or going or which machines are requesting certificates for which (sub)domains.
A service like ZeroSSL is already acting like a central point of certificate management (for me), so it's the ideal location to do CTLog monitoring since the bulk of certificate issuances happen there. That means legitimate CTLog entries can be reconciled and ignored silently (they'll already show up in the dashboard).
I'm not sure how user accounts work in ACME, but the other thing I'd like is to be able to track which user or machine requested a certificate.
I'm sure something like that could also be built as a proxy. I thought about trying once, but it's firmly in my "things I'll never get to" idea box. Lol.
Another problem I've had with LE that could use a solution is a 3rd party service that I signed up for requesting certificates, but not installing them correctly and hitting the LE limits for that domain. If the mindshare changes from LE to ACME, maybe there'll be a day where 3rd parties will let me specify an ACME provider and link it to my main account somehow.
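The reconciliation described in the comment above, as an added example (not code from this thread, from Caddy, or from any CA): CT monitor entries are matched against an inventory of certificates you know you requested, matches are attributed silently to the requesting machine, and everything else is surfaced. The feed fields, the inventory keyed by issuer and serial, the CA labels, and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class CTEntry(NamedTuple):
    issuer: str     # issuer name as reported by the CT monitor (assumed field)
    serial: str     # hex serial; formatting varies between monitors
    names: tuple    # DNS names in the certificate
    precert: bool   # True for the precertificate log entry

def norm_serial(serial: str) -> str:
    """Normalise '04:AB:01', '0x04ab01' and '4ab01' to the same key."""
    s = serial.lower().replace(":", "").removeprefix("0x")
    return s.lstrip("0") or "0"

def reconcile(ct_entries, inventory):
    """inventory maps (issuer, serial) -> label of the machine that requested it.
    Returns (attributed, alerts): known issuances grouped by requester, and
    issuances that appear in CT but not in the inventory."""
    inv = {(i, norm_serial(s)): who for (i, s), who in inventory.items()}
    seen = defaultdict(set)
    for e in ct_entries:
        # A precertificate and its final certificate share issuer + serial,
        # so both log entries collapse into one issuance here.
        seen[(e.issuer, norm_serial(e.serial))].update(n.lower() for n in e.names)
    attributed, alerts = defaultdict(list), []
    for key, names in sorted(seen.items()):
        if key in inv:
            attributed[inv[key]].append(key[1])
        else:
            alerts.append((key[0], key[1], sorted(names)))
    return dict(attributed), alerts

# Constructed sample data: an inventory export and a CT monitor feed.
INVENTORY = {
    ("Example CA A", "04:AB:01"): "web-1",
    ("Example CA A", "04ab02"): "mail-1",
}
CT_FEED = [
    CTEntry("Example CA A", "04ab01", ("www.example.test",), True),
    CTEntry("Example CA A", "04AB01", ("www.example.test",), False),
    CTEntry("Example CA A", "04:ab:02", ("mail.example.test",), False),
    # Same serial from a different issuer is a different certificate.
    CTEntry("Example CA B", "04ab01", ("www.example.test",), False),
    CTEntry("Example CA B", "7f10", ("shop.example.test", "Example.test"), True),
]

if __name__ == "__main__":
    attributed, alerts = reconcile(CT_FEED, INVENTORY)
    print("attributed:", attributed)
    for issuer, serial, names in alerts:
        print("ALERT unexpected issuance:", issuer, serial, names)
```

Keying on issuer plus serial rather than on the domain name is what keeps a second CA issuing for the same name from being silenced by an existing inventory entry.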
ACME has a concept of EAB (external account binding) credentials, basically like an API key. https://zerossl.com/documentation/acme/
Caddy supports this, so what you want to do should be covered.
> In an effort to ensure the widest possible SSL certificate coverage around the world, our team has decided to keep all ZeroSSL certificates created using the ACME protocol completely free of charge.