Free Tool to Grab ZeroSSL 1-Year Wildcard SSL Certificate

Update: This method is no longer functional. This post is retained for archival purposes only.

Today I saw someone released both the method and the script publicly, so I looked into it and packaged it into an executable program.

Open source repository:

https://github.com/TheTNB/zerossl

Usage:

  1. Register an account on the official website (zerossl.com) and save your account email and password. You need a VPN/proxy, as there is a hidden reCAPTCHA; you can use any random email, as no verification is required.
  2. Download the binary for your platform from the open source repository linked above, unzip it and run it.
  3. Follow the prompts to enter your account credentials and domain name (you must enter a wildcard domain in the format *.xxx.com), then submit.
  4. Next, go to the Draft section in the admin panel on the official website to complete domain verification and issue the certificate.
  5. After the certificate is successfully issued, go to the Issued section to download your certificate. certificate.crt is your domain certificate, ca_bundle.crt is the intermediate certificate. Append the content of ca_bundle.crt to the end of certificate.crt, then combine it with the private key generated by the program to complete assembling your full certificate.

Notes:

  1. One account can only issue one wildcard certificate. Register multiple accounts if you need certificates for multiple domains.
  2. It is strongly recommended to run ./zerossl.exe from cmd rather than double-clicking the executable. This prevents the program from exiting unexpectedly before you can save your private key.

How it works:
The approach is similar to the paid membership exploitation tricks that were popular years ago: you submit a paid subscription then immediately cancel it, and submit your certificate request before the system processes the cancellation.

2 Likes
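The chain assembly described in step 5 goes wrong when certificate.crt has no trailing newline, because plain concatenation then fuses the END and BEGIN markers and servers reject the file. The following is an added example, not code from the post or the linked repository: it rebuilds the chain from parsed PEM blocks, using hypothetical function names and constructed sample data that are not real certificates. It does not check that the private key matches the certificate.

```python
import base64
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
FUSED = "-----END CERTIFICATE----------BEGIN CERTIFICATE-----"

def pem_blocks(text):
    """Return every certificate in text as a normalised PEM block."""
    blocks = []
    for body in PEM_CERT.findall(text):
        # validate=True rejects stray characters inside the base64 body
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # a certificate is a DER SEQUENCE
            raise ValueError("PEM block does not contain DER data")
        b64 = base64.b64encode(der).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                                 "-----END CERTIFICATE-----"]) + "\n")
    return blocks

def build_fullchain(leaf_text, bundle_text):
    """Leaf first, then intermediates, one newline-terminated block each."""
    leaf = pem_blocks(leaf_text)
    if len(leaf) != 1:
        raise ValueError("certificate.crt must hold exactly one certificate")
    chain = pem_blocks(bundle_text)
    if not chain:
        raise ValueError("ca_bundle.crt holds no certificate")
    return "".join(leaf + chain)

def demo_pem(der, trailing_newline):
    """Constructed stand-in for a downloaded file (not a real certificate)."""
    b64 = base64.b64encode(der).decode()
    pem = f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"
    return pem + ("\n" if trailing_newline else "")

# Constructed sample data: tiny DER SEQUENCEs, leaf file lacks a final newline.
LEAF = demo_pem(b"\x30\x03\x02\x01\x01", trailing_newline=False)
BUNDLE = demo_pem(b"\x30\x03\x02\x01\x02", trailing_newline=True)

if __name__ == "__main__":
    print("naive concatenation fuses markers:", FUSED in LEAF + BUNDLE)
    fullchain = build_fullchain(LEAF, BUNDLE)
    print("repaired chain fuses markers:", FUSED in fullchain)
    print(fullchain, end="")
```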

Add SSL

That’s so cool.

If the relevant authorities find out, will they proactively revoke the SSL certificates that use this tool?

I don’t know, we’ll just use it for as long as it lasts.

It didn’t work at all. It shows that the submission was successful, but there is nothing at all on ZeroSSL.

Please use version v1.0.1 for now, or wait around 10 minutes for version v1.0.3. v1.0.2 has a bug.

Just let it die already, we are not issuing any more bills.

ZeroSSL has changed its subscription ID, and the latest version with the new ID has now been updated in the group (12370907).

I didn’t save the private key in time after getting my domain signed for a certificate. Is it not possible to register a new account and get the same domain signed again?

Alternatively, you can revoke the certificate using the original account, and you will be able to sign it once the revocation is completed.

Paired with 80% off Baidu Cloud servers, this is perfect. WeChat ID: vps12580

Can’t get on board now, huh? We’re gonna get our accounts banned :grimacing:

Officials detected violations and banned accounts.

:call_me_hand: :call_me_hand: :call_me_hand: