Describe the bug
This is a feature request related to the ACME flow.
The "Preferred Certificate Authority" dropdown only lists hardcoded public CAs
(Let's Encrypt, ZeroSSL, Buypass, Google). There is no way to set a custom
ACME server as the default CA for automatic certificate generation on new proxy rules.
Custom ACME servers already work correctly in "Generate New Certificate" →
"Custom ACME Server", and the CA URL is properly saved in the per-certificate
.json sidecar file for auto-renewal. The gap is only in the Preferred CA
global setting.
Request Details
- ACME mode: HTTP challenge (auto-approved on internal network)
- CA used: Self-hosted custom ACME server (RFC 8555) bridged to internal PKI
- DNS provider: N/A
Error Message
N/A — this is a feature request, not a bug. The current behavior is that the
Preferred CA dropdown only shows public CAs hardcoded in src/mod/acme/ca.json
(embedded in the binary). There is no way to extend this list.
To Reproduce
- Go to Certificates → CA and Auto Renew (ACME)
- Open the "Preferred CA" dropdown
- Observe that only Let's Encrypt, ZeroSSL are available
- There is no "Custom" option or way to add a custom ACME directory URL
Expected behavior
Add a "Custom" option in the Preferred CA dropdown (similar to what already
exists in "Generate New Certificate"), so users can set a custom ACME directory
URL as the global default.
Alternatively: support a user-provided ca.json file in the config directory
that merges with or overrides the embedded one.
Use case
Internal infrastructure where domains cannot be validated by public CAs
(e.g. *.company.intra). A self-hosted ACME bridge connected to an internal
PKI (Infisical, Step-CA, CFSSL…) can issue certificates for these domains —
but it cannot be set as the preferred CA for new proxy rules.
Host Environment
- Arch: amd64
- Device: VM
- OS: Debian 12
- Docker: yes
- Docker Version: 27.x
- Zoraxy Version: latest (zoraxydocker/zoraxy:latest)
Describe the bug
This is a feature request related to the ACME flow.
The "Preferred Certificate Authority" dropdown only lists hardcoded public CAs
(Let's Encrypt, ZeroSSL, Buypass, Google). There is no way to set a custom
ACME server as the default CA for automatic certificate generation on new proxy rules.
Custom ACME servers already work correctly in "Generate New Certificate" →
"Custom ACME Server", and the CA URL is properly saved in the per-certificate
.jsonsidecar file for auto-renewal. The gap is only in the Preferred CAglobal setting.
Request Details
Error Message
N/A — this is a feature request, not a bug. The current behavior is that the
Preferred CA dropdown only shows public CAs hardcoded in
src/mod/acme/ca.json(embedded in the binary). There is no way to extend this list.
To Reproduce
Expected behavior
Add a "Custom" option in the Preferred CA dropdown (similar to what already
exists in "Generate New Certificate"), so users can set a custom ACME directory
URL as the global default.
Alternatively: support a user-provided
ca.jsonfile in the config directorythat merges with or overrides the embedded one.
Use case
Internal infrastructure where domains cannot be validated by public CAs
(e.g.
*.company.intra). A self-hosted ACME bridge connected to an internalPKI (Infisical, Step-CA, CFSSL…) can issue certificates for these domains —
but it cannot be set as the preferred CA for new proxy rules.
Host Environment