Free SSL guide • 2026
Buypass Go SSL
Buypass discontinued Go SSL on October 16, 2025. What changed, the free CAs to use instead, and how to make sure any remaining Buypass certificate does not silently expire.
Independent guide • Not affiliated with Buypass AS
Status: discontinued (October 16, 2025)
Buypass AS officially stopped selling TLS/SSL certificates on October 16, 2025. New orders, renewals and replacements are not accepted. Buypass cited "a comprehensive assessment of the market situation and the regulatory framework surrounding TLS/SSL certificates" as the reason.
Existing Buypass Go SSL certificates remain valid until they expire. CRL and OCSP services continue normally for the rest of each certificate's lifetime, and Buypass said it will send expiry notifications "as per the standard procedure" — but if you rely on these alerts, set up an independent monitor as a backup.
What Buypass Go SSL was
Buypass Go SSL was a free Domain Validation (DV) certificate service from Buypass AS, a Norwegian certificate authority trusted by every major browser. It was one of the few free ACME-compatible CAs alongside Let's Encrypt, ZeroSSL and (later) Google Trust Services.
The headline differentiator was certificate lifetime: 180 days, twice as long as Let's Encrypt's 90-day default. That meant half as many renewal cycles, which appealed to teams running older infrastructure or wanting a backup CA. Some older articles describe Go SSL as a "1-year free" certificate, but that was never accurate — the 1-year option only applied to Buypass's paid certificates.
Go SSL did not support wildcard certificates, and the issuance volume was capped by a per-account rate limit. Setup was standard ACME: point certbot, acme.sh, lego or another ACME client at the Buypass directory URL (https://api.buypass.com/acme/directory) and register an account.
Buypass Go SSL vs Let's Encrypt
| Buypass Go SSL | Let's Encrypt | |
|---|---|---|
| Status (2026) | Discontinued Oct 16, 2025 | Active, default free CA |
| Certificate lifetime | 180 days | 90 days |
| Renewals per year | ~2 | ~4 (best practice: every 60 days) |
| Validation | DV only | DV only |
| Wildcard support | No | Yes (DNS-01) |
| ACME | Yes (when active) | Yes — universal client support |
| Issuance rate limits | Per-account daily cap (~20 certs/day, historical) | 50 certs / registered domain / week + ordering rate limits |
| Browser trust | Yes, all major browsers | Yes, all major browsers |
| Expiration emails | Yes (continues for remaining certs) | Stopped June 4, 2025 |
Rate limit numbers reflect historical Buypass policy and current Let's Encrypt limits at letsencrypt.org/docs/rate-limits/. Always confirm with the upstream source before relying on a specific number.
Free alternatives to Buypass Go SSL
1. Let's Encrypt — the default replacement
For almost every Buypass Go SSL user, Let's Encrypt is the right migration target. It is the most widely used free CA, supported by every ACME client (certbot, acme.sh, lego, win-acme, Caddy, Traefik, cert-manager) and every major hosting platform. 90-day certificates, full wildcard support via DNS-01, and no per-account credentials to manage.
Migration: change your ACME client's directory URL to https://acme-v02.api.letsencrypt.org/directory, re-register, and renew. No account binding step needed.
Heads up: Let's Encrypt stopped sending expiration emails on June 4, 2025 — set up an independent monitor before you cut over.
2. ZeroSSL — friendlier UI, ACME with EAB
ZeroSSL (operated by IdenTrust, parent of Sectigo) offers free 90-day DV certificates over both a web dashboard and ACME. ACME requires generating External Account Binding (EAB) credentials in the ZeroSSL dashboard and passing them to your client (--eab-kid / --eab-hmac-key on certbot).
Worth picking if you want a web UI for occasional manual issuance, or if you want a second CA on a different operational track from Let's Encrypt.
3. Google Trust Services — ACME with EAB
Google Trust Services issues free public DV certificates over ACME with EAB credentials from a Google Cloud project. 90-day lifetime, wildcard support, and a separate operational footprint from Let's Encrypt — useful as a redundancy CA so a single CA outage does not take you down.
Setup overhead is higher than Let's Encrypt (you need a GCP project and EAB credentials), so it is usually paired with Let's Encrypt rather than used standalone.
4. Cloudflare Universal SSL — if you proxy through Cloudflare
Not an ACME CA you talk to directly — Cloudflare provisions and renews a free DV certificate for any domain proxied through them. Zero setup beyond DNS, but only an option if you are willing to put your traffic through Cloudflare's edge.
See the full comparison: Free SSL Certificate Providers Compared (2026).
ACME setup basics (for the new CA)
Any ACME client you used with Buypass will work with Let's Encrypt, ZeroSSL or Google Trust Services. The differences are the directory URL and, for ZeroSSL and Google, the EAB credentials.
certbot (Let's Encrypt):
sudo certbot certonly --standalone \
-d example.com -d www.example.com \
--email [email protected] --agree-toscertbot (ZeroSSL with EAB):
sudo certbot certonly --standalone \
--server https://acme.zerossl.com/v2/DV90 \
--eab-kid YOUR_KID --eab-hmac-key YOUR_HMAC \
-d example.com --email [email protected] --agree-tosacme.sh (Let's Encrypt, the default):
acme.sh --issue -d example.com --standalone --server letsencrypt
For wildcard certs, use DNS-01 validation (--preferred-challenges dns) with a DNS provider plugin. This is one place Let's Encrypt and ZeroSSL outperform what Buypass Go SSL ever offered — Go SSL never issued wildcards.
Rate limits and gotchas to know
- • Buypass renewal attempts will fail. If you have a cron job that runs
acme.sh --renew --server buypass, it will start failing after Oct 16, 2025. The cert keeps working until its expiry date, but the renewal job is dead. Swap the server before that. - • Let's Encrypt rate limits. 50 certificates per registered domain per week, 5 duplicate certs per week, 300 new orders per account per 3 hours. Most sites never hit these; CDNs and multi-tenant platforms do. See letsencrypt.org/docs/rate-limits/.
- • ZeroSSL EAB credentials are per-account. Don't commit them to a public repo. Rotate if leaked.
- • Email expiration alerts are not a renewal mechanism. Buypass still sends them for now, Let's Encrypt stopped in June 2025. Either way, treat them as informational; the source of truth is the live cert on your domain.
- • Multiple ACME clients on one host. If you migrate from Buypass to Let's Encrypt without removing the old client, two cron jobs can fight over port 80 or the cert files. Remove or disable the Buypass renewal before standing up the new one.
- • Reissuance after key compromise. Existing Buypass certs can be revoked (OCSP/CRL stays online), but they cannot be re-issued. If you need a clean key, switch CA first.
- • OCSP stapling configs. Most servers (nginx, Caddy, Apache) handle stapling transparently, but if you hard-coded Buypass OCSP responder URLs anywhere, remove them — they'll only respond for the lifetime of existing certs.
Monitor any remaining Buypass certificate with Certimon
If you still have Buypass Go SSL certificates serving production traffic, the priority is making sure none of them silently slip past expiry. Buypass said it will keep sending expiry notifications for existing certificates, but treating that as your only alerting path is a single point of failure — especially during a CA wind-down where contact records and email delivery can drift.
Certimon is a free, CA-agnostic monitor. It does a live TLS handshake against your domain and sends a Telegram reminder a configurable number of days before the certificate expires. It works for Buypass, Let's Encrypt, ZeroSSL, Cloudflare, internal CAs — anything served over public HTTPS.
Set up a free 30-day expiry alert for a Buypass cert
- 1. Open @CertimonBot on Telegram and press Start.
- 2. Send
/remind example.com 30for each domain still served by a Buypass certificate. - 3. Add a second window for safety:
/remind example.com 7. - 4. When the 30-day alert fires, run your CA migration (see the alternatives above) so the new certificate is in place well before the Buypass one expires.
Unlimited domains, no signup, no credit card. The alert lands in Telegram where your team is already on-call, not in an inbox nobody reads.
FAQ
Is Buypass Go SSL still available in 2026?
No. Buypass discontinued the sale of TLS/SSL certificates on October 16, 2025. New orders, renewals and replacements are not accepted. Existing certificates remain valid until expiry, and OCSP/CRL services continue normally for their lifetime.
How long do Buypass Go SSL certificates last?
180 days — not the 1-year lifetime some older articles claim. The 1-year option only applied to paid Buypass certificates. As of October 2025 no new Go SSL certificates are issued at all.
What is the best free alternative to Buypass Go SSL?
Let's Encrypt is the default replacement for almost everyone — fully automated 90-day DV certificates over ACME, supported by every major client and platform. ZeroSSL and Google Trust Services are the main ACME alternatives if you want a backup CA.
Can I still renew an existing Buypass Go SSL certificate?
No. Renewals stopped on October 16, 2025. Any existing Buypass certificate keeps working until its expiry date, then needs to be replaced with a certificate from a different CA.
Does Buypass Go SSL support wildcard certificates?
No, it never did. For free wildcard certificates use Let's Encrypt or ZeroSSL with DNS-01 validation.
How do I monitor a Buypass Go SSL certificate so it doesn't silently expire?
Send /remind example.com 30 to @CertimonBot. Certimon does a live TLS handshake and sends a free Telegram reminder 30 days before expiry, regardless of CA.
Don't let a discontinued CA take your site down quietly.
Migrate off Buypass to Let's Encrypt, ZeroSSL or Google Trust Services — and set a free Certimon alert on every remaining Buypass certificate so the cutover happens on your schedule, not the cert's.
Start free SSL monitoring