Hi! Nick here from Pomerium.
Your post is actually timely. I’m not sure why you went with ZeroSSL, but Let’s Encrypt works great with autocert and is the default. I did run into rate limit issues, but it was on my end due to misconfiguration. My container kept destroying the folder that had the certs already provisioned. 
I actually wrote about it, Don't Get Rate-Limited: Use Let's Encrypt Staging - DEV Community.
I’d say give Let’s Encrypt a go again and if you’re testing things out, just use their staging URL until you’re certain of your config and then use the prod Let’s Encrypt URL (default URL for autocert).
