1 certificate for UNLIMITED domains / any domain without updating current certificate

Hi there

I'm running a website builder, like wix.com, and I would like to use SSL for all domains connected to my builder, like Wix does.

Is there any solution to solve this?

Many thanks


Edit 1:

I found this - https://support.wix.com/en/article/troubleshooting-your-ssl-certificate - this guides users on how to enable SSL for external domains (not purchased from Wix).

But this link - https://support.wix.com/en/article/request-third-party-ssl-certificates - says: no third-party SSL certificates.

So users only need a domain (from any registrar) to use SSL on Wix? How does Wix set this up?

Do you have access to a root shell, or is it managed hosting?

2 Likes

Yes, I'm using a VPS with full control.

Currently my builder can accept all incoming external domains via a CNAME record (without SSL), but I want to make them all use SSL.

In that case you should read Certbot’s guide for your OS (https://certbot.eff.org/instructions). According to certbot’s website (https://certbot.eff.org/hosting_providers), Wix does offer partial HTTPS support, but the tutorial link is invalid. This leads me to believe that Wix no longer offers HTTPS.

3 Likes

You mean this tutorial is wrong: https://support.wix.com/en/article/troubleshooting-your-ssl-certificate ?

Currently, my SSL certificate (issued by LE) is a single one for multiple domains, made with the command from this link - How do I obtain a multi domain certificate?

But this is a manual setup. Is there any solution to accept any domain (pointed to my builder by a CNAME record) automatically, without changing/renewing the certificate manually?

No, just saying that it is irrelevant, since it is troubleshooting, when I'm guessing that you don't have a certificate in the first place.

3 Likes

Yes, so is there any SSL certificate for my purpose?

Then you need to read up on how to set up SSL certs:

It's not magic, you will have to do some work.
But ideally it would be set up in a completely automated fashion, so you will only need to do it once.

Now to specifically address your topic title.
The only certificate that can remain unchanged while adding new domain names to it, would be a "wildcard" cert and only if the added domain is an immediate subdomain of the base domain.
Like:
*.your.domain
would cover all possible single names that end with ".your.domain".
But it would not cover:
some-other.domain.name
That is just not possible.
You would need to reissue the cert every time you wanted to include such a different name.

5 Likes
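The wildcard rule in the reply above, as an added example (not code from the thread): a helper that checks whether a certificate's current SAN list already covers an incoming customer domain or whether the cert would have to be reissued. The certificate names and incoming domains are constructed sample data.

```python
# Added example, not from the thread: does the current certificate already cover
# a hostname, or must it be reissued? "*" stands for exactly one DNS label, so
# *.your.domain covers www.your.domain but not a.b.your.domain, your.domain
# itself, or some-other.domain.name.

def _normalise(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is the same name.
    return name.rstrip(".").lower()

def san_matches(san: str, hostname: str) -> bool:
    """True if one SAN entry (exact name or wildcard) covers hostname."""
    san, hostname = _normalise(san), _normalise(hostname)
    if not san.startswith("*."):
        return san == hostname
    base = san[2:]
    # The wildcard may only replace the single left-most label.
    head, sep, rest = hostname.partition(".")
    return bool(sep) and head != "" and "*" not in head and rest == base

def covered_by(san_list, hostname: str) -> bool:
    return any(san_matches(san, hostname) for san in san_list)

def plan_new_domains(san_list, new_domains):
    """Split incoming domains into already-covered vs. needs-a-reissue."""
    covered = [d for d in new_domains if covered_by(san_list, d)]
    reissue = [d for d in new_domains if not covered_by(san_list, d)]
    return covered, reissue

if __name__ == "__main__":
    # Constructed sample: the builder's current cert and a batch of CNAME'd domains.
    current_sans = ["builder.example", "*.builder.example"]
    incoming = ["alice.builder.example", "a.b.builder.example",
                "some-other.domain.name", "BUILDER.EXAMPLE."]
    print(plan_new_domains(current_sans, incoming))
```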

Yes, I made my VPS accept wildcard domains.

But now I would like to accept custom domains, not subdomains.

Is there any solution to reissue the cert automatically via PHP only?

Many thanks

Hi @PREScriptZ,

There are some ACME clients implemented in PHP that you might be able to use:

In general I think you should be aware that if you want to integrate Let's Encrypt with a hosting service you're creating, it will probably require some effort and custom programming on your part (even though existing tools may be helpful to you). We've had some other threads here where people were creating their own hosting services and sometimes they were somewhat reluctant to realize that there is probably no off-the-shelf 100% solution for their use cases.

Another thing you might want to look at is the Caddy server, which puts the certificate issuance process inside the HTTP server itself (!). This might be better in some ways and worse in other ways for your application.

4 Likes

Thank you so much, this seems to be the solution for my issue now.

But I found this link - How many domains in a certificate? - #3 by jmorahan - it seems I can only add up to 100 domain names per cert?

This rate is far too low for a site builder with thousands of created sites.


I also found that Wix issues its own cert for each domain. Does Wix work as a registrar & hosting provider like BlueHost?


If my builder runs as a registrar & hosting provider, is there any solution for me to issue my own cert for each sold domain automatically?

Or if my users have a domain at some registrar and buy/get some SSL cert (such as from sslforfree.com), how do I assign this cert to my builder to accept the user's domain via SSL?

Thanks

It may help to understand that a wildcard counts as just one name for the purposes of this limit.

2 Likes

Yes, I knew this, but I really need unlimited.

My builder allows all custom domains to connect, such as somedomain.com, other.net, again.org, newother.io, etc. So 100 is far too low.

Okay, then why not use several different certificates? There's no limit to how many different certificates you can have - only rate limits to how quickly you can get them.

3 Likes

I don't think it would make much sense to have one certificate with 5000 names on it.

4 Likes

To expand on what @jmorahan and @rg305 pointed out, if the certificates cover different domains, there is no limit to how many different certificates you can get. So if one customer comes to you with example1.com and another comes with example2.net, the certificate you get for the first customer doesn't prevent you from also getting a separate certificate for the second customer.

And combining different customers' domains in a single certificate can create some risk for you, in case the certificate has to be revoked (for example, because one of the domains it covers was unexpectedly transferred to someone else), or in case some customers transfer names away without telling you, or in case some customers have unreliable DNS service. In the second two cases, you might have unexpected renewal failures because Let's Encrypt can't validate some of the names in an existing certificate properly for the renewal, even though other names can be validated correctly.

There are CDNs and shared hosting providers that do combine multiple customers' domains in a single certificate, but they usually do a lot of extra programming to try to handle these cases. The Let's Encrypt service makes it easier for you by allowing you to reuse successful authorizations without repeating the proof of control (so if you know which ones succeeded, you know which names you'll be able to request a certificate for), but most of the already-written client applications for Let's Encrypt don't really take advantage of this in a way that's very helpful for a shared hoster.

For example, with Certbot, the entire certificate renewal will just fail if even a single name in the certificate fails to validate. If you just used certbot renew for a certificate covering multiple customers' domain names, that means that one customer could break the renewal for another customer by misconfiguring his or her DNS!

Now, Certbot (for example) has an option called --allow-subset-of-names, which will simply forget about names that fail to validate during certificate issuance, causing them to no longer be part of a certificate. This is good if your priority is to make sure that the certificate gets issued correctly, but it's also not a great option for a shared hoster, because Certbot then permanently forgets that you wanted a certificate for the failed names, even if the failure was temporary. It doesn't store them somewhere to "try again tomorrow" or something.

So if you do combine separate customer names on a single certificate, in order to have reasonably reliable renewal even given the risk that customers who brought their own domain names will unexpectedly misconfigure them or take them away, you would probably need to write your own software to interact with Let's Encrypt that keeps track of exactly which validations have succeeded or failed, and adjusts your certificate coverage to aggregate currently-succeeding renewed names while putting currently-failing names on a list to try again later. I believe that some large entities have effectively done something like this.

Alternatively, if you used a separate certificate per customer, then a renewal failure for one customer's domain would just not affect renewals for other customers' domains at all! So this could be preferable in terms of reliability and convenience for you, even though it involves a larger total number of certificates.

This might not apply if you plan to manage the certificates manually—depending on whether you're expecting to have more like 50 customers or more like 5000 customers.

7 Likes
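The bookkeeping the reply above says a shared hoster would have to write for itself, as an added example (not code from the thread or from any ACME client): each customer gets a separate order, only names whose validation succeeded go into the renewal, failed names are queued for a later retry instead of being forgotten the way `--allow-subset-of-names` would, and an order is split at the 100-names-per-certificate limit quoted earlier in the thread. The customer names, domains and validation outcomes are constructed sample data.

```python
# Added example, not from the thread: per-customer renewal planning that keeps
# track of which validations succeeded or failed, so one customer's broken DNS
# cannot break another customer's renewal.
from collections import defaultdict
from datetime import datetime, timedelta

MAX_NAMES_PER_CERT = 100  # limit quoted in the thread

def chunk(names, size):
    """Split a SAN list into certificate-sized pieces."""
    return [names[i:i + size] for i in range(0, len(names), size)]

def plan_renewals(validations, now, retry_after=timedelta(days=1),
                  max_names=MAX_NAMES_PER_CERT):
    """validations: list of (customer, name, succeeded: bool).

    Returns (orders, retry_queue): orders maps customer -> list of SAN lists to
    request now; retry_queue holds (name, customer, next_attempt) for names
    that failed validation, kept rather than silently dropped."""
    good = defaultdict(list)
    retry_queue = []
    for customer, name, ok in validations:
        if ok:
            good[customer].append(name)
        else:
            retry_queue.append((name, customer, now + retry_after))
    orders = {c: chunk(sorted(set(names)), max_names)
              for c, names in good.items()}
    return orders, retry_queue

if __name__ == "__main__":
    now = datetime(2017, 1, 1)  # constructed
    sample = [  # constructed validation results for three customers
        ("cust-a", "example1.com", True), ("cust-a", "www.example1.com", True),
        ("cust-b", "example2.net", False),  # cust-b misconfigured its DNS
        ("cust-c", "example3.org", True),
    ]
    orders, retries = plan_renewals(sample, now)
    print(orders)   # cust-a and cust-c renew; cust-b is absent from orders
    print(retries)  # cust-b's name waits for another attempt tomorrow
```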

Thanks a million. It seems this is the solution used by hosting providers?

But my builder is really not a hosting provider; I really don't provide any real hosting package. Users' domains connect to my builder via CNAME pointing only, not via nameservers.

In order to issue an SSL cert for each domain, must I provide real hosting packages with nameservers? Does it require me to create a VirtualHost (with its own cert files) for each pointed domain?

Really, thanks, because I'm a newbie.

Nameservers have nothing to do with web site hosting.
They are used by DNS service providers to host DNS zones.
And everything uses DNS... but it is not a requirement for the website hoster to manage the DNS zone.

3 Likes

Yes,

but it seems the solution of an SSL cert for each domain requires a real folder (VirtualHost) for each domain.

My builder uses only 1 VirtualHost for accepting all incoming domains. My builder uses 1 domain to process all requests from the other pointed domains; this is why I said my builder really doesn't provide real hosting packages. I call it just a "virtual host" in the back-end.

Is there any solution to create, handle and process many separate certs without creating folders for each domain?

Or if I create 1 self-signed certificate for all domains, does this cert have a limit on domains? And does Let's Encrypt support creating a self-signed certificate like this?

Regards

You can't provide many certs within one server block.
In most web servers...
Caddy might be able to do this type of dynamic cert-to-name assignment.

3 Likes