I asked how to handle installing LE on my work’s setup of ~150 subdomains, split 50% AWS ELB and 50% HAProxy, and based on the feedback from the thread, we decided to handle SSL termination on our EC2 instances instead of our ELB/HAProxy.
I developed a plan to split our sites into different certs based on their root domain’s first letter. So, cert 1: abcd, cert 2: efgh, cert 3: ijkl, etc. (see appendix 1).
It’s my understanding that when you run certbot renew it renews all certs, and not just specific ones.
Reading the Rate Limit docs:
To make sure you can always renew your certificates when you need to, we have a Renewal Exemption to the Certificates per Registered Domain limit. Even if you’ve hit the limit for the week, you can still issue new certificates that count as renewals. An issuance request counts as a renewal if it contains the exact same set of hostnames as a previously issued certificate. This is the same definition used for the Duplicate Certificate limit described above. Renewals are still subject to the Duplicate Certificate limit. Also note: the order of renewals and new issuances matters. To get the maximum possible number of certificates, you must perform all new issuances before renewals during a given time window.
Note that the Renewal Exemption also means you can gradually increase the number of certificates available to your subdomains. You can issue 20 certificates in week 1, 20 more certificates in week 2, and so on, while not interfering with renewals of existing certificates.
Because I have 120 sites over 73 domains, I’d need to renew certificates the same way I requested them, correct?
certbot-auto renew -n -d site1.a.com -d site2.b.com -d site3.c.com
certbot-auto renew -n -d site4.d.com -d site5.e.com -d site6.f.com
certbot-auto renew -n -d site7.g.com -d site8.h.com -d site9.i.com
Any help would be much appreciated!
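The bucketing plan and the renewal definition quoted in the post above, worked through as an added Python example (not the poster's code and not part of certbot). The sample hostnames are constructed, the buckets after "ijkl" are assumed, and treating the last two labels as the root domain is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample hostnames, not the poster's real sites.
SITES = ["site1.a.com", "site2.b.com", "site3.c.com", "site4.d.com",
         "site5.e.com", "shop.a.com", "site9.i.com"]
# First three buckets come from the post; the remaining ones are assumed.
BUCKETS = ["abcd", "efgh", "ijkl", "mnop", "qrst", "uvwx", "yz"]


def root_domain(host):
    # Assumption: the registered domain is the last two labels.
    # Names under suffixes such as co.uk need the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def plan_certs(hosts):
    """Group hostnames into one certificate per first-letter bucket."""
    groups = defaultdict(set)
    for host in hosts:
        first = root_domain(host)[0]
        bucket = next((b for b in BUCKETS if first in b), "other")
        groups[bucket].add(host.lower())
    return {bucket: frozenset(names) for bucket, names in groups.items()}


def is_renewal(request, issued):
    """True if the request has the exact same hostname set as an issued cert.

    Order and case do not matter; one added or removed name makes it new.
    """
    return frozenset(name.lower() for name in request) in set(issued)


def order_requests(requests, issued):
    """Put new issuances before renewals, as the quoted docs require."""
    issued = set(issued)
    # False (new issuance) sorts before True (renewal); sorted() is stable.
    return sorted(requests, key=lambda req: is_renewal(req, issued))


if __name__ == "__main__":
    plan = plan_certs(SITES)
    for bucket, names in sorted(plan.items()):
        print(bucket, sorted(names))
    print(is_renewal(["site5.e.com", "new.e.com"], plan.values()))
```

Adding a site to an existing bucket changes that certificate's hostname set, so the next request for that bucket is a new issuance rather than a renewal.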