3,000 real estate agent web sites to switch to HTTPS


#1

How do we obtain and configure certificates for over 3,000 domains without having to process each one manually, neither ourselves nor the customers?

Surely other companies have this issue and have solved it.

Each domain is a different domain, they are not sub domains.

I have contacted my current SSL provider and they cannot place more than 50 domains onto a single very expensive certificate.

Without a solution to this issue, we and many other companies are unable to move to HTTPS, unlike those who just run one or two domains.

My domain is:
Cannot list them all here


#2

Hi,

You must process each one of them singularly… However, you could implement scripts to ask the server to auto request & renew it…

I don’t know if there’s any load balancer or whatsoever, but it’s not that easy to implement 3000 estate sites…

P.S. You must take advantage of the SNI technology… Or there’s kind of no privacy & security… (Each certificate could contain up to 100 domain names…)

Thank you


#3

Hi @apollogz

That depends on your system. Looking from outside, it’s impossible to find a good solution.

If the 3000 have the same configuration and if they are “centralized”, it may be very easy. One script, one domain, then run this 3000 times :wink:

Normally, you may use an api, not a client like certbot with command line options.

But if I know it correctly, you can define a redirect, so that

http://customerdomain.com/.well-known/acme-challenge/1234

is redirected to something like

https://yourownserver.com/acme-challenges/customerdomain.com.challenge.1234

so you can organize the challenge files in one directory of your own. So if you can create such “dynamic redirects” on each of these 3000 domains, it may be easier.
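The centralised challenge directory sketched in this post, as an added example (not code from the thread or from Let's Encrypt): a minimal responder that maps the redirected path back to one file per domain and token, validating both before touching the filesystem so a crafted path cannot name a file outside that directory. The hostnames, port and directory are assumptions; the token rules follow RFC 8555.

```python
"""Central http-01 challenge responder for the redirect scheme above (added example).
Every customer site redirects http://customerdomain.com/.well-known/acme-challenge/<token>
to https://yourownserver.com/acme-challenges/customerdomain.com.challenge.<token>, and this
server answers from one directory holding a file per pending challenge. Hostnames and the
directory are assumptions; token and hostname rules follow RFC 8555 / DNS."""
import re
import tempfile
from pathlib import Path
from http.server import BaseHTTPRequestHandler, HTTPServer
# RFC 8555 s8.3/s11.3: base64url, no padding, >=128 bits of entropy -> 22+ chars.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,128}$")
# Lower-case DNS labels only, so the name can never point outside the directory.
DOMAIN_RE = re.compile(r"^(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")
PATH_RE = re.compile(r"^/acme-challenges/([^/]+)\.challenge\.([^/]+)$")
DEFAULT_ROOT = Path(tempfile.gettempdir()) / "acme-challenges-demo"  # assumed location

def parse_challenge_path(url_path):
    """Return (domain, token) for a well-formed redirected path, else None."""
    m = PATH_RE.match(url_path)
    if not m:
        return None
    domain, token = m.group(1).lower(), m.group(2)
    if not DOMAIN_RE.match(domain) or not TOKEN_RE.match(token):
        return None
    return domain, token

def publish_challenge(root, domain, token, key_authorization):
    """ACME-client side: drop token.thumbprint into the shared directory."""
    Path(root).mkdir(parents=True, exist_ok=True)
    (Path(root) / f"{domain}.challenge.{token}").write_text(key_authorization)

def lookup_key_authorization(root, url_path):
    """Body to serve for a redirected request, or None (404). Only the validated
    domain and token form the filename, so a crafted path cannot escape root."""
    parsed = parse_challenge_path(url_path)
    if parsed is None:
        return None
    path = Path(root) / f"{parsed[0]}.challenge.{parsed[1]}"
    return path.read_text().strip() if path.is_file() else None

class ChallengeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = lookup_key_authorization(DEFAULT_ROOT, self.path)
        self.send_response(200 if body else 404)
        self.send_header("Content-Type", "application/octet-stream")
        self.end_headers()
        self.wfile.write((body or "not found").encode())

if __name__ == "__main__":  # run behind the TLS terminator for yourownserver.com
    HTTPServer(("0.0.0.0", 8080), ChallengeHandler).serve_forever()
```

The validator only ever sees `/.well-known/acme-challenge/<token>` on the customer host; the redirect is what lets all 3000 sites share this one directory, so the ACME client publishing the file and this responder must agree on the `<domain>.challenge.<token>` naming.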


#4

Yes, it would be very useful to know what kind of hosting environment these web sites are hosted in and how the hosting is configured.


#5

You’re correct that there are several ways companies have handled large integrations before, but it will require some work on your side as well. Without a better understanding of your infrastructure (are you a shared hosting provider?), you might want to check out the integration guide, if this is relevant to your situation:


#6

This does not help me when ordering SSL certs and with the high cost. Scripting installation is the easy part.


#7

I don’t follow. Let’s Encrypt certificates are free. What costs are you referring to?


#8

This also does not answer my question, only the server side scripting aspects which are not a challenge.


#9

MS Azure VM: Server 2008 R2, IIS.

We don’t need help with scripting suggestions for server side management.

If going HTTPS is required then at least we should be given a way of doing it for thousands of domains at once and at a very low cost per domain.

My question should have been: how does one actually afford to buy, add to cart, pay once for all, verify domain IDs, download certs for thousands of domains?


#10

Use Let’s Encrypt, which provides free certificates that are issued completely automatically once you set up the scripting side on your environment. Are you asking about obtaining certificates from a different public CA?


#11

Thanks that is a little more informative. What companies can handle mass SSL cert purchases via API? I cannot find any, even my easydns provider does not have mass SSL ordering. Godaddy might but their pricing for thousands of certs is crazy.


#12

Great! Best answer. That is why I came to this site. Do these free certs work in all major browsers?


#13

They do indeed! In fact, a Let’s Encrypt certificate is securing your connection to this very forum, and they are used by a very large number of services and providers.


#14

Thanks Jared. That is very helpful.


#15

I’m curious how you found this forum if you didn’t know that Let’s Encrypt is the name of a free public CA that issues certificates via an API.

I don’t mean that in a disparaging way—I’m working with people who are trying to improve our documentation and we’re also very curious how and what people hear about us. Did you follow a link or a suggestion from someone else, or do a web search for some particular term?

Meanwhile, you might be interested in all of

including

(You don’t necessarily have to develop your own client application using the API, but you may likely be able to script around an existing client or library.)


#16

The server side scripting includes a challenge. It’s an essential part of the ACME v2 protocol, which you have to use if you want to use Let’s Encrypt.

And if you build your own client, then you have to solve the challenge. If that works, it’s no problem to manage certificates for 5 or for 5000 domains.

The ACME-Protocol v2:

https://tools.ietf.org/html/draft-ietf-acme-acme-13

PS: I have built my own client, because I have my own subdomain service, where customers also route their own subdomains to their standard subdomains. So I use a Let’s Encrypt certificate for each of these external domains.


#17

I found a link on the BBC News web site in a story about the “not secure” warning now appearing on new versions of Chrome.


#18

Wow…

Is LE now featured on BBC?


#19

Thanks very much. That is very helpful.


#20

That article says

In addition, the Let’s Encrypt project aims to make it easy for small sites to adopt it by publishing easy-to-follow guides and tools that simplify the process.

This seems like a slightly unhelpful journalistic description because it doesn’t mention the fact that Let’s Encrypt is a CA that will actually offer certificates for free (which is indeed a big part of what many of the small sites care about).

@apollogz, thanks for the explanation!