A certificate for a 63-character domain


#1

I have a domain that’s 63 characters long, and the .com extension.

I always seem to run into issues getting a Let’s Encrypt certificate for the domain. Is there a workaround or are longer domains never going to be able to get an SSL?


#2

What issue are you running into?

The Common Name field in certificates is limited to 64 characters. Conveniently, it’s been deprecated for ~~15~~ 20 years. Inconveniently, CAs still use it.

Let’s Encrypt is pursuing valid and compatible ways to issue certificates without it, but doesn’t do so yet.

The current workaround is to include a shorter domain in the certificate, for use in the Common Name, as well as your longer names.

For example, if you’re using Certbot, you can do:

certbot run -d i-hate-common-name.short-domain.com -d long-long-long-long-long-long-long-long-long-long-domain.com -d www.long-long-long-long-long-long-long-long-long-long-domain.com


#3

Hi @bbox

I’ve tested it with

www.this-is-a-very-long-really-very-long-name-of-this-small-bdomain.server-daten.de

And saw the error @mnordhoff has described:

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Error finalizing order :: CN was longer than 64 bytes",
"status": 400
}


#4

@mnordhoff’s explanation is exactly right. Eventually we can partially automate the workaround in Certbot (and maybe also improve the error message), but the real fix would be CN deprecation at the CA.


#5

I remember talking about cert limits last year, where we concluded the limits were (at that time):

Limits contain the full length of the FQDN (including TLDs)


#6

So, now I have created the certificate:

https://this-is-a-very-long-really-very-long-name-of-this-small-bdomain.server-daten.de/

The site is a standard site. But the subdomain is long enough.

So if you add a shorter domain name as CommonName, you can have such a long domain name.

PS: It’s only a test certificate (Fake LE).

DNS-Name: www.server-daten.de
DNS-Name: this-is-a-very-long-really-very-long-name-of-this-small-bdomain.server-daten.de
DNS-Name: www.this-is-a-very-long-really-very-long-name-of-this-small-bdomain.server-daten.de

www has a standard redirect to non-www, http a standard-redirect to https.