Actually, this is not MY problem; this is trouble from a friend of mine who uses Let's Encrypt.
He gets this error message:
The request message was malformed :: Error creating new cert :: CSR contains more than 100 DNS names
Please see the logfiles in
/var/log/letsencrypt for more details.
Yes, he has more than 100 domains, and he wants to apply a certificate to them.
And what I want to ask is: can't he apply a Let's Encrypt cert to more than 100 domains, or can the limitation be relaxed?
The reason for using more than 100 domains is "I just want SSL on all of my domains".
And so, using more than one certificate.
Also, when someone issues more than one cert, doesn't the newer one cover the old one? That is, could he use two separate certificates, one for 100 domains and the others in a second certificate?
You can have thousands of domains with SSL certs; that doesn't mean they all need to be on a single certificate. Hence my question of what the reason / need was for over 100 domains on a single certificate? It's generally not good practice, and slow (for users connecting), if you have a large number of SANs on a single certificate.
But especially in comparison with StartSSL (which sadly got kicked), wildcards are pretty expensive from traditional CAs because you are paying them for everything, while StartSSL had a very nice and understandable pricing model: you pay once for the verification of your company or yourself and you can get as many certs with any domains you validated (domain validation, by the way, costs nothing) as long as the validation lasts (1 year), even though the certs' own lifetime is longer.
Good to know that. Especially for the server running on my home-based dinosaur. Many single-name certs vs. a few multi-name certs was one of my internal "best choice" debates.
What domains a server hosts may be public information, but it’s not necessarily discoverable information. So if you know one domain name, you can connect to the server and retrieve that website, but you can’t easily find out which other domains there are, unless you are in a MitM position and can sniff traffic.
Stuffing all (even unrelated) domains into one cert gives up that advantage and makes previously undiscoverable information discoverable.
CT logs don't carry information about which names end up on the same server/network. It's not only about knowing which domains exist, but also about which domains are operated by the same entity. This might be relevant to some people, for example if the local church operates a gambling shop or something like that.
If both sites live on the same server, you could still plausibly deny that they’re both yours. If you stuff them into the same cert, that might become just a bit harder to deny.
Anyway, that’s probably too abstract for most people. I just threw it out there.
Why that? You could just say you use the same cert so non-SNI clients (WinXP and other old stuff) can work with it. It isn't really "hard" to deny the connection.
Most client implementations (web browsers) support only a limited number of SAN entries per certificate. As an example, Windows’ crypto stack (relevant for IE/Edge/possibly Chrome on Windows) sets the limit at 4KB for the SAN extension, which translates to about 100-200 domains (depending on their length). 100 is probably the sweet spot where most users won’t run into compatibility issues by accident, so I don’t see this limit changing significantly.
SNI with multiple certificates or a wildcard certificate from a different CA (if the certificates are all for subdomains of the same parent domain) would be your best option here.
Totally different domains. Just domain.tld and www.domain.tld.
It's possible but very tedious to create a unique certificate for each domain.tld this way, and that'll be 100+ renewed certificates instead of 1 certificate with 100 domains.
Seems the SAN limit in this case is not working in favour of certificates this way =)
There’s really not much Let’s Encrypt can do about the limitations in the ecosystem regarding the number of SANs on the same certificate.
You can use SNI with SAN certificates, bundling up to 100 domains on a single certificate - that’s what Cloudflare does for their free SSL offering. However, that might be difficult to manage so I can understand if you’d rather stick with one name per certificate for that use case. (In fact, that’s what Squarespace did, and they issued millions of certificates.)
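The split the thread converges on (several certificates of at most 100 names each, kept under the roughly 4KB SAN-extension ceiling mentioned above, with domain.tld and www.domain.tld on the same certificate) as an added Python example; this is not code from the thread or from Let's Encrypt, and the DER size estimate and the reading of the 4KB figure as the encoded extension value are assumptions.

```python
from typing import Dict, List

MAX_NAMES_PER_CERT = 100        # per-certificate limit quoted in the thread
MAX_SAN_EXTENSION_BYTES = 4096  # Windows SAN-extension ceiling quoted above
# Assumption: the 4KB ceiling applies to the DER-encoded extension value.


def der_length_field(content_len: int) -> int:
    """Bytes DER needs for a length field (short form below 128, else long form)."""
    if content_len < 0x80:
        return 1
    return 1 + (content_len.bit_length() + 7) // 8


def san_extension_size(names: List[str]) -> int:
    """Approximate DER size of a SubjectAltName value: a SEQUENCE of dNSName
    entries ([2] IMPLICIT IA5String), i.e. tag + length + name bytes each."""
    inner = sum(1 + der_length_field(len(n)) + len(n) for n in names)
    return 1 + der_length_field(inner) + inner


def group_by_site(names: List[str]) -> List[List[str]]:
    """Keep domain.tld and www.domain.tld together, as the poster deploys them."""
    groups: Dict[str, List[str]] = {}
    for n in sorted(set(names)):
        base = n[4:] if n.startswith("www.") else n
        groups.setdefault(base, []).append(n)
    return list(groups.values())


def plan_certificates(names: List[str], max_names: int = MAX_NAMES_PER_CERT,
                      max_bytes: int = MAX_SAN_EXTENSION_BYTES) -> List[List[str]]:
    """Greedily pack site groups into as few certificates as both limits allow."""
    certs: List[List[str]] = []
    current: List[str] = []
    for group in group_by_site(names):
        if len(group) > max_names or san_extension_size(group) > max_bytes:
            raise ValueError(f"site {group[0]} alone exceeds a limit")
        candidate = current + group
        if current and (len(candidate) > max_names
                        or san_extension_size(candidate) > max_bytes):
            certs.append(current)   # close the current certificate, start a new one
            candidate = group
        current = candidate
    if current:
        certs.append(current)
    return certs


# Constructed sample: 120 sites, each as siteN.example plus www.siteN.example.
SAMPLE_NAMES = [f"{www}site{i}.example" for i in range(120) for www in ("", "www.")]
```

With the constructed 240 names this yields three certificates of 100, 100 and 40 names, each well under the 4KB estimate.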