Applying more than 100 domains?

Actually, this is not MY problem, this is trouble from my Let's Encrypt user friend.

He has this error message:

The request message was malformed :: Error creating new cert :: CSR contains more than 100 DNS names
Please see the logfiles in
/var/log/letsencrypt for more details.

Yes, he has more than 100 domains, and he wants to apply a certificate to them.
And what I want to ask is, can't he apply a Let's Encrypt cert to more than 100 domains, or relax the limitation?

The limit is 100 domain names on a single certificate, so the short answer is usually to use more than one certificate.

Can you give a little background as to what the use case is that requires a large number of domains on a single certificate?


The reason for using more than 100 domains is 'just want SSL on all of my domains'.

And so,

using more than one certificate.

Also, when someone issues more than one cert, doesn't the newer one cover the old one? That means, could he use two separate certificates, using one for 100 domains and the others in a second certificate?

You can have thousands of domains with SSL certs; that doesn't mean they all need to be on a single certificate. Hence my question of what the reason / need was for over 100 domains on a single certificate? It's generally not good practice, and slow (for users connecting) if you have a large number of SANs on a single certificate.

I don't understand your question fully.

Normally, on a single server there will be lots of domains. Let's say it's a server with 200 domains. There will be domain1.com, which has associated subdomains www.domain1.com, mail.domain1.com, forum.domain1.com, and there will also be domain2.com, which also has www.domain2.com etc.

You can have a single certificate which is for domain1.com, www.domain1.com, mail.domain1.com, forum.domain1.com

A second certificate would be for domain2.com and www.domain2.com

You configure the server (via Apache, nginx, or whatever your webserver is) to use the correct certificate for the domain.

Hence my question: what is the reason / need for over 100 domains in a single certificate?


Well, one reason could be accommodating clients with a lack of SNI (Windows WebDAV, for example).

It could be, but rather than second-guessing I'd prefer to know what the actual reason is in this case.

That is certainly true.

Hi BluePencil

Commercial Wildcard certificates are also an option here.

I believe these are coming down in price. Let's Encrypt does not provide wildcard certificates.

It comes down to a choice between configuration effort and cost.

Don't forget you need to renew these certificates every 3 months.

But especially in comparison with StartSSL (which sadly got kicked), the wildcards are pretty expensive from traditional CAs because you are paying them for everything, while StartSSL had a very nice and understandable pricing model: you pay once for the verification of your company or yourself, and you can get as many certs with any domains you validated (domain validation, by the way, costs nothing) as long as the validation lasts (1 year), even though the certs' own lifetime is higher.

Good to know that. Especially for the server running on my home-based dinosaur. Many single-name certs vs. a few multi-name certs was one of my internal "best choice" debates.

Another point:

What domains a server hosts may be public information, but it’s not necessarily discoverable information. So if you know one domain name, you can connect to the server and retrieve that website, but you can’t easily find out which other domains there are, unless you are in a MitM position and can sniff traffic.

Stuffing all (even unrelated) domains into one cert gives up that advantage and makes previously undiscoverable information discoverable.

Just another thing to keep in mind.

Well, let's not forget that all data lies in CT. So if someone wants to find it, they probably will…

CT logs don't carry information about which names end up on the same server/network. It's not only about knowing which domains exist, but also about which domains are operated by the same entity. This might be relevant to some people, for example if the local church operates a gambling shop or something like that.

If both sites live on the same server, you could still plausibly deny that they’re both yours. If you stuff them into the same cert, that might become just a bit harder to deny.

Anyway, that’s probably too abstract for most people. I just threw it out there.

Why that? You could just say you use the same cert so non-SNI clients (WinXP and other old stuff) can work with it. It isn't really "hard" to deny the connection.

I have the same issue in a hosting environment with over 100 hostnames.

Can this limit be adjusted or is this purely a CSR issue and not an issuing certificate problem?

The reason for 100+ in the same cert is the ease of rolling out the same SSL configuration rather than adjusting it for each virtual hostname.

Most client implementations (web browsers) support only a limited number of SAN entries per certificate. As an example, Windows’ crypto stack (relevant for IE/Edge/possibly Chrome on Windows) sets the limit at 4KB for the SAN extension, which translates to about 100-200 domains (depending on their length). 100 is probably the sweet spot where most users won’t run into compatibility issues by accident, so I don’t see this limit changing significantly.

SNI with multiple certificates or a wildcard certificate from a different CA (if the certificates are all for subdomains of the same parent domain) would be your best option here.
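To make the two limits in this reply concrete, here is an added example (not code from this thread or from Let's Encrypt) that computes the DER-encoded size of a SAN extension for a list of dNSNames and packs whole sites (domain.tld plus its subdomains) into certificates of at most 100 names and at most 4096 bytes of SAN data. The 100-name cap is the limit from the error above; treating the 4KB Windows figure as a budget on this SEQUENCE is an assumption, and the site list is constructed.

```python
from typing import Dict, List


def der_length(n: int) -> bytes:
    """DER length octets for a content of n bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def san_extension_size(names: List[str]) -> int:
    """Byte length of the DER SEQUENCE OF GeneralName holding only dNSName
    entries, i.e. the SAN extension value before its OCTET STRING wrapper."""
    content = b""
    for name in names:
        raw = name.encode("ascii")  # dNSName is an IA5String
        content += b"\x82" + der_length(len(raw)) + raw  # [2] context tag
    return len(b"\x30" + der_length(len(content)) + content)


def pack_sites(sites: Dict[str, List[str]], max_names: int = 100,
               max_bytes: int = 4096) -> List[List[str]]:
    """Greedily assign whole sites to certificates so that no certificate
    exceeds max_names SANs or max_bytes of SAN data (4096 is an assumed
    budget based on the Windows figure quoted in the thread)."""
    certs: List[List[str]] = []
    current: List[str] = []
    for site, names in sites.items():
        if len(names) > max_names or san_extension_size(names) > max_bytes:
            raise ValueError(f"{site}: does not fit on a single certificate")
        candidate = current + names
        if len(candidate) > max_names or san_extension_size(candidate) > max_bytes:
            certs.append(current)  # start a new certificate for this site
            current = list(names)
        else:
            current = candidate
    if current:
        certs.append(current)
    return certs


# Constructed sample: 150 unrelated sites, each with a bare and a www name.
SAMPLE_SITES = {f"domain{i:03d}.tld": [f"domain{i:03d}.tld", f"www.domain{i:03d}.tld"]
                for i in range(1, 151)}

if __name__ == "__main__":
    for i, cert in enumerate(pack_sites(SAMPLE_SITES), 1):
        print(f"cert {i}: {len(cert)} names, SAN ~{san_extension_size(cert)} bytes")
```

With 300 short names the packer stops at the 100-name cap long before the byte budget matters, which is the point made in the reply above.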

Totally different domains. Just domain.tld and www.domain.tld.
It's possible but very tedious to create a unique certificate for each domain.tld this way, and that'll be 100+ renewed certificates instead of 1 certificate with 100 domains.

Seems the SAN limit in this case is not working in favour of certificates this way =)

Do you have any other suggestions on a solution?

There’s really not much Let’s Encrypt can do about the limitations in the ecosystem regarding the number of SANs on the same certificate.

You can use SNI with SAN certificates, bundling up to 100 domains on a single certificate - that’s what Cloudflare does for their free SSL offering. However, that might be difficult to manage so I can understand if you’d rather stick with one name per certificate for that use case. (In fact, that’s what Squarespace did, and they issued millions of certificates.)

There aren’t really any other options.
