How to enrol for arbitrary subdomains on demand (e.g.
d.e.f.other.com) without hitting rate limits.
State of the world:
Let’s Encrypt currently has a rate limit of 5 certificates per week per domain (certificates for subdomains are considered part of the domain for the purposes of this rate limit). There is also a limit of 100 names per certificate (I’m aware that this is a technical compromise because TLS certificates cannot be over a certain size or the TLS handshake will fail). Wildcard certificates are not supported by Let’s Encrypt.
Browsers do not currently support the standard for nested wildcard certificates (e.g.
*.*.domain.com) and a
*.domain.com certificate does not service
The public suffix list has been used in the past to avoid L.E. rate limits. This is probably not appropriate in general because it subverts the main purpose of the public suffix list. In my case it also doesn’t work for reasons I will describe below.
Use case: TLS termination as a service
Cloudflare, AWS, and others have been offering TLS certificates and certificate management as a service for cloud hosted services. In order to provide a service like this for custom domains with arbitrary sub domains (and to allow creation of subdomains on demand - useful in the case of an organisation with many people wanting to manage their own subdomains), as soon as subsubdomains enter the mix certificates need to be enrolled on demand due to the existing limitation on client support for nested wildcard certs.
The two solutions to this problem that I can see are: (1) run a certificate authority; (2) find a sensible way to allow a higher rate limits for Let’s Encrypt (e.g. maintaining a L.E. fork of the public suffix list, a sponsorship arrangement to provide more resources for Let’s Encrypt, raising the limit on sub domains only).
I know what’s involved with (1) and honestly I’d prefer to not do that (props to the Let’s Encrypt team for dealing with that on behalf of the rest of us). (2) sounds like something worth brainstorming.
Please let me know if you can think of any other alternatives!