Best strategy for adding certificate for multiple subdomains without hitting rate-limit?

I want certificates on a number of subdomains -

domain.com, subdomain1.domain.com, subdomain2.domain.com etc.

I originally created one certificate with all the domains in the single certificate. But eventually some of the sites in that certificate were deleted/moved to a different server. So that caused problems when renewing the certificate, as some of the domains failed the DNS challenge, and I could not renew any certificates.

So I started creating certificates separately for each site, and that has hit the rate limit and I can no longer issue new certificates (until the next few days).

So what is the best strategy for issuing and renewing certificates without hitting the rate limit and also not being affected if I delete any sites?

~ Nik

How many subdomains do you typically have? And what is the "rotation" of them (i.e. how many do you delete or start new every month)?

Hey @serverco, thank you for the reply.

Right now I have 11 subdomains. When I initially set up Let's Encrypt, I added around 14 domains (all the domains) in a single cert.

Deleting a site is not something which is fixed, and it is not something that will happen every time.

The scenarios are like: after we created the subdomain, we decided to change its URL before making it live.

Is it possible to remove a site from the common cert?

Hi @Nik

I don't understand the line

Do you mean you change the subdomain name? As changing the latter part of the URL will make no difference to the certificate.

With only about 20 domains, personally I'd add them as single ones. If you create them at a rate of 3 per week (you don't need to remove them from your single cert), and auto-renew when they have 30 days left ... you will manage to have certs for all your subdomains, and the ability for the occasional mistake or new cert before hitting the current rate limit of 5 per week.

So even if all the domains are in a single cert, the renew command will only update it for sites which are due for renewal?

I thought that, as it is practically all one cert, it would try to update it for all the sites.

I will try to do it this way.

So the key is adding them at a slower rate, like 3/week, so renewals will also occur at that rate.

And running the renewal cron every week?

If all the sites are in a single cert, then the cert has an expiry date (not per domain), so that would need to be renewed just the once (for all domains) if you were doing it that way.

It is if you have added them all to a single certificate. You don't have to though, and you can have separate certificates, one per subdomain (or subdomain and www.subdomain if you like).

Correct.

If you have the renewal cron only renewing certificates that are due for renewal (that depends on exactly what command you put in the cron), then you can run it weekly or daily (as I do) and it will automatically renew any certificates that are within the specified number of days of renewal (usually 30 days by default).
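The strategy in the two replies above (add new certs at 3 per week, renew each one when it has 30 days left, stay under the 5 per week limit) can be checked with a small scheduling simulation. This is an added example, not code from the thread or from any ACME client; it assumes a 90-day certificate lifetime, that every request (new or renewal) counts toward the limit, and that a refused request is simply retried by the next day's cron run:

```python
from datetime import date, timedelta

# Numbers from the thread: limit of 5 certs per week, renew with 30 days left,
# add new certs at 3 per week. The 90-day lifetime is an assumption.
RATE_LIMIT = 5
WINDOW = timedelta(days=7)
CERT_LIFETIME = timedelta(days=90)
RENEW_WITHIN = timedelta(days=30)


def in_window(issued, day):
    """Number of issuances in the rolling 7-day window ending on `day`."""
    return sum(1 for d in issued if day - WINDOW < d <= day)


def simulate(names, per_week, days, start=date(2016, 1, 4)):
    """Daily 'cron': renew any cert with <= 30 days left, and once a week
    request up to `per_week` new certs. A request that would push the
    rolling window over RATE_LIMIT is refused and retried the next day.
    Returns (peak issuances in any window, refused requests,
    names still without a cert at the end)."""
    issued, expiry, pending = [], {}, list(names)
    peak = refused = 0
    for offset in range(days):
        day = start + timedelta(days=offset)
        # renewals due today (a multi-name cert would be a single entry here)
        wanted = [n for n, exp in expiry.items() if exp - day <= RENEW_WITHIN]
        if offset % 7 == 0:                      # weekly batch of new certs
            wanted += pending[:per_week]
        for name in wanted:
            if in_window(issued, day) >= RATE_LIMIT:
                refused += 1                     # would hit the limit: wait
                continue
            issued.append(day)
            expiry[name] = day + CERT_LIFETIME
            if name in pending:
                pending.remove(name)
        peak = max(peak, in_window(issued, day))
    return peak, refused, len(pending)


if __name__ == "__main__":
    # constructed sample: 11 subdomains, as in the thread
    subs = [f"subdomain{i}.domain.com" for i in range(1, 12)]
    print("3 per week: ", simulate(subs, 3, 200))    # (3, 0, 0)
    print("all at once:", simulate(subs, 11, 200))   # (5, 7, 0)
```

With 3 per week the window never exceeds 3 and nothing is refused, because the renewal batches inherit the same weekly spacing; requesting all 11 at once is refused 7 times and spends two weeks at the limit, which is the situation the original post describes.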