Can I use letsencrypt in more than one subdomain?


#1

Hello,

Just a quick question: can letsencrypt be used on more than one subdomain? For example, can I use it on https://www.mysite.com, https://mail.mysite.com, https://blog.mysite.com, etc.?

Thanks!


#2

Yes,

You can either have a single certificate which covers all of those subdomains, or you could have separate certificates, one for each subdomain.


#3

In addition to what serverco wrote above, there are two things that might come up which it can’t hurt to know now:

  1. Let’s Encrypt does not currently offer “wildcard” certificates. So you will need to be able to list all the domains you want a certificate for, you can’t (as you can with some of the pricier paid certificates) get just one that works for every possible name in your domain. With Let’s Encrypt you’d need to issue new certificates for any new names you needed.

  2. Let’s Encrypt is rate limited. This won’t be a problem if, say, you make one cert, then change your mind and make two more. But if you have plans involving dozens of names or names that change every day, you will need to read the rate limits.


#4

Hello serverco and Tialaramex,

First of all, thanks for the answers; this is really helpful information. Just one last thing, so it is clear to me: basically I can add unlimited subdomains to my certificate, but I need to list them on the certificate for it to work, correct? And second, what do you mean by wildcard certificates? Because from what I have seen on Godaddy SSL Certificates, wildcard certificates cover up to 5 websites? Does that mean it will allow you to use it on 5 other subdomains, or what does it mean?

Thanks, and I apologize for my ignorance, but this is a new world for me and there are too many features that I am not clear on.


#5

Unless it’s been changed this year, the amount of domain names you could have on the certificate is not quite unlimited, it’s 100 max (though I would say it’s quite generous).

The 5 domains limit at the page you linked is not for the wildcard certificate - it is for the certificate with up to 5 domain names on it, I believe. The actual wildcard, which is supposed to cover all subdomains you might ever come up with within a certain domain, is there on the right, priced at £178.99 per year with renewals at £197.99. Ah, and then there is VAT to add :)

Btw, don’t mix up that easy-to-miss renewal bit and the “Unlimited free reissues”, which is rather prominent on that page - they are two very different things :)


#6

Yes, you need to tell Let’s Encrypt, when asking for the certificate, every name which should be listed on that certificate. It is also OK to ask Let’s Encrypt for more than one certificate (but again, if you need lots please check the rate limits). This will work like that middle option on the page you linked, UCC/SAN SSL. SAN stands for “Subject Alternative Name”, which is a way for a certificate to list more than one name, and for some reason Godaddy limits it to just five (maybe they charge extra for more?) but as leader wrote, Let’s Encrypt will allow up to 100 names per certificate and they do not charge (although they do accept donations).

Any public CA needs to check that you really control all the names you’ve asked for - so that you can’t obtain a certificate for somebody else’s site. The “certbot” software and numerous other clients for Let’s Encrypt will help you prove this to Let’s Encrypt automatically, so that hopefully you just set it up once and it gets renewed certificates every few months as they’re needed. The most popular method is by placing a file on the web server, in a special place, so that Let’s Encrypt can fetch that file - but there are other methods if that doesn’t help you. If you use a web hosting company you might even find that they’ll sort all this out for you, and you can just click to say “Yes” you want a free certificate for your sites in their control panel and you’re done.


#7

What’s the difference between having 1 certificate for 100 subdomains, or each subdomain having its own certificate (which is limited to 5 per week)?

Are the two methods different for SEO purposes in some way … and is having 1 certificate = 1 subdomain better?


#8

The obvious difference is the number of certificates - and hence load on Let’s Encrypt’s systems/services (which is one of the reasons for the rate limits).

From an SEO viewpoint I don’t think there is any difference. For some (e.g. domain and www.domain) I have them on a single cert. For other subdomains (e.g. special_function.domain) I have it as a separate cert, since it’s independent in function (and often on a completely different server). It’s all a matter of personal preference.


#9

Ok, thanks. So I need to add up to 100 subdomains as aliases, and re-submit the certificate for the main domain?

And if I want 150 subdomains, I need to separate them into 2 main domains with 100 + 50 aliases?


#10

For 150 subdomains, you’d need to split into 2 certs, yes.

Exactly how you add them depends on your setup. If using certbot-auto and Apache, you can just select them from the “GUI”. Alternatively you can define them all on the command line.

For renewing the certs, you can just specify “certbot renew”; since it knows what was on the cert, you don’t need to specify them then.
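
The split described above, as an added example that is not part of any post in this thread: it turns a list of names into one certbot command line per certificate, with at most 100 names each (the limit quoted earlier in the thread). The `example.com` names, the `/var/www/html` path, and the choice of the webroot method with `--staging` are assumptions for illustration; all names in a batch are assumed to be served from the same webroot.

```python
import shlex

MAX_NAMES_PER_CERT = 100  # per-certificate name limit quoted in this thread


def normalise(names):
    """Lower-case, strip blanks and trailing dots, drop duplicates, keep order."""
    seen, out = set(), []
    for raw in names:
        name = raw.strip().rstrip(".").lower()
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def plan_certificates(names, webroot, staging=True, limit=MAX_NAMES_PER_CERT):
    """Return one certbot argv list per certificate, each with <= limit names."""
    names = normalise(names)
    plans = []
    for start in range(0, len(names), limit):
        batch = names[start:start + limit]
        # The first name of each batch doubles as the certificate's local name.
        argv = ["certbot", "certonly", "--webroot", "-w", webroot,
                "--cert-name", batch[0]]
        if staging:
            argv.append("--staging")  # issue from staging while testing
        for name in batch:
            argv += ["-d", name]  # every name must be listed explicitly
        plans.append(argv)
    return plans


def render(argv):
    """Shell-quoted command line for copy and paste."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed input: 150 placeholder subdomains plus one duplicate spelling.
    wanted = [f"site{i}.example.com" for i in range(150)] + ["SITE0.example.com."]
    for argv in plan_certificates(wanted, webroot="/var/www/html"):
        print(argv.count("-d"), "names:", render(argv)[:100], "...")
```

Dropping duplicates before batching keeps the same name from being requested on two certificates by accident.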


#11

Thx @serverco for the answers. Probably I have a limit on creating new subdomains for the next 7 days. Are there any tools to check whether I’m really at the limit or my server is not properly installed?


#12

What specific error are you getting? That should tell you.

You may be able to check by searching for your domain at https://crt.sh/ or https://www.google.com/transparencyreport/https/ct/?hl=en which will list existing certs obtained (but isn’t real time, so it may have missed a few certs).
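
One way to turn such a certificate listing into a per-week count, as an added example that is not part of any post in this thread: it groups entries by their exact set of names, collapses rows that share a serial number (a precertificate and its final certificate), and counts what falls in the trailing 7 days. The sample rows are constructed, the field names `serial_number`, `name_value` and `not_before` are assumptions about crt.sh's JSON output, and the limit of 5 is the per-week figure mentioned in this thread.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


def row(serial, names, day):
    """Build one constructed log row (not a real certificate)."""
    return {"serial_number": serial, "name_value": names,
            "not_before": f"2017-{day}T10:00:00"}


SAMPLE = json.dumps([
    row("01", "blog.example.com", "03-01"),  # precertificate
    row("01", "blog.example.com", "03-01"),  # final certificate, same serial
    row("02", "blog.example.com", "03-02"),
    row("03", "blog.example.com", "03-03"),
    row("04", "blog.example.com", "03-04"),
    row("05", "blog.example.com", "03-05"),
    row("06", "mail.example.com\nwww.example.com", "03-05"),
    row("07", "blog.example.com", "02-10"),  # older than the window
])
NOW = datetime(2017, 3, 6)  # constructed "current time" for the sample


def issuance_in_window(entries, now, days=7):
    """Map each exact name set to the number of distinct certs in the window."""
    cutoff = now - timedelta(days=days)
    serials = defaultdict(set)
    for entry in entries:
        # not_before is used as an approximation of the issuance time.
        issued = datetime.fromisoformat(entry["not_before"])
        if not cutoff <= issued <= now:
            continue
        names = frozenset(n.strip().lower()
                          for n in entry["name_value"].split("\n") if n.strip())
        serials[names].add(entry["serial_number"])  # set collapses duplicates
    return {names: len(found) for names, found in serials.items()}


def at_limit(counts, limit=5):
    """Name sets whose count has reached the limit, as readable strings."""
    return sorted(", ".join(sorted(n)) for n, c in counts.items() if c >= limit)


if __name__ == "__main__":
    counts = issuance_in_window(json.loads(SAMPLE), NOW)
    for names, count in counts.items():
        print(count, sorted(names))
    print("at limit:", at_limit(counts))
```

Counting raw rows instead of distinct serial numbers would report 6 for `blog.example.com` here, because the first certificate appears twice in the listing.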


#13

%.mydomain.com

Yeah, it looks like 5 certs were received for 5 different subdomains today :) so wait 1 week :)


#14

Ah sorry, 20 times… it looks like I requested some certs several times, not sure why.

Upd: or 5… Heh, btw 1 week to wait.


#15

You can do testing in the meantime on the staging server. Then you know everything is working for when you are ready to go next week, and don’t have the same issue again.


#16

I am using a single cert for my root domain and all of its subdomains. I included all the domain names (both www and non-www versions) when creating a CSR.

Creating separate certs for each subdomain would be tedious and time consuming.


#17

Yeah, I was just thinking about SEO. But yes, creating one cert for all subdomains looks like a wildcard SSL cert, and it’s good :)


#18

Is there any way to contact Let’s Encrypt about the limits? Not sure why, but I still didn’t get certificates, because I keep receiving the “Too many certificates” limit.


#19

Hi, it may be a silly question, but how do I request a certificate that will cover both www and non-www domains? Would it be by specifying both on the command line, i.e. -d example.com -d www.example.com?

Also, how can I delete currently issued certs so I can start all over again with a clean slate?

Cheers,
Michael.


#20

OK, trying again: 2 domains with 95 and 75 aliases. Receiving “Too Many Pending” errors. Am I doing something wrong?