Certificate DNS01 Challenge

I have a Rancher cluster and multiple downstream clusters, and I need to generate SSL certificates for each cluster using the Let's Encrypt API with the following DNS wildcard formats:

  • *.local.rke.example.com
  • *.downstream1.rke.example.com
  • *.downstream2.rke.example.com
  • *.downstream3.rke.example.com

However, the Let's Encrypt production API has a limit of 50 certificates per registered domain per week.
Since the registered domain is example.com, I may quickly reach this limit. I'm not sure how the renewal process for certificates works if I decide to use the ACME Terraform provider. Specifically, I'm uncertain whether renewing the certificates requires executing an additional Terraform apply. I want to know if there is another solution to achieve this, please?

Hi @fayssal, and welcome to the LE community forum :slight_smile:

I don't quite follow.
One certificate can have up to 100 SAN entries [and all can be from the same domain], it still only counts as one certificate.
How are you reaching the 50 certificates per week limit?

4 Likes

To me, the OP suggests they have more than 50 downstream clusters, all requiring their own certificate.

@fayssal Is it perhaps possible to issue a single cert with multiple hostnames in the SAN and redistribute that one cert among the downstream clusters?

3 Likes

@Osiris
the goal is to have a separate certificate for each downstream cluster

@rg305
I think if I destroy and recreate a downstream cluster each time, the certificate will be issued again, which is why I am concerned about hitting the limit.

Can the downstream clusters be from any other domain?
Who sees their certs?

2 Likes

A good strategy for getting certs for ephemeral instances is to acquire (and auto renew) your certs in one instance (i.e. a cert manager) then store them in a secrets vault like Doppler or Hashicorp Vault (there are many others), then consume the vault secret in your instances.

No unnecessary renewals and you never hit the rate limit.

6 Likes
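The two suggestions above (one certificate carrying all the cluster wildcards as SANs, and a single renewing workspace that publishes the result to a secrets vault) can be combined in one Terraform configuration. The following is an added example written for this thread, not code from any poster or from the ACME provider's documentation. It uses the vancluever/acme and hashicorp/vault providers with their real resource and attribute names; the DNS challenge provider (`route53`), the Vault KV mount (`secret`), the secret path and the contact e-mail address are assumptions you would replace.

```hcl
# Added example: one ACME order covering every cluster wildcard, renewed from a
# single Terraform workspace and published to a Vault KV v2 secret that each
# downstream cluster reads. DNS provider, Vault mount, secret path and contact
# address below are assumed values, not taken from the thread.

terraform {
  required_providers {
    acme  = { source = "vancluever/acme" }
    vault = { source = "hashicorp/vault" }
    tls   = { source = "hashicorp/tls" }
  }
}

provider "acme" {
  # Point at the staging directory while you are still iterating; its rate
  # limits are far more generous than production's.
  # server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
  server_url = "https://acme-v02.api.letsencrypt.org/directory"
}

# ACME account key, kept only in this workspace's state.
resource "tls_private_key" "account" {
  algorithm = "RSA"
}

resource "acme_registration" "reg" {
  account_key_pem = tls_private_key.account.private_key_pem
  email_address   = "ops@example.com" # assumed contact address
}

# One order, one certificate, four wildcard names. However many clusters
# consume it, this is a single certificate against the weekly
# certificates-per-registered-domain limit.
resource "acme_certificate" "clusters" {
  account_key_pem = acme_registration.reg.account_key_pem
  common_name     = "*.local.rke.example.com"
  subject_alternative_names = [
    "*.downstream1.rke.example.com",
    "*.downstream2.rke.example.com",
    "*.downstream3.rke.example.com",
  ]

  # Renewal is not background work: once fewer than this many days remain, the
  # next `terraform plan`/`apply` replaces the certificate. Run that apply on a
  # schedule so the certificate never expires unnoticed.
  min_days_remaining = 30

  dns_challenge {
    provider = "route53" # assumed DNS provider; credentials come from the environment
  }
}

# Publish the certificate chain and key once. Clusters read this secret instead
# of placing their own orders, so destroying and recreating a cluster never
# causes a new issuance.
resource "vault_kv_secret_v2" "clusters_tls" {
  mount = "secret"           # assumed KV v2 mount
  name  = "rke/clusters-tls" # assumed secret path
  data_json = jsonencode({
    "tls.crt" = "${acme_certificate.clusters.certificate_pem}${acme_certificate.clusters.issuer_pem}"
    "tls.key" = acme_certificate.clusters.private_key_pem
  })
}
```

The `min_days_remaining` attribute is what answers the original renewal question: the ACME provider only re-issues during a `terraform apply`, so the workspace that owns this configuration needs a scheduled apply (a nightly CI job is enough) rather than relying on cluster rebuilds to trigger renewal. Anything that reads the Vault secret should watch it for changes, since the key and certificate both change at renewal.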

Another thing is that certs can take a long time to get (many seconds or minutes). And, occasionally there are outages which can last hours.

You don't want clusters to delay or fail startup because of this.

Redesigning your system along the lines of webprofusion is a good idea.

5 Likes