Changes during SAN renewal


#1

Hello,
Is it possible to ADD or REMOVE domains from SAN certificate during renewal request?

Also …

Is it correct that there are no limits (weekly or others) for renewal requests?

Thanks in advance


#2

Hi Mickehu

what client do you use? If your client supports that - yes.

But: Instead of renew you can repeat the initial command - with another set of domain names. That works always.

This is correct if the set of domain names is the same. If you change this set, it’s a new certificate.

An issuance request counts as a renewal if it contains the exact same set of hostnames as a previously issued certificate.

I prefer solutions with small sets of domain names:

*.example.com + example.com

or

www.example.com + example.com

So every certificate has only one domain name.


#3

It’s also important to know that the duplicative certificate limit does apply to renewals (you can’t renew the same exact set of domains 10 times in a week, for instance). Also, currently renewals count against the certificates per registered domain limit but aren’t blocked by it. That means that you won’t be stopped from performing a renewal due to other certificates that you’ve requested in the same week, but you might be stopped from requesting a non-renewal certificate due to renewals that you’ve performed in the same week.


#5

Hi Schoen,

this shared limit rise a huge risk for our project due to we know we will be asking about to renew hundreds of certificate weekly in the 3 months window of certificate validity lifecycle.
Thus this may block issue any other new domain to be certified.

Is there some kind of solution or work around?

Only think that cross my mind at the moment is to ask for new certificates in prior and leave renewal for later part of the week. But frankly this kind solution doesn’t seems to me to be correct or aligned with intentions of the LE.
Some ideas?

Thank for your help.


#6

Hi Juergen,

thank for your answer. It helps a lot!

Frankly we are just about to develop own client, serving as proxi for our corporation.
Than at the side of the client anything is possible due to we are in the design phase now.

Domains and intended certificates are numbered in thousands.


#7

May I ask why you need so many certificates for subdomains?


#8

You may Schoen,

We are huge international automotive company producing cars and related products to the whole world. Directly we manage hundreds of domains for sake of marketing and sales purposes like product pages and events … but the key of this question is hidden in the structure we manage content of our local importers and distributors. Thousands of them use our web services and we provide the content and manage their domains and sub-domains.
Thus it is common we have hundreds up to thousands sub domains at the 3rd grade of a single domain.

For all of those domains we are aiming to provide secure protocol with help of LE service.


#9

Do you think your structure might allow for the use of wildcard certificates instead of explicitly listing all of the hostnames individually?


#10

OK, got some breaking news.

There was a huge discussion about implementation … how to handle those huge numbers and how to sort request for renewals and requests for new one.

  1. At the end of the day we found out there will be probably hundreds of sub-domains under one single domain.
  2. We decided that this responsibility whether to request DV certificate (for single domain) or SAN certificate (for multiple) will be handled at the level of the requesting application.

And because SAN may handle up to 100 domain names, and LE limit of requests is up to 50 per domain. It seems like we (our applications and the client we are developing) can handle up to 5 000 domains and sub-domains issuance and renewal per week per domain.

Thus … problem solved. :slight_smile:

I am right?


#11

Yes, this is correct. If these are all subdomains of one domain (not a lot of different domains from customers, so they come and go and come and go), then that may work.


#12

Gentlemen,
I have one more question, regarding to this topic, you can help me with.
Being on mission to create beautiful, robust solution, I am thinking about: Under what conditions is possible to rise LE limits of 50 requests for us?

I know that this was mentioned in the documentation as an option.
Thank you in advance


#13

There

Overrides

If you are a large hosting provider or organization working on a Let’s Encrypt integration, we have a rate limiting form that can be used to request a higher rate limit. It takes a few weeks to process requests, so this form is not suitable if you just need to reset a rate limit faster than it resets on its own.

is a form you can use.


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.