Does Let's Encrypt give a unique certificate for each domain name?

I have a few websites hosted on a shared hosting server which provides free SSL certificates from Let’s Encrypt. One problem is that my domains and subdomains have been getting fewer unique certificates than the number of domains I have. So a few websites can be clumped together under a single domain and have the other domains listed as subject alternative names, rather than each getting its unique certificate.

This means that when someone visits myfirstwebsiteexample.com (not the real domain) and mysecondwebsiteexample.com, viewing the certificate on either website can show that it’s signed to mysecondwebsiteexample.com and that myfirstwebsiteexample.com is a subject alternative name.

This is problematic for my purposes as I don’t want the visitors to one website that I run to get the certificate for another. (Especially since some of my subdomains or domains may not be intended for the public.)

When I raised the issue with tech support, they said that’s normal and there’s nothing that can be done about that. I find that hard to believe, in part because it sounds like such a bad idea to merge the certificates of distinct websites, and in part because my previous host had each certificate specific to each domain.

So I asked their sales as well as the sales of another shared host which uses Let’s Encrypt, and I was told by both of them that it indeed should be a unique certificate per domain.

But I want to check here too. Should each domain have its own certificate or is it just the way things are that Let’s Encrypt combines several website domains into a single or smaller number of certificates?

1 Like

You can do this either way. It honestly makes little sense to combine domain names that will be served from separate webserver instances (other than wildcard *. certificates being distributed to webservers for subdomains in a trusted environment). Any certificate authority (including Let’s Encrypt) will simply take whatever you put in your certificate signing request (CSR). Not being the common name does not make a certificate any less valid for a SAN. If you view your certificate with https://crt.sh you’ll see that the Matching Identities list the actual (sub)domains covered, which merges the CN and SAN. I definitely understand your concern about appearances though. That’s why I list the bare domain as my CN and the wildcard *. as my second SAN (because the CN should always be the first SAN).

1 Like
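The reply above notes that every name on a certificate, CN or SAN, is an equally valid identity, which also means any visitor can read all of them. This added example (not part of the thread) groups sites by the certificate they serve and lists the other names each one reveals; the sample dictionaries are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, the serial numbers and the `internal.` and `shop.` names are made up, and `fetch_cert` needs network access.

```python
import socket
import ssl
from collections import defaultdict

def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate a server presents for `host` (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def dns_names(cert):
    """DNS names from the SAN extension, lower-cased, in certificate order."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def covers(pattern, host):
    """True if a SAN entry matches host; '*' stands for exactly one left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def colisted(cert, visited):
    """SAN entries a visitor to `visited` can read that do not refer to `visited`."""
    return [n for n in dns_names(cert) if not covers(n, visited.lower())]

def audit(certs_by_site):
    """Group sites by certificate serial and report the extra names each site exposes."""
    shared = defaultdict(list)
    for site, cert in certs_by_site.items():
        shared[cert["serialNumber"]].append(site)
    exposure = {site: colisted(cert, site) for site, cert in certs_by_site.items()}
    return dict(shared), exposure

# Constructed sample data (not real certificates). Domain names follow the
# thread's placeholders; serials and the internal./shop. names are made up.
COMBINED = {"serialNumber": "03AA", "subjectAltName": (
    ("DNS", "mysecondwebsiteexample.com"), ("DNS", "myfirstwebsiteexample.com"),
    ("DNS", "internal.myfirstwebsiteexample.com"))}
WILDCARD = {"serialNumber": "03BB", "subjectAltName": (
    ("DNS", "example.com"), ("DNS", "*.example.com"))}
SAMPLE = {"myfirstwebsiteexample.com": COMBINED,
          "mysecondwebsiteexample.com": COMBINED, "shop.example.com": WILDCARD}

if __name__ == "__main__":
    groups, exposure = audit(SAMPLE)
    for site, extra in exposure.items():
        print(site, "also reveals", extra or "nothing")
```

To audit live sites, build the input with `{h: fetch_cert(h) for h in hosts}` and pass it to `audit`.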

You can do whatever combination of X domains across Y certificates that makes sense to you. Let’s Encrypt has no restrictions on that. (Though there is an opinion on what’s better in the Integration Guide).

With shared hosting, usually where this restriction comes from is the hosting platform itself.

On some shared hosting platforms, the host allocates you a single certificate to your account, and you have to fit all your domains in on there. That’s the most restrictive.

On typical shared hosting, your certificates are created according to how your virtual hosts are set up. Take for example:

In most environments, you would most likely end up with 3 certificates, each correlating to the set of domains assigned to each virtual host.

It would not make sense to split them up further than that, as web servers typically only allow 1 certificate per virtualhost.

If you did want to e.g. split off mail.example.com onto its own certificate, the way to do it would be to split it off into its own virtual host entirely. That is subject to what specific shared hosting platform you’re using, though.

If your host has instead jammed all 6 domains onto one certificate, that’d just be an idiosyncrasy of their hosting platform. If they say they can’t change it, they probably can’t. But web hosts are a dime a dozen, there’s plenty that do it the right way.

2 Likes

Thanks. There are a few certificates in total, one is for one (newer) subdomain, another is for a handful of subdomains, and another is for another handful of subdomains plus regular domains. A few months ago they were broken up in a different way than this also.

The host I have is HostPapa, and before then it was Lunarpages (which HostPapa purchased). How would I know what host would do it right though, because when I asked HostPapa sales support they told me they’d get unique certificates?

2 Likes

To me, the truly important part is that you have one private key per certificate. The management (and protection) of that key is a key factor (no pun intended). Think about which traffic you want housed under a single key and whether there are any vulnerabilities or complications with such.

Why is HostPapa responsible for getting your certificates?

1 Like

Well, pretty much any shared host that uses cPanel with its built-in AutoSSL feature will issue one certificate per virtualhost.

I don't know what hosting platform panel HostPapa uses and you've chosen not to share your domain names, so it's hard to give a specific answer.

1 Like

@_az

I get you now. Not only shared hosting, but multidomain on a single instance. I use GoDaddy for most of my shared hosting, but I never try to stack domains (and pay them for the privilege).

It does use cPanel. Does one certificate per virtualhost mean per website domain or subdomain?

1 Like

Neither. A virtual host basically boils down to one of:

  • The cPanel account’s primary domain + its alias domains
  • A subdomain + its alias domains
  • An addon domain + its alias domains

If you login to cPanel and visit the “Addon Domains” interface, each of those should have its own unique certificate, because they’re all standalone virtualhosts. Same with the “Subdomains” interface.

For the “Alias Domains” interface, those domains will have their certificate combined with the Primary Domain of your account.

So having the correct split of certificates relies on you setting up your virtual hosts in a specific way.

2 Likes

Okay so I have several domains in the Addon Domains part and several in the Subdomains part and they are blended together across only three certificates in total.

I have no domains under the Alias Domains part.

This means that I should have one virtualhost for each of my domains and subdomains, but that HostPapa is messing up somehow, right?

Edit: Actually in the SSL Certificates section, under “certificates on server” it’s a real mess.

If they are being combined, that’s not consistent with my understanding of how cPanel AutoSSL works. I just did a test run on my own development cPanel server, and it definitely splits them up.

I can’t speak for what setup HostPapa has. Calling it “messing up” is a little harsh, as it’s not super uncommon to combine them. Try visiting any site hosted on Cloudflare and check the SANs.

1 Like

Interesting.

I visited a couple sites hosted on Cloudflare and didn’t notice anything objectionable in the way it used SANs.

But if two completely separate Addon Domains are supposed to have different virtual hosts and different certificates and there’s nothing about Let’s Encrypt which is preventing HostPapa from doing that, that’s good to know.

At this point the only thing I can guess is that the weird combinations of SANs may be specific to domains from prior to HostPapa’s acquisition.

Oh, you're right. It looks like they have stopped that practice recently-ish. This is what I was referring to - a whole bunch of unrelated companies appearing in your SAN list.

Interesting. Even then, though, the main subject name was something generic, not one of the other domains.

Thank you for all your help. I’m taking this information to HostPapa support again and we’ll see if it helps.

1 Like

You should move to VPS hosting to get complete and absolute control (and responsibility) over how your certs are generated, or just tell your hosting you want a Let's Encrypt wildcard certificate, so your SANs will be example.com,*.example.com and that's it, your clients won't know what subdomains you use.

2 Likes

Okay, so HostPapa finally responded. They said that cPanel makes the API calls and issues the certificates like this due to recently introduced Let’s Encrypt rate limits of 300 certificate orders every three hours. They say cPanel has to adjust for issuing individual certificates on a big server and that this would happen on any hosting company that uses cPanel at the moment.

Is that really true, that any hosting company using cPanel where a customer has a handful of domains and several subdomains that the certificates would be merged into a few (randomly selected bunchings of) certificates??

And if it is, would I in theory be able to tell them to at a minimum configure it so it uses wildcards and combines the certificates in a particular way that prioritizes unique certificate by domain? Because the current way it does it is a subdomain is more likely to have its own certificate but all the main domains are merged into one.

Edit: By the way is the 300 certificates/3 hour thing new? I find references over 2 years old to it on these forums, and HostPapa only migrated my server in February of this year which is when the problems started. I also read on these forums here, in “300 New Orders per account per 3 hours - Renewals”, that if a provider is large and needs more than that they can override it, so is that a valid excuse even in the event that the merger of certificates is caused entirely by cPanel wanting to stay under the limit?

Ah, figures. I was not aware of that change that cPanel made to the Let's Encrypt AutoSSL provider.

On my cPanel server I use the (default) Sectigo AutoSSL provider, not Let's Encrypt. It doesn't have the same restriction, because the cPanel Sectigo CA is not subject to the same rate limits.

That's why I could not reproduce the same combining behavior as you're seeing.

I think most hosting companies use the default Sectigo provider tbh, but I don't have numbers on that.

I don't think you can ask them to do that. The AutoSSL software basically has a fixed algorithm when it's processing an account, don't think there's much room to maneuver there.

Umm, sort of. That particular limit got introduced with the "new version" of Let's Encrypt - ACMEv2.

It didn't exist in ACMEv1, which is what cPanel was using when they initially implemented their Let's Encrypt AutoSSL provider.

Then when the forced migration to ACMEv2 began, I guess they were forced to make this change to the AutoSSL provider in order not to have massive problems with existing deployments.

Yeah. I don't know what the situation is though with actually making use of elevated rate limits. I've uploaded the code that cPanel uses to figure out certificate buckets here, and, well, the way it is called, I don't think there is any straightforward solution because there's no way to tell cPanel about the elevated limits.

All of this sort of spells bad news for you. I'm not sure what you can do about it besides bail to another host or externally manage certificates. Can't tell HostPapa to use Sectigo, and can't really adjust the runtime behavior of the Let's Encrypt provider.

1 Like

You could always just skip AutoSSL and handle your certificates “manually” through cPanel:

  1. Generate a new private key and certificate signing request in cPanel.
  2. Submit your certificate signing request to an ACME client, perform dns-01 challenges by creating the DNS TXT records yourself, and copy your certificate and ca bundle (à la fullchain.pem).
  3. Submit your certificate and ca bundle in cPanel. No need to submit your private key since it’s already there.
  4. Wash, rinse, and repeat every 2 months.

Voilà! You are back in control of your certificates.

1 Like

Is that a free solution that would work with Let’s Encrypt? Is there a guide that I could follow, because I don’t really understand how to do all that. And is it the kind of thing that if it doesn’t work I could have HostPapa do the AutoSSL again?

Also does anyone out there have multiple domains/subdomains with AutoSSL/Let’s Encrypt in cPanel where they would be able to confirm or deny whether HostPapa is right?

Yes. Free.

A couple of questions though:

  • Who is your DNS through? (Likely the company through which you registered your domain name.)
  • Does your cPanel have a Security section with an SSL/TLS icon? If so, when you click on it do you see sections for: Private Keys (KEY), Certificate Signing Requests (CSR), Certificates (CRT), and Install and Manage SSL for your site (HTTPS)?