We have 1000 domains with around 35000 sub-domains. We plan to generate 1200 certificates but don’t want to do it individually. Is there a way to generate all the certificates in bulk through LetsEncrypt Win Simple Exe command? Or is there an ACME clients which can help us in achieving this?
hi @chanchal
How much thought have you put in to this?
It might seem like stupid question however it’s very relevant.
A) Are you aware of rate limits? https://letsencrypt.org/docs/rate-limits/
B) How are you planning to pass the challenges
C) How are you planning to renew certificates
D) How faimilar are you with the ACME protocol?
E) Do you need to install these certs in to a windows cert store or do you need them on a file system as PEM formatted artifacts?
F) How are you planning on tracking all these domains
G) Do you own the domains or are they customers domains
Happy to offer advise however don’t want to have a chain where it’s a never ending story of questions arising from lack of proper research
The questions above are a good starting point as they will influence choice of client and in return recommendations I or others should make
The problem you are describing is very hard and a one liner is not enough for people (in my opinion) to offer intelligent suggestion
Hi Andrei, thank you so much for your reply.
Yes, we are fully aware of the rate limits and that is why we have planned to generate 1200-odd certificated for our 985-odd domains and 35,000-odd sub-domains
We have found a solution to my previous problem but have run into a new one -
Do we need to bind each sub-domain as a separate host name header in IIS8 to make each sub-domain work? Or is there any other way to attach all these certificates to all our domains and sub-domains?
I look forward to your help.
you need to think of this in terms of certificates
A) A certificate can have only 100 subdomains to it
B) A HTTPS binding can only have one certificate associated with it
C) You can have multiple domains to a binding
This will get simpler once wildcard certificates are available (search the forum for announcements on when this will happen).
So in short yes you will need multiple bindings in your instance
You can have a look at powershell scripting or using the IIS management tools to do this in an automated way
Please note: in order to use the powerShell tools the certificates must be in the windows store.
To be honest in your case I would be looking at the ACMESharp Module rather than the letsencrypt-win-simple library
With the module you get much more granular control and can script it the way you want
Andrei
Hi Andrei,
So will we have to create 36,000 separate hosts in IIS? and bind each host with its related certificate in which that sub-domain is covered?
FYI, we currently resolve/open these sub-domains and domains through rewriting and not actually hosting these sub-domains or domains.
I look forward to your reply.
Thanks.
I don’t know what your setup is however from what you have shared.
1000 domains -> 1000 bindings. let’s say you have the domains below
networdomain.xyz -> 12 subdomains
someotherdomain.com -> 50 subdomains
superspecialdomain.ch -> 24 subdomains
I would create 3 bindings each with a wildcard in IIS
*.networdomain.xyz
*.someotherdomain.com
*.superspecialdomain.ch
In terms of certificates associated with the bindings
networdomain.xyz -> 1 certificate with 12 SAN
someotherdomain.com -> 1 certificate with 50 SAN
superspecialdomain.ch -> 1 certificate with 24 SAN
In Jan 2018 you should be able to get wildcard certificates so the longer term plan (if i was planning this) would be to use those
i.e.
networdomain.xyz -> 1 wildcard certificate
someotherdomain.com -> 1 wildcard certificate
superspecialdomain.ch -> 1 wildcard certificate
Just out of interest what DNS provider do you use?
Andrei
We are actually using IIS8 where wildcard is not supported but are considering to upgrade to IIS10.
What if we have more than 100 sub-domains for one domain (say 500 sub-domains for 1 domain). In such a case we will have 5 certificates with 100 sub-domains each. How do we bind all 5 certificates to 1 host?
We are eagerly waiting for wildcard cert release in Jan’18.
Thank you for your prompt replies. Really appreciate 
We are actually using IIS8 where wildcard is not supported but are considering to upgrade to IIS10.
Can you clarify this a bit more please
how many of the domains that have more than 100 domains do you have? In those yes you would need to create bindings on a per host basis.
Andrei
For each https binding you make in IIS you can specify a certificate. So should be able to install 5 certificates and bind the right certificate to the right domain. I think this is more an administrative challenge then a technical challenge.
I'am currently using an nginx/ubuntu SSL proxy in front of IIS. Depending on the situation this might, or might not be a good solution. The reason I preferred this solution.
- Being able to use the certbot instead of letsencrypt-win-simple. I found letsencrypt-win-simple sometime's buggy en I had not the confidence that i would be able to troubleshoot this tool if problems would arise.
- Beeing able to do some caching en web routing tricks on the proxy.
- Support for http2 for client's without upgrading to windows server 2016.
- Ability to implement a WAF into the proxy.
- Whe have multiple backends like IIS/TomCat and some custom Python webserver. De proxy make it simple to add SSL to all these services in a consistent way.
If you stay with Windows only I can agree with ahaw021 that ACMESharp could be a better option. This because of the quantity of domains (35000) a solution developed specific for your needs is probably best.
I'm just about 99.5% sure that IIS 8 supports wildcard certificates. I'll check to be sure, but I'm pretty convinced that this shouldn't be an issue for you.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.