Generating a lot of certificates: what's best, 1 certificate per domain?


#1

Hello,

We run an ecommerce platform like Shopify.
We want to offer free SSL certificates to all our customers in a progressive way (~700 shops/domain names on the same IP address).

Is it best to generate one certificate per store, or to add domain names to the same one (up to 100, I've read) using SAN?
On one hand, 7 certificates with 100 different domains on them is simpler to renew; on the other hand, it's easier to find which certificate belongs to which store.

Is email validation required to generate the certificate but not required when adding a domain using SAN? Or will we have to send 700 validation emails?

Thanks :slight_smile:


#2

First of all: Let’s Encrypt doesn’t do any email validation in order to show proof of ownership for a domain. There are currently three ownership challenge types you can use:

  • http-01, which works by hosting a file on your domain under a certain path provided by the CA server
  • tls-sni-01, in which you use a temporary certificate under a specific SNI hostname provided by the CA server
  • dns-01, where you create a TXT record with a token provided by the CA server

As to your original question: I would say that it depends mostly on how you are planning to issue those certificates (automated?), how you will handle new domains that I imagine might be added (and removed) all the time, and what your web server configuration looks like.

I would probably go for a setup with one certificate per domain in this use case. You will have to reissue certificates at least every 90 days, and if you’re dealing with a certificate with 100 domains and just one of them fails the challenge (for example, because a client messed up their DNS - I’m assuming you’re working with client-provided domains with CNAMEs or something similar), things get complicated and you’ll have to detect and fix that.


#3

Great feedback! Thanks.

Yes, we work with CNAMEs. The goal here is for the process to be fully automated (we're already using Ansible for the automation part).
We're holding our clients' DNS zones for the majority of them, but a few of them are responsible for that themselves.

For the http-01 validation method, is the path predictable/always the same? What would you recommend as a validation method for our use case (automation in mind)?

Previously we didn't support SSL, so our vhost is just a wildcard listening to all incoming traffic (nginx).


#4

The path for http-01 is always http://example.com/.well-known/acme-challenge/{random_token}. You can refer to the ACME specification for more details.

I think http-01 would be your best option. tls-sni-01 would also fit, but is harder to implement and doesn't really have any advantages in your use case. dns-01 would require manual intervention (adding a new TXT record) for clients that manage their own DNS every 90 days.

You might also want to look at https://caddyserver.com/ as an alternative web server which automatically handles Let’s Encrypt for you in the background and could be a good fit. Performance is similar to nginx and it can do most of the things people use nginx for reasonably well.
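The following is an added example, not code from the thread or from any Let's Encrypt client. It models offline the http-01 exchange that posts #2 and #4 describe: the platform side derives the key authorization for each challenge token (RFC 8555 section 8.1, using the RFC 7638 thumbprint of the ACME account key) and writes it into a single shared webroot that a wildcard nginx vhost would serve for every shop domain under `/.well-known/acme-challenge/`; the CA side fetches that path and compares. It also contrasts post #2's recommendation of one order per domain against a single multi-SAN order when one shop's CNAME does not point at the platform. The shop names, the account JWK and the set of reachable domains are all constructed for the example; nothing here contacts Let's Encrypt.

```python
"""Offline model of ACME http-01 validation for many customer domains.

Added example (not from the original thread). All domains, the account key
and the set of "reachable" domains below are constructed test data.
"""
import base64
import hashlib
import json
import secrets
import tempfile
from pathlib import Path


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the body served at /.well-known/acme-challenge/{token}."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class Platform:
    """The hosting platform: one shared webroot for every shop's wildcard vhost."""

    def __init__(self, webroot: Path, account_jwk: dict, reachable: set):
        self.webroot = webroot
        self.jwk = account_jwk
        # Constructed: domains whose CNAME actually resolves to our IP.
        self.reachable = reachable

    def challenge_path(self, token: str) -> Path:
        return self.webroot / ".well-known" / "acme-challenge" / token

    def provision(self, domain: str, token: str) -> Path:
        """Write the key authorization where nginx will serve it for any Host header."""
        path = self.challenge_path(token)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(key_authorization(token, self.jwk))
        return path

    def serve(self, domain: str, token: str):
        """What the CA gets for http://{domain}/.well-known/acme-challenge/{token}."""
        if domain not in self.reachable:
            return None  # a broken CNAME: the request never reaches our nginx
        path = self.challenge_path(token)
        return path.read_text() if path.exists() else None


class CA:
    """The ACME server side of http-01: issue a token, fetch, compare."""

    def __init__(self):
        self.pending = {}

    def new_challenge(self, domain: str) -> str:
        token = b64url(secrets.token_bytes(32))  # >=128 bits of entropy, per RFC 8555
        self.pending[domain] = token
        return token

    def validate(self, domain: str, account_jwk: dict, fetch) -> bool:
        token = self.pending[domain]
        body = fetch(domain, token)
        # RFC 8555 section 8.3: trailing whitespace in the body is ignored.
        return body is not None and body.rstrip() == key_authorization(token, account_jwk)


def issue_per_domain(ca: CA, platform: Platform, domains: list):
    """One order per shop: a failed challenge only blocks that shop (post #2's advice)."""
    issued, failed = [], []
    for domain in domains:
        platform.provision(domain, ca.new_challenge(domain))
        ok = ca.validate(domain, platform.jwk, platform.serve)
        (issued if ok else failed).append(domain)
    return issued, failed


def issue_single_san(ca: CA, platform: Platform, domains: list):
    """One order with all SANs: every authorization must pass or nothing is issued."""
    validated, failed = issue_per_domain(ca, platform, domains)
    return (list(domains) if not failed else []), failed


def demo():
    """Run both strategies against three constructed shops, one with a bad CNAME."""
    shops = ["shop1.example", "shop2.example", "shop3.example"]
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
    with tempfile.TemporaryDirectory() as tmp:
        platform = Platform(Path(tmp), account_jwk,
                            reachable={"shop1.example", "shop3.example"})
        per_issued, per_failed = issue_per_domain(CA(), platform, shops)
        san_issued, _ = issue_single_san(CA(), platform, shops)
    return per_issued, per_failed, san_issued


if __name__ == "__main__":
    print(demo())
```

With a real client such as certbot's `--webroot` mode, `Platform.provision` is what the client does for you; the nginx side of it for a catch-all vhost is a single `location /.well-known/acme-challenge/ { root /var/www/acme; }` so that every Host header maps to the same directory. One caveat for anyone reading this thread later: the tls-sni-01 challenge mentioned in posts #2 and #4 has since been retired by Let's Encrypt, so the practical choice today is between http-01 and dns-01 (plus tls-alpn-01 for port-443-only setups).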

