Hi, we have one domain with 600 domain aliases. The maximum allowed in one certificate is 100 aliases. Is there a solution to get a certificate for all these domains? Thanks


#1

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

It produced this output:

My operating system is (include version):

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk


#2

You will need 6 or more certificates.


#3

But that isn’t an option. Currently we have one FTP sign-in, and we would have to move about 500 websites to let the certificates work.

We can only upload one certificate in Plesk for a domain.


#4

That’s a problem with Plesk and their extension. You should open a ticket with them.

The Let’s Encrypt ACME server limits certificates to having 100 domains via SubjectAlternativeName. Most certificate authorities cap the number of domains on a single cert anywhere from 25 to 100. I don’t know of anyone who offers more than 100 domains on a single certificate.


#5

Hi,

I don’t use their extension, I use the shell to request a new certificate.

It would be awesome if Let’s Encrypt had a solution so we can use it further.
In case we could use 600 domain aliases, it wouldn’t be a problem to donate something for the service.


#6

See subjectAltName Certificates

It was a bad idea in the first place to put so many aliases on one domain. Every CA has an upper limit, just as every application and TLS library does. So some of your clients will have trouble connecting to your server, even if you manage to get a certificate with your 600+ SANs.


#7

Figure out how to upload more than one certificate to your host, or get a new one, and have each certificate carry the same common name if you want, then have each of them carry a hundred SANs.


#8

You’d also lower SSL performance with the size of the SSL cert for 600+ domains.

Probably better suited to just dividing into 100 domains x 6 certs and using ECDSA 256-based SSL certs to reduce size.

Or just get an SSL wildcard cert elsewhere. That’s what I do for my domains which have 120+ subdomains off them, as Let’s Encrypt isn’t suited to all usage cases such as yours.


#9

If you are using a command line, then you can request 6 or more certificates, each with your domains bundled into bunches of 100 or fewer, and configure your web server to handle this.

As I and others have noted:
• There is a well-known 100-domain limit on SANs, which is one of the highest in the industry
• Using many domains in SANs has negative effects on performance
• Using many domains in SANs has negative effects on clients, and may be incompatible with some

The problem isn’t with Let’s Encrypt, it’s with your server setup. You are trying to do something incredibly non-standard in multiple ways.

LE hasn’t been doing feature requests for corporate sponsors, and they donate between 10k and 350k each (https://letsencrypt.org/become-a-sponsor/)
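The batching described in this post, as an added example that is not part of the thread: a small POSIX shell script that splits a hostname list into batches of at most SIZE names, checks the largest batch against the CA’s per-certificate SAN limit, and prints one ACME request per batch. Using certbot with the webroot plugin is an assumption (the OP’s shell-based client is never named); the hostnames, the webroot path /var/www/html and the batch-N lineage names are constructed for the example. Nothing here contacts a CA: the commands are printed for review, not executed. The batch size is a parameter, so the same script gives the six 100-name certificates discussed here or the ten-names-per-certificate layout the thread ends up with.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes certbot + webroot plugin;
# swap in your own ACME client's equivalent. Commands are printed, not run.

# sample_hosts N: N constructed hostnames standing in for the real alias list.
sample_hosts() {
    i=1
    while [ "$i" -le "$1" ]; do
        echo "alias$i.example.com"
        i=$((i + 1))
    done
}

# make_batches SIZE: read hostnames on stdin (one per line; blank lines and
# '#' comments ignored) and print one line per batch: "batch-N host1 host2 ...".
make_batches() {
    awk -v size="$1" '
        NF == 0 || /^#/ { next }
        { names[++n] = $1 }
        END {
            for (i = 1; i <= n; i += size) {
                printf "batch-%d", int((i - 1) / size) + 1
                for (j = i; j < i + size && j <= n; j++) printf " %s", names[j]
                printf "\n"
            }
        }'
}

# max_batch_size SIZE: largest number of names in any batch, to compare with
# the CA's per-certificate SAN limit (100 for Let's Encrypt) before requesting.
max_batch_size() {
    make_batches "$1" | awk 'NF - 1 > max { max = NF - 1 } END { print max + 0 }'
}

# certbot_commands SIZE: one certbot invocation per batch. --cert-name keeps
# each batch in its own lineage so renewals do not overwrite one another; the
# first -d name becomes the certificate's common name (assumed webroot path).
certbot_commands() {
    make_batches "$1" | while read -r lineage rest; do
        set -- $rest  # intentional word splitting: one positional arg per hostname
        printf 'certbot certonly --webroot -w /var/www/html --cert-name %s' "$lineage"
        for host in "$@"; do
            printf ' -d %s' "$host"
        done
        printf '\n'
    done
}

# Usage: 600 constructed names at 100 per certificate -> 6 certbot commands.
sample_hosts 600 | certbot_commands 100
```

Feed the real alias list on stdin instead of sample_hosts, run max_batch_size first to confirm no batch exceeds the limit, and only then pass the printed commands to the shell. Each lineage then renews independently with the client’s normal renew step.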


#10

Use software that can load multiple certs on one port, e.g. HAProxy.


#11

If I recall correctly, there is a hard limit on the allowable size of a certificate from TLS itself. I seem to recall that this limits the number of SANs you can have on a cert to around 500, unless they’re all very short SANs.

In any case there are two main options for doing more domain names. One is a wildcard cert, the limitation being that it only works for subdomains of a single given domain. The other (more flexible) solution is to use a TLS termination mechanism which supports Server Name Inclusion (SNI) and provision it with 600 certs.

Let’s Encrypt do not issue wildcard certificates at this time. SNI is typically how this kind of problem is solved.


#12

For instance, if your HTTP server doesn’t support this, then either get a new one (like Caddy), use nginx or HAProxy as intermediaries, or use a TLS termination service in front of your server (e.g. Backplane or Cloudflare, although Cloudflare is expensive and they charge per domain IIRC).


#13

I believe the TLS size limit is about 8 megabytes. Clearly we don’t want to issue certificates that large, for a number of reasons. We have to draw the line somewhere, and we think 100 is a pretty reasonable balance. As others have said in this thread, higher than that and you should be using software that supports SNI.

As an alternate, less preferable option, you can issue six certificates and serve them on six different IP addresses. It sounds like all six hundred of your hostnames are served by the same host, so this would involve having six interfaces on that host, each with a different IP. That may be easy or hard depending on how your machine is configured.


#14

You can serve multiple certs on a single IP address.


#15

Except clients that don’t support SNI (XP, and a surprising number of mobile devices) won’t work with any domains not on the default certificate for the IP.


#16

Thanks for all of your help.

It took us two full days to change everything, but we did this:

  • Before, we had 499 aliases on one domain; we changed this to 50 domains, with the root map on the domain everything pointed to before.
  • We changed all of our aliases to these 50 domains (9 aliases per domain)
  • We added 50 certificates with 10 domains per certificate

It took a lot of time, but when I look at your comments, it was the best solution for us. Now we don’t lower our SSL power (eva2000), and when we add new domains we make a certificate per 10 domains (which is the easiest for us).

Again, thanks for all of your replies and help, happy to see there is such an active community here.


#17

Correct. I may not have made it clear, but I was proposing an alternate in case requiring SNI was unacceptable.

@DonFrank, glad you’ve solved the problem!

