That’s a problem with Plesk and their extension. You should open a ticket with them.
The LetsEncrypt ACME server limits certificates to having 100 domains via SubjectAlternativeName. Most certificate authorities cap the number of domains on a single cert anywhere from 25 to 100. I don’t know of anyone who offers more than 100 domains on a single certificate.
It was a bad idea in the first place to put so many aliases on one domain. Every CA has an upper limit, just as every application and TLS library does. So some of your clients will have trouble connecting to your server, even if you manage to get a certificate with your 600+ SANs.
If you are using a command line, then you can request 6 or more certificates – each with your domains bundled into bunches of 100 or fewer – and configure your web server to handle this.
As myself and others have noted:
• There is a well-known 100 domain limit on SANs – which is one of the highest in the industry
• Using very many domains in SANs has negative effects on performance
• Using very many domains in SANs has negative effects on clients, and may be incompatible with some
The problem isn’t with LetsEncrypt, it’s with your server setup. You are trying to do something incredibly non-standard in multiple ways.
If I recall correctly there is a hard limit to the allowable size of a certificate from TLS itself. I seem to recall that limits the number of SANs you can have on a cert to around 500, unless they’re all very short SANs.
In any case there are two main options for doing more domain names. One is a wildcard cert, the limitation being that it only works for subdomains of a single given domain. The other (more flexible) solution is to use a TLS termination mechanism which supports Server Name Indication (SNI) and provision it with 600 certs.
Let’s Encrypt do not issue wildcard certificates at this time. SNI is typically how this kind of problem is solved.
For instance, if your HTTP server doesn’t support this then either get a new one (like caddy), use nginx or haproxy as intermediaries, or use a TLS termination service in front of your server (e.g. backplane or cloudflare – although cloudflare is expensive and they charge per domain iirc).
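The two approaches the replies above converge on (batch the names into certificates of at most 100 SANs, then let an SNI-capable server such as nginx pick the right certificate per hostname) can be scripted. The following is an added example and not code from any poster in this thread; the hostnames, the `groupNN` certificate lineage names and the `/etc/letsencrypt/live/<group>/` directory layout are constructed assumptions.

```python
"""Split a long hostname list into batches that fit Let's Encrypt's
100-SAN cap and emit one nginx `server` block per batch, so a single
host serves every name via SNI instead of one oversized certificate.

Added example; hostnames and the certificate directory layout
(/etc/letsencrypt/live/<group>/) are constructed assumptions.
"""

SAN_LIMIT = 100  # per-certificate SAN cap stated in the thread


def batch_domains(domains, limit=SAN_LIMIT):
    """Group hostnames into lists of at most `limit` names each.

    Names are normalised and deduplicated (order preserved) so the
    same SAN is never requested twice; batches are filled in order,
    so the count is the minimum needed: ceil(len(unique) / limit).
    """
    if limit < 1:
        raise ValueError("limit must be positive")
    unique = list(dict.fromkeys(d.strip().lower() for d in domains if d.strip()))
    return [unique[i:i + limit] for i in range(0, len(unique), limit)]


def nginx_sni_config(batches, cert_dir="/etc/letsencrypt/live"):
    """Render one nginx `server` block per batch.

    nginx selects the block, and therefore the certificate, from the SNI
    hostname the client sends, so each block only needs the names that
    appear in its own certificate.
    """
    blocks = []
    for n, names in enumerate(batches, start=1):
        group = f"group{n:02d}"  # constructed lineage name per batch
        blocks.append(
            "server {\n"
            "    listen 443 ssl;\n"
            f"    server_name {' '.join(names)};\n"
            f"    ssl_certificate     {cert_dir}/{group}/fullchain.pem;\n"
            f"    ssl_certificate_key {cert_dir}/{group}/privkey.pem;\n"
            "}\n"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    # Constructed sample: 600 hostnames, like the original poster's setup.
    sample = [f"site{i}.example.test" for i in range(600)]
    groups = batch_domains(sample)
    print(f"{len(sample)} names -> {len(groups)} certificates")
    print(nginx_sni_config(groups))
```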
I believe the TLS size limit is about 8 megabytes. Clearly we don’t want to issue certificates that large, for a number of reasons. We have to draw the line somewhere, and we think 100 is a pretty reasonable balance. As others have said in this thread, higher than that and you should be using software that supports SNI.
As an alternate, less preferable option, you can issue six certificates, and serve them on six different IP addresses. It sounds like all six hundred of your hostnames are served by the same host, so this would involve having six interfaces on that host, each with a different IP. That may be easy or hard depending on how your machine is configured.
It took us two full days to change everything, but we did this:
Before, we had 499 aliases on one domain; we changed this to 50 domains, with the root mapped to the domain everything pointed to before.
We changed all of our aliases to these 50 domains (9 aliases per domain)
We added 50 certificates with 10 domains per certificate
It took a lot of time, but when I take a look at your comments, it was the best solution for us. Now we don’t lower our SSL power (eva2000) and when we add new domains, we make a certificate per 10 domains (which is the easiest for us).
Again, thanks for all of your replies and help, happy to see there is such an active community here.