How many wild card domains per certificate

Hi
We are planning to start using Letsencrypt to issue SSL certificate for all our client domains which is approximatelt 150 now. Due to our app requirement we need to have wild card certificates for these domains. Is the rate limit of 100 domains per certificate applicable in this case also. ie can I have 100 wild card domains in a single certificate?.
Asking this to estimate the AWS charges as we are using AWS Elastic Load balancer and the classic load balancer that we use supports only one certificate per Load Balancer.
If Letsencrypt supports 100 wildcard domains per cert then I can serve 100 domains with a single load balancer and start another for the next 100
Regards
Jayakrishnan

All 100 names can be wildcards.

But since a wildcard like *.example.com applies to https://abc.example.com/ but not https://example.com/, your certificates might need to look like:

  • example.com
  • *.example.com
  • example.net
  • *.example.net

In that case, the limit of 100 names per certificate, using 2 names per domain, means one certificate only includes 50 different domains.

3 Likes

@mnordhoff
Thank you very much for the quick response… Noted the point on the TLD.
Thanks & Regards

Hi
I have another issue now… Tried a mix up of wildcard and non-wildcard like the example below

/opt/scripts/certbot-auto certonly --manual -d .example.net,.anotherexample.in test.yetanotherexample.com test1.yetanotherexample.com test2.yetanotherexample.com test3.yetanotherexample.com test4.yetanotherexample.com test5.yetanotherexample.com test6.yetanotherexample.com test20.yetanotherexample.com test21.yetanotherexample.com test22.yetanotherexample.com test23.yetanotherexample.com test24.yetanotherexample.com test25.yetanotherexample.com test26.yetanotherexample.com --server https://acme-v02.api.letsencrypt.org/directory

When this is tried I am asked to manually create the webroot challenge file and fill the validation data like shown below for each of the subdomains

Create a file containing just this data:

_yh0v0iVqHxdL9426M-V2QlJCigSr4LmqvlcPivVBSQ.T4_f-HExlMQs3uhNzXkF7oKYrEeLLy9Nxm_3re1ilGs

And make it available on your web server at this URL:

http://test6.yetanotherexample.com/.well-known/acme-challenge/_yh0v0iVqHxdL9426M-V2QlJCigSr4LmqvlcPivVBSQ


Is this normal or anyway to automate this… Sorry if the question is foolish
Regards
JK

Yes, it's perfectly normal if you're using the manual authenticator. If you want to automate it, use a different one, like webroot. However, you need to specify the DNS challenge if you want a wildcard cert, which is (as the name suggests) going to require that you update your DNS records for every challenge.

@danb35
Thank you very much for the input, but issuing certs for wildcard subdomain mandates DNS based authentication ?
If its normal I will have to manually create all those files(26 files here). ?

Yes.

Only if you use the manual validator. Most people don't use that; they use either standalone or webroot--the former runs as a self-contained web server to serve the appropriate challenge responses, while the latter creates the challenge files and puts them into the directory you specify. Either of those will work fine for anything other than a wildcard cert.

To validate a wildcard, as I said above, you need to use DNS records. You need to create a TXT record for _acme-challenge.yourdomain with the challenge token as its contents. This is really only practical if your DNS host has an API that allows for automated updates, and is better supported with some of the alternative clients (like acme.sh) than it is with Certbot.

@danb35 Thank you very much… with the wild card domains alone its working fine… I just have to make the DNS entry once… re-issues also seems to use the same entry for validation, probably within a time frame.
But when there is a mix up of wild card sub-domains and selected few ones, is there any way the webroot validation can be automated ?

Asking this because it certbot clearly specifies the validation methods as below
Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/©ancel: E
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for example.in
dns-01 challenge for anotherexample.net
http-01 challenge for test1.yetanotherexample.com
http-01 challenge for test24.yetanotherexample.com
http-01 challenge for test25.yetanotherexample.com
http-01 challenge for test5.yetanotherexample.com
http-01 challenge for test.yetanotherexample.com
http-01 challenge for test2.yetanotherexample.com
http-01 challenge for test20.yetanotherexample.com
http-01 challenge for test21.yetanotherexample.com
http-01 challenge for test22.yetanotherexample.com
http-01 challenge for test23.yetanotherexample.com
http-01 challenge for test26.yetanotherexample.com
http-01 challenge for test3.yetanotherexample.com
http-01 challenge for test4.yetanotherexample.com
http-01 challenge for test6.yetanotherexample.com

Yes, I think the timeframe is 7 days. After that time, you'd need to update the record. Once the validation is done, you can remove the record, and generally should.

I didn't believe it was possible to combine validation methods in a single cert, but the output you post below suggests otherwise.

@danb35 Thank you…
Will be careful to remove the entries after usage…
The mixed up one is our requirement… in case if the webroot part cannot be automated it would be cumbersome to renew… as our plan is to accommodate maximum number of entries possible in a single certificate
This would be problematic even for the case where *.example.com and example.com has to be accommodated in a single certificate I fear…because for 50 tld’s I will have to create 50 files :sweat:

If you're having to do any of this manually, you're doing it... well... if not exactly "wrong", certainly not optimally. The whole point of the client software is that the issuance and renewal are automated

The most recommended way is to use a DNS provider API so that you can use DNS challenges for all of the names.

If you do want to do the DNS challenges manually, you can use --manual and write a shell script that you run with --manual-auth-hook which does the HTTP-01 ones automatically and prompts you for the DNS-01 ones.

@danb35 Thank you… understood the point… manual creation of files is not practical especially when there are many… will try the option that @schoen suggested…
Thank you @schoen :+1:
So as I understood even if the DNS validation for wildcard subdomains is not automated the HTTP-01 validation can be automated. Not quite sure about automating DNS as the domains might be from different registrars as we do not have any control over which one the client uses or used
Regards
JK

For what it’s worth, the client acme.sh supports using different validation methods for different names in the same certificate.


You can also ask your clients to create a delegation or CNAME pointing their _acme-challenge record at DNS servers you control. For example:

_acme-challenge.example.org. CNAME example.org.acme.example.net.

You’d have to explain that one step to them, but then you could use automated DNS validation in the future without further work from them.

Hi @mnordhoff That’s great info… sorry for not doing proper research…
Will try this and update… This community is great… :+1:

Sorry, I didn't catch the idea that you might be doing this for customer domains. In that case you could also ask customers to create a CNAME from _acme-challenge under their domains to a similar resource on a domain that you control, and then automatically check with a script whether they've done so. If they have, then you can directly use the DNS-01 challenge by updating records on your own domain to issue certificates, including wildcard certificates, for the customer domain that's set the CNAME.

@schoen Thank you very much…
That was put before seeing @mnordhoff 's comment. I could successfully do the DNS validation with the method suggested though manually. Will try to automate it using the certbot-dns-route53 plugin as I am using Route53 for the domain under my control… thank you…
Will update after testing…

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.