Does including the server IP address for the main web server help with non-SNI browsers?

Sometimes we have dozens of websites, but one has a lot more traffic than the others.

Is it possible to use the server IP together with the top-traffic site when creating a Let's Encrypt cert, to help minimize the impact on non-SNI browsers and OSs?

I have one case where a server has 5 domains, one with 20k page views per day, and the others together don't have 1k PER MONTH! So it makes sense to include the IP as part of the main cert.

I've found this response from an LE engineer:

Let’s Encrypt only issues certificates for DNS names, not IP addresses.

I'm a bit confused by your description though, why would a certificate for an IP address help with non-SNI clients? Would you tell those clients to access your server by IP address?

If a client doesn’t support SNI, web servers generally pick the default certificate (for example on nginx, that would be the certificate specified for the default server). As long as your default certificate includes the domain with the most hits (i.e. the one you care most about), that one should continue to be served for non-SNI clients.

Depending on how many domains per IP/server we’re talking about here, you could also just create SAN certificates where you use the same certificate for all your domains (up to 100). This would not require SNI support. The client supports this by passing multiple -d arguments.

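An added example (not from the thread or from Let's Encrypt) of the nginx arrangement the reply describes: the busiest site is made the default server on port 443, so clients that send no SNI receive its certificate while SNI-capable clients still reach the other sites by hostname. The hostnames, certificate paths and IP address are placeholders.

```nginx
# Added example, not from the thread: make the busiest site the default
# TLS server so clients that send no SNI get its certificate.
# Hostnames, paths and the IP address below are placeholders.

# The busiest site: explicitly marked default_server on :443.
# Without SNI nginx cannot match server_name, so this block (and its
# certificate) is used for every non-SNI connection.
server {
    listen 443 ssl default_server;
    server_name busy.example.com;

    # Certificate covering busy.example.com (placeholder paths).
    ssl_certificate     /etc/letsencrypt/live/busy.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/busy.example.com/privkey.pem;

    root /var/www/busy;
}

# A low-traffic site: reached only by SNI-capable clients, which let nginx
# select this block from the hostname in the ClientHello.
server {
    listen 443 ssl;
    server_name quiet1.example.com;

    ssl_certificate     /etc/letsencrypt/live/quiet1.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/quiet1.example.com/privkey.pem;

    root /var/www/quiet1;
}

# Check from a shell (OpenSSL 1.1.1 or later): -noservername omits SNI, so
# the subject printed should be busy.example.com's, not quiet1's:
#   openssl s_client -connect 203.0.113.10:443 -noservername </dev/null \
#     | openssl x509 -noout -subject
```

Repeating the check with `-servername quiet1.example.com` instead of `-noservername` should show the other site's certificate, confirming that only non-SNI clients fall through to the default.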

Thank you! Your reply lights up my mind a little bit!
