Is it possible to get a cert for a domain with more than 10 labels?

phjarea217 · November 20, 2020, 3:10am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: she-ll.be.coming.round.the.mountain.o.t.rdns.peterjin.org

I ran this command: certbot certonly -d she-ll.be.coming.round.the.mountain.o.t.rdns.peterjin.org

It produced this output: Domain name has more than 10 labels (parts)

My web server is (include version): nginx

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):0.40.0

tialaramex · November 20, 2020, 3:24am

This error is from Boulder, the Let's Encrypt CA software. I suppose that Let's Encrypt staff can say if they have some specific reason to set the limit at ten, the code I read did not offer any reason. But since it's the CA backend, I can tell you that it will not be possible to obtain such a certificate from Let's Encrypt unless they change the software.

_az · November 20, 2020, 3:55am

Although Let's Encrypt won't issue certificates with more than 10 labels (for whatever reason), you can still get one from aother ACME CA.

ZeroSSL is one that I know will allow more than 10 labels. There's just a little bit of extra work, which is to sign up for a free account (to get your "EAB credentials") and pass some extra flags to Certbot:

--server 'https://acme.zerossl.com/v2/DV90' \
--eab-kid 'YOUR_EAB-KID' \
--eab-hmac-key 'YOUR_EAB-HMAC-KEY'

I would guess that Let's Encrypt probably isn't going to remove this restriction, as it's only really affecting novelty domains.

rmbolger · November 20, 2020, 4:29am

I'd still be curious what the reasoning was behind the seemingly arbitrary limit in Boulder.

JamesLE · November 20, 2020, 4:57am

One of our software engineers may have a more definitive answer, but: One reason is to avoid excessive DNS queries when traversing a very deep hierarchy to check for CAA records.

Topic		Replies	Views
DNS identifier has too many labels Help	11	934	May 12, 2024
Hi, We have one domain with 600 domainaliasses. The maximum allowed in one certificate is 100 aliasses. Is there a solution to get a certificate for all these domains? Thanks Help	17	9955	September 12, 2016
Applying more than 100 domains? Help	18	7245	December 17, 2016
Error creating new order too many certificates already issued for Help	2	1537	March 24, 2022
The request exceeds a rate limit) (Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: Help	7	853	October 10, 2023

Is it possible to get a cert for a domain with more than 10 labels?

Related topics