Is it possible to get a cert for a domain with more than 10 labels?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: she-ll.be.coming.round.the.mountain.o.t.rdns.peterjin.org

I ran this command: certbot certonly -d she-ll.be.coming.round.the.mountain.o.t.rdns.peterjin.org

It produced this output: Domain name has more than 10 labels (parts)

My web server is (include version): nginx

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

This error is from Boulder, the Let's Encrypt CA software. I suppose that Let's Encrypt staff can say if they have some specific reason to set the limit at ten, the code I read did not offer any reason. But since it's the CA backend, I can tell you that it will not be possible to obtain such a certificate from Let's Encrypt unless they change the software.

1 Like

Although Let's Encrypt won't issue certificates with more than 10 labels (for whatever reason), you can still get one from another ACME CA.

ZeroSSL is one that I know will allow more than 10 labels. There's just a little bit of extra work, which is to sign up for a free account (to get your "EAB credentials") and pass some extra flags to Certbot:

--server 'https://acme.zerossl.com/v2/DV90' \
--eab-kid 'YOUR_EAB-KID' \
--eab-hmac-key 'YOUR_EAB-HMAC-KEY'

I would guess that Let's Encrypt probably isn't going to remove this restriction, as it's only really affecting novelty domains.

3 Likes

I'd still be curious what the reasoning was behind the seemingly arbitrary limit in Boulder.

1 Like

One of our software engineers may have a more definitive answer, but: One reason is to avoid excessive DNS queries when traversing a very deep hierarchy to check for CAA records.

4 Likes
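To make the label limit and the CAA cost concrete, here is an added example (not Boulder's code and not from anyone in this thread) that counts a name's DNS labels the way the error message does and lists the names a CA would have to query while climbing the tree for CAA records. The climb follows RFC 8659 section 3; stopping at the TLD rather than querying the root is an assumption made for the example.

```python
# Added example: label counting and CAA lookup chain for a deep hostname.
# MAX_LABELS mirrors the "more than 10 labels" limit reported by Boulder in this thread.
MAX_LABELS = 10


def labels(domain: str) -> list[str]:
    """Split a hostname into its DNS labels; a trailing dot (FQDN form) is ignored."""
    name = domain.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty domain name")
    parts = name.split(".")
    if any(part == "" for part in parts):
        raise ValueError(f"empty label in {domain!r}")
    return parts


def exceeds_label_limit(domain: str, max_labels: int = MAX_LABELS) -> bool:
    """True when the name has more labels than the CA accepts."""
    return len(labels(domain)) > max_labels


def caa_lookup_chain(domain: str) -> list[str]:
    """Names a CA queries, in order, when looking for CAA records (RFC 8659 s.3).

    Assumption: the climb stops at the TLD; the root zone is not queried.
    One DNS query per entry, so a deep hierarchy means many lookups.
    """
    parts = labels(domain)
    return [".".join(parts[i:]) for i in range(len(parts))]


if __name__ == "__main__":
    # The domain from the original question in this thread.
    name = "she-ll.be.coming.round.the.mountain.o.t.rdns.peterjin.org"
    print(f"{len(labels(name))} labels, over limit: {exceeds_label_limit(name)}")
    for query_name in caa_lookup_chain(name):
        print("  CAA?", query_name)
```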
