Is it possible to get a cert for a domain with more than 10 labels?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: certbot certonly -d

It produced this output: Domain name has more than 10 labels (parts)

My web server is (include version): nginx

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):0.40.0

This error is from Boulder, the Let's Encrypt CA software. I suppose that Let's Encrypt staff can say if they have some specific reason to set the limit at ten, the code I read did not offer any reason. But since it's the CA backend, I can tell you that it will not be possible to obtain such a certificate from Let's Encrypt unless they change the software.

1 Like

Although Let's Encrypt won't issue certificates with more than 10 labels (for whatever reason), you can still get one from aother ACME CA.

ZeroSSL is one that I know will allow more than 10 labels. There's just a little bit of extra work, which is to sign up for a free account (to get your "EAB credentials") and pass some extra flags to Certbot:

--server '' \
--eab-kid 'YOUR_EAB-KID' \
--eab-hmac-key 'YOUR_EAB-HMAC-KEY'

I would guess that Let's Encrypt probably isn't going to remove this restriction, as it's only really affecting novelty domains.


I'd still be curious what the reasoning was behind the seemingly arbitrary limit in Boulder.

1 Like

One of our software engineers may have a more definitive answer, but: One reason is to avoid excessive DNS queries when traversing a very deep hierarchy to check for CAA records.