First off, I've used LetsEncrypt on every site I've developed and it's been marvellous! Thank you, LetsEncrypt!
I got this email from Google this morning:
Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.
So, I need to install SSL certificates for 150+ unique subdomains that my work hosts. We don't have access to the main domain. For instance, I want to secure:
subdomain.domain.com
but I don't have access to:
domain.com
Is it possible to use LetsEncrypt for my scenario? I've read up on the Rate Limits, and I'm a little unsure in regards to the Public Suffix List. Do we need to have access to the main domain?
Yes, it’s possible to make certificates for 150 (or some other number) of subdomains. You would only have to validate the main domain if you wanted a certificate for the main domain.
Since a certificate can include 100 names, you can do this with two certificates, so the rate limits would be no problem.
However, if you want to add and remove subdomains frequently – i.e. more than 20 times per week – that would run into rate limit problems.
That’s great news! I wasn’t too clear about it in the OP, but would the same still be true if the subdomains were all from different domains? For example:
A certificate can contain up to 100 names. They can be from 1 domain, or 100 domains, or anything in between.
The rate limits are largely per domain. While the Certificates per Registered Domain limit is (by default) 20 per week, there’s no problem issuing certificates for thousands or millions of different domains.
For rate limit management, it can be best to use 1 certificate per domain.
You mentioned public suffixes… Are your domains on the public suffix list? Will they be? It will influence rate limits (e.g. 20 certificates for subdomains of “foo.example.com”, 20 for subdomains of “bar.example.com”, &c, instead of just 20 for all subdomains of “example.com”). But that doesn’t matter if you weren’t going to issue many certificates anyway, and it doesn’t have an effect on validation.
Hopefully this is clear from @mnordhoff's answer, but this case is actually treated much more leniently by the Let's Encrypt rate limits, because the CA assumes that these are for "different entities" in some sense. So they are limited less than the other case. You are still allowed to cover them with the same certificate, if you want, up to 100 names in one certificate. Or they can be separate certificates if you want to do it that way.
If other people (not you) are also getting Let's Encrypt certificates for other subdomains of these domains, then that could potentially affect your ability to get these certificates because of rate limit interactions.
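As an added illustration of the planning described in the replies above (not code from the thread or from Let's Encrypt), the script below takes a list of hostnames, groups them by registered domain, packs them into certificates of at most 100 names, and flags any registered domain that would need more than 20 certificates in one batch, which is the default Certificates per Registered Domain limit quoted above. The `PUBLIC_SUFFIXES` table is a constructed stand-in for the real Public Suffix List (a deployment would load the actual list); the limit constants, the `registered_domain` rule of "public suffix plus one label", and all sample hostnames are assumptions made for this example.

```python
"""Plan Let's Encrypt SAN certificates against the per-domain rate limits.

Added example, not the thread's code. Limits are the values quoted in the
thread; the public suffix table is a constructed stand-in.
"""
from collections import defaultdict

MAX_NAMES_PER_CERT = 100        # names per certificate, as stated in the thread
CERTS_PER_DOMAIN_PER_WEEK = 20  # default Certificates per Registered Domain limit

# Constructed stand-in for the Public Suffix List. "foo.example.com" is listed
# to show how a PSL entry splits a domain into separately limited registered
# domains; a real deployment would load the actual list instead.
PUBLIC_SUFFIXES = {"com", "net", "co.uk", "foo.example.com"}


def registered_domain(hostname):
    """Return the registered domain: the longest matching public suffix plus
    one label. Falls back to the last two labels when no suffix matches."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # longest suffix first
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def plan_certificates(hostnames, one_cert_per_domain=True,
                      max_names=MAX_NAMES_PER_CERT):
    """Return a list of certificate plans, each a sorted list of hostnames.

    one_cert_per_domain=True follows the thread's suggestion of keeping each
    registered domain in its own certificate(s); False packs every name into
    as few mixed certificates as possible.
    """
    if max_names > MAX_NAMES_PER_CERT:
        raise ValueError("a certificate may contain at most 100 names")
    names = sorted({h.lower().rstrip(".") for h in hostnames})
    if one_cert_per_domain:
        by_domain = defaultdict(list)
        for h in names:
            by_domain[registered_domain(h)].append(h)
        groups = [by_domain[d] for d in sorted(by_domain)]
    else:
        groups = [names]
    plans = []
    for group in groups:
        for i in range(0, len(group), max_names):
            plans.append(group[i:i + max_names])
    return plans


def check_rate_limits(plans, limit=CERTS_PER_DOMAIN_PER_WEEK):
    """Count how many planned certificates touch each registered domain.

    A mixed certificate counts once toward every registered domain it contains.
    Returns (counts, domains_over_limit); the plan is safe to issue in one
    week only if domains_over_limit is empty.
    """
    counts = defaultdict(int)
    for names in plans:
        for dom in {registered_domain(n) for n in names}:
            counts[dom] += 1
    over = sorted(d for d, c in counts.items() if c > limit)
    return dict(counts), over


if __name__ == "__main__":
    # Constructed input: 150 subdomains of one registered domain.
    hosts = [f"site{i}.example.com" for i in range(150)]
    plans = plan_certificates(hosts)
    counts, over = check_rate_limits(plans)
    print(f"{len(plans)} certificates, sizes {[len(p) for p in plans]}")
    print("certificates per registered domain:", counts)
    print("over the weekly limit:", over or "none")
```

Running the script for the poster's scenario (150 subdomains of one domain) yields two certificates of 100 and 50 names and a single count of 2 against `example.com`, well under the weekly limit; splitting the same names into small certificates, or adding and removing subdomains often, is what pushes the count past 20.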
Hi @schoen, I work with @kingsloi - this sounds like it might be exactly what we need. One more specific question to our setup - I’d like to install the cert on our AWS elastic load balancer. So my vision for this would be basically two LetsEncrypt certs with ~100 subdomains on each. What I think we’d have to do next is set up one ELB for each cert. But AWS ELB does not support SNI though - so is that really the roadblock we’ll have to get around?