Large scale LetsEncrypt deployment in the cloud


#1

Hi,

I am provisioning 1000 servers on AWS and I need to have LetsEncrypt certificates on every node. I do not see that this is possible with the current LetsEncrypt setup.

Reasons:

  • Rate limit:

The main limit is Certificates per Registered Domain (50 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.

  • Validation methods

I do not want (and am not allowed) to leak out anything to 3rd parties, meaning that verification cannot live in DNS. I would be OK with using the HTTP way of verification if I could limit the verification only to LetsEncrypt servers. Does anybody know what their IP range is?

What do other people do when they need to have a large amount of certs from LetsEncrypt? Should I just purchase a CA and issue my own certs instead?

Thanks in advance.


#2

No, you can’t do that - https://letsencrypt.org/docs/faq/#what-ip-addresses-does-let-s-encrypt-use-to-validate-my-web-server

Keep reading that page, you’ll see that you can apply for a rate limit exemption for an ACME account and Registered Domain. Many large integrators do this.


#3

Hi @l1x

Do you have one domain? Isn’t it possible to create one certificate and deploy that?


#4

I guess this is what we are going to implement.


#5

What do you mean by that? Validation information isn’t sensitive.


#6

Also, remember that Let’s Encrypt certificates (and now all publicly-trusted CAs’ certificates) are all made public:

https://crt.sh/?Identity=example.com

If you’re not allowed to disclose the hostnames at all, you would need to use a wildcard certificate or a non-publicly-trusted CA.


#7

Still, I am not sure why it is worth letting the world know what we are doing. I could very well set up ACLs that limit access to the verification resource to the IP ranges of the LetsEncrypt infra without giving access to the same resource to the rest of the planet.


#8

Thanks, we are going to go with wildcard certificates.


#9

Yep, that is how we will sort this out.
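To make the rate-limit arithmetic from post #1 and the wildcard resolution from posts #6 to #9 concrete, here is an added example (not code from the thread or from Let's Encrypt). It computes the registered domain the way the quoted rule describes, using a constructed subset of the Public Suffix List, counts certificates per registered domain for a constructed fleet, and shows how a wildcard changes the count; the `*.` coverage rule (one label only) is real, but the fleet, suffix list and helper names are assumptions.

```python
# Added example: estimate Let's Encrypt certificate counts per registered domain.
# Constructed PSL subset; the real list lives at https://publicsuffix.org/list/.
from collections import Counter

PUBLIC_SUFFIXES = {"com", "net", "uk", "co.uk"}   # constructed subset
CERTS_PER_REGISTERED_DOMAIN_PER_WEEK = 50          # figure quoted in post #1


def registered_domain(hostname: str) -> str:
    """Registered domain = longest matching public suffix plus one more label."""
    labels = hostname.lower().rstrip(".").split(".")
    # Starting at i=0 tries the longest candidate first, so "co.uk" beats "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # assumption: fallback when no suffix matches


def certs_needed(hostnames, use_wildcard=False):
    """Certificates per registered domain for a fleet of hostnames.

    Without wildcards every hostname gets its own certificate (the 1000-node
    case). With wildcards one *.<registered domain> certificate covers every
    direct child label; the apex and deeper names such as a.b.example.com are
    still counted separately, because a wildcard matches exactly one label.
    """
    counts, wildcards_issued = Counter(), set()
    for host in hostnames:
        reg = registered_domain(host)
        depth = host.count(".") - reg.count(".")
        if use_wildcard and depth == 1:
            if reg not in wildcards_issued:
                wildcards_issued.add(reg)
                counts[reg] += 1
        else:
            counts[reg] += 1
    return dict(counts)


def over_limit(counts):
    """Registered domains whose weekly certificate count exceeds the limit."""
    return {d: n for d, n in counts.items() if n > CERTS_PER_REGISTERED_DOMAIN_PER_WEEK}


# Constructed fleet: 1000 direct children of example.com plus two odd names.
FLEET = [f"node-{i}.example.com" for i in range(1000)]
FLEET += ["a.b.example.com", "www.example.co.uk"]
```

Running `over_limit(certs_needed(FLEET))` flags example.com at 1001 certificates, while `certs_needed(FLEET, use_wildcard=True)` drops it to 2 (the wildcard plus the two-label-deep a.b.example.com, which the wildcard does not cover).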

