Limits in Public Suffixes List

Hello,

I would like to clarify how Let’s Encrypt interacts with public domains that belong to the Public Suffix List.
Let’s say I have my enterprise domain mydomain.com and I would like to have a shared subdomain for my customers, apps.mydomain.com, for example.
Then my customers are running their own apps at these URLs:
https://customer-one.apps.mydomain.com
https://customer-two.apps.mydomain.com
https://customer-three.apps.mydomain.com
The domain apps.mydomain.com is added to the PSL, so they are considered independent entities.
Basically the question is:
Will my customers be able to issue their own LE certificates for their websites (like customer-one.apps.mydomain.com) if the number of issued certificates has already reached its limit for the base domain mydomain.com?
Thank you in advance!

1 Like

I’m not quite sure how your base domain would affect this, but for the rate limit determination of *.apps.mydomain.com, each of the subdomains is considered a “new domain” for rate limit purposes. (So you can imagine your apps.mydomain.com would effectively become something similar to a domain extension.)

Example:

1.apps.mydomain.com’s rate limit will not appear on 2.apps.mydomain.com.

However, if these apps are hosted on your server, maybe you want to consider getting a wildcard certificate for all subdomains of apps.mydomain.com?

2 Likes

Yes, they will each have their own rate limits.

There is something you need to keep in mind, though: you won’t be able to get a certificate for apps.mydomain.com – it would be just like asking for a certificate for .com. I don’t know how this applies to mydomain.com.

So you should probably register a second domain myuserapps.com and put that one in the PSL.

2 Likes
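The grouping described in the replies above, as an added example (not code from this thread or from Let’s Encrypt): a small Public Suffix List matcher that buckets hostnames by registered domain. The rule set is constructed, with `com` standing for the ICANN section and `apps.mydomain.com` for the private entry from the question; the function names are hypothetical, and the matcher goes slightly beyond the thread by also handling PSL wildcard and exception rules.

```python
# Constructed PSL excerpt (assumption): "com" stands in for the ICANN section,
# "apps.mydomain.com" for the private-section entry described in the question.
PSL_RULES = {"com", "apps.mydomain.com"}

def public_suffix(hostname, rules=PSL_RULES):
    """Public suffix of hostname: the longest matching rule wins, exception
    rules ("!x.y") take priority, and the default rule is "*" (last label)."""
    labels = hostname.lower().rstrip(".").split(".")
    best = labels[-1:]  # default rule "*"
    for i in range(len(labels)):
        candidate = labels[i:]
        name = ".".join(candidate)
        wildcard = ".".join(["*"] + candidate[1:])
        if "!" + name in rules:
            return ".".join(candidate[1:])  # exception: drop the leftmost label
        if (name in rules or wildcard in rules) and len(candidate) > len(best):
            best = candidate
    return ".".join(best)

def registered_domain(hostname, rules=PSL_RULES):
    """Public suffix plus one label, or None if hostname is itself a suffix."""
    host = hostname.lower().rstrip(".")
    suffix = public_suffix(host, rules)
    if host == suffix:
        return None
    remainder = host[: -len(suffix) - 1].split(".")
    return remainder[-1] + "." + suffix

def group_by_registered_domain(hostnames, rules=PSL_RULES):
    """Hostnames that share a registered domain land in the same bucket."""
    buckets = {}
    for host in hostnames:
        buckets.setdefault(registered_domain(host, rules), []).append(host)
    return buckets

if __name__ == "__main__":
    names = [
        "www.mydomain.com",
        "api.mydomain.com",
        "customer-one.apps.mydomain.com",
        "customer-two.apps.mydomain.com",
        "apps.mydomain.com",
    ]
    for bucket, members in group_by_registered_domain(names).items():
        print(bucket, "->", members)
```

With the private entry present, each customer hostname is its own registered domain and `apps.mydomain.com` itself has none; passing `rules={"com"}` shows every name collapsing back into `mydomain.com`.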

@9peppe Thank you for your replies here, they helped me also. I just wanted to point out that according to this “Wildcard certificates and Public Suffix List” you can issue a LE certificate for a domain that’s in the private section of the Public Suffix List, just not for one in the ICANN section (.com, .org, etc.). So, unless something has changed since @jsha’s reply in that post, @jacky.jones should be able to get a certificate for apps.mydomain.com.

1 Like
