Lots of certificate on one domain name (really a lot)


#1

On TuxFamily, a non-profit organization which provides free services for projects tied to free software and its community, we started using Let’s Encrypt for all the projects we are currently hosting.

We already generated certificates for about 250 domains which are our hosted own domain names, and it went pretty well. By the way, thank you very much, this would not have been possible without Let’s Encrypt, those are mostly tiny websites about non-profit organization or small project with low activity where having to manually manage the yearly renewal is out of the question.

But we would like to generate about 2000 certificates for all the domain names used on the tuxfamily.org domain we graciously provide to our users.

I recently noticed https://github.com/letsencrypt/boulder/issues/1348 was merged in, do you already know how much the certificatesPerName limit will be increased ?


#2

This won’t raise the rate limit (5 certs / week) for newly requested certificates. It will only raise the limit for renewal, so I don’t think it apply to you case.

If all this sites are managed by different users I think it could be reasonable to add tuxfamily.org to the Public Suffix List (PSL). This will bypass the rate limit. Be aware that being on the PSL change how cookies behave with regard to the domain tuxfamily.org. @weppos any thought ?


#3

Generally speaking, yes. However, I was not able to properly understand which kind of subdomains the user will get. When I click on any project link on the right, I always keep navigating under the main tuxfamily.org site. Moreover, if the site is hosted at tuxfamily.org, a rule that defined the subdomains as suffix will have to be submitted with an exception, otherwise tuxfamily.org will be ignored (this happens because ideally you should have tuxfamily.org hosted at www.tuxfamily.org or a subdomain, or even better provide user subdomains at a completely different domain rather than the primary one where the main site is hosted).


#4

Oh!, I didn’t know being in the PSL would “bypass” the limit, maybe I missed this point in the documentation, that’s a very good news.

Mostly websites using sub domains of tuxfamily.org, like http://project-name.tuxfamily.org or http://bugs.project-name.tuxfamily.org or https://wiki.project-name.tuxfamily.org, where “project-name” and “bugs.project-name” is being chosen by our users using the first come first served rule.

That’s a very good idea, I procrastinated doing the PSL pull request for too long. I don’t think a tuxfamily.org followed by !tuxfamily.org would be very welcomed in the PSL list, that’s a void statement. We don’t care about having cookies on the http://tuxfamily.org website, so tuxfamily.org without the exception is fine for us (and we can switch the main website to http://www.tuxfamily.org only if necessary).

@weppos: here it is:

Thank you very much :slight_smile: