I have a unique use case I’d like some opinions on. I work for a large company that has collected several thousand domain names over the years. Most of those domain names are set up on a common web server that simply redirects the user to a different domain name where a real website exists. We would like to provide TLS certs on all of those domain names.
The idea is to run an Apache setup with a vhost per domain that does the necessary redirects, and have certbot manage LetsEncrypt certificates for those domains.
My concerns are:
- What do you think of that setup?
- If I wanted some kind of redundancy on the redirect web server, how is that typically managed with LetsEncrypt certs? Shared volume to store the certs and only 1 server running the certbot process?
I’m also open to any other suggestions to try and solve this problem.
You can add one certificate per vHost. So create one certificate per domain with www + non-www and add this.
The only limitation: one account can create 300 orders in 3 hours.
For users of the ACME v2 API you can create a maximum of 300 New Orders per account per 3 hours.
So perhaps split it: max. 200 new certificates per day, then a later renewal should work.
If there is essentially no difference in the redirections [between domain1.com and domain2.com], then they can be in the same vhost and in the same cert:
```apache
ServerAlias domain1.com www.domain1.com
ServerAlias domain2.com www.domain2.com
ServerAlias domain49.com www.domain49.com
```
This would greatly reduce the number of required, and managed, vhosts and certs.
Note: one LE cert can hold 100 names maximum.
So, if each domain will be using both the root and the www name, then you could at most put 50 domains in one cert.
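The two constraints raised in the replies above (300 new orders per account per 3 hours, and 100 names per certificate, i.e. 50 root+www domains) combine naturally into a small planning script. The following is an added example, not code from the original thread or from certbot: it groups a domain list into certificate-sized batches, renders one redirect-only Apache vhost per batch with the ServerAlias layout shown above, builds the matching certbot command, and computes how many 3-hour windows the initial issuance needs. The domain names, the redirect target, the webroot path and the cert names are constructed placeholders.

```python
"""Plan shared Apache vhosts and Let's Encrypt certs for redirect-only domains.

Limits are those quoted in the thread: 100 names per certificate and
300 new orders per ACME account per 3 hours. Everything else (domain
names, target host, webroot, cert names) is an assumed placeholder.
"""

MAX_NAMES_PER_CERT = 100
NAMES_PER_DOMAIN = 2          # root + www
MAX_ORDERS_PER_WINDOW = 300   # per account per 3 hours
WINDOW_HOURS = 3

# Constructed sample input; in practice read this from a file or inventory.
SAMPLE_DOMAINS = [f"domain{i}.example" for i in range(1, 124)]  # 123 domains


def names_for(domain):
    """Both names a redirect domain needs on its certificate."""
    return [domain, f"www.{domain}"]


def chunk_domains(domains, max_names=MAX_NAMES_PER_CERT):
    """Split domains into groups whose root+www names fit on one cert."""
    per_group = max_names // NAMES_PER_DOMAIN
    return [domains[i:i + per_group] for i in range(0, len(domains), per_group)]


def render_vhost(group, target, webroot="/var/www/acme"):
    """One port-80 Apache vhost covering a whole group via ServerAlias.

    HTTP-01 challenge requests are excluded from the redirect so the
    webroot authenticator can answer them locally (assumed layout).
    """
    names = [n for d in group for n in names_for(d)]
    lines = ["<VirtualHost *:80>", f"    ServerName {names[0]}"]
    lines += [f"    ServerAlias {n}" for n in names[1:]]
    lines += [
        f"    DocumentRoot {webroot}",
        "    # Serve ACME challenges locally; redirect everything else.",
        '    RedirectMatch permanent "^/(?!\\.well-known/acme-challenge/)(.*)$" '
        f'"https://{target}/$1"',
        "</VirtualHost>",
    ]
    return "\n".join(lines)


def certbot_command(group, cert_name, webroot="/var/www/acme"):
    """certbot invocation (webroot authenticator) for one group of domains."""
    names = [n for d in group for n in names_for(d)]
    cmd = ["certbot", "certonly", "--webroot", "-w", webroot,
           "--cert-name", cert_name]
    for n in names:
        cmd += ["-d", n]
    return cmd


def issuance_windows(n_orders, max_per_window=MAX_ORDERS_PER_WINDOW):
    """Number of 3-hour windows needed to place n_orders new orders."""
    return -(-n_orders // max_per_window)  # ceiling division


if __name__ == "__main__":
    groups = chunk_domains(SAMPLE_DOMAINS)
    print(f"{len(SAMPLE_DOMAINS)} domains -> {len(groups)} certs, "
          f"{issuance_windows(len(groups))} window(s) of {WINDOW_HOURS}h")
    for i, group in enumerate(groups, 1):
        print(render_vhost(group, "www.real-site.example"))
        print(" ".join(certbot_command(group, f"redirects-{i:03d}")))
```

Renewals are not counted against the new-orders limit in the same way as the initial issuance, which is why the script only sizes the first run; once the groups exist, one certbot renew timer on the single host that runs certbot covers all of them.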
Would you suggest that each certificate get added by running certbot manually, and then let the auto renew take over from there?
How about if I wanted to load balance the apache server that holds the certs for redundancy purposes? I can’t seem to find a good tutorial that does this.