I have a unique use case I’d like some opinions on. I work for a large company that has collected several thousand domain names over the years. Most of those domain names are set up on a common web server that simply redirects the user to a different domain name where a real website exists. We would like to provide TLS certs on all of those domain names.
The idea is to run an Apache setup with a vhost per domain that does the necessary redirects, and have certbot manage LetsEncrypt certificates for those domains.
My concerns are:
What do you think of that setup?
If I wanted some kind of redundancy on the redirect web server, how is that typically managed with LetsEncrypt certs? Shared volume to store the certs and only 1 server running the certbot process?
I’m also open to any other suggestions to try and solve this problem.
If there is essentially no difference in the redirections [between domain1.com and domain2.com], then they can be in the same vhost and in the same cert:

    servername so.many.domains
    serveralias domain1.com www.domain1.com
    serveralias domain2.com www.domain2.com
    …
    serveralias domain49.com www.domain49.com
This would greatly reduce the number of required, and managed, vhosts and certs.
Note: One LE cert can hold 100 names maximum.
So, if each domain will be using root and www.root, then you could at most put 50 domains in one cert.
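As an added illustration of the packing described above (not code from the thread or from certbot), the script below expands each bare domain to root and www, splits the list into groups that stay within the 100-name limit, and renders one Apache vhost plus one certbot invocation per group. All domain names in it are constructed samples, and the redirect target is assumed.

```python
"""Plan consolidated Apache vhosts and certbot invocations for redirect-only domains.

Added example, not from the thread. Each bare domain contributes root + www,
and domains are packed into groups that respect the 100-name limit per
Let's Encrypt certificate. All domain names here are constructed samples.
"""
import shlex

MAX_NAMES_PER_CERT = 100  # Let's Encrypt limit on names per certificate


def expand(domain: str) -> list[str]:
    """Names one domain contributes to a vhost and cert: root and www."""
    return [domain, f"www.{domain}"]


def chunk_domains(domains: list[str], max_names: int = MAX_NAMES_PER_CERT) -> list[list[str]]:
    """Group domains so no group expands to more than max_names SAN entries."""
    per_group = max_names // 2  # each domain costs two names (root + www)
    if per_group < 1:
        raise ValueError("max_names must allow at least one root/www pair")
    return [domains[i:i + per_group] for i in range(0, len(domains), per_group)]


def names_for(group: list[str]) -> list[str]:
    """Flat, ordered SAN list for one group; the first entry becomes ServerName."""
    return [n for d in group for n in expand(d)]


def vhost_for(group: list[str], target: str) -> str:
    """One Apache vhost covering the whole group, redirecting every request to target."""
    lines = ["<VirtualHost *:80>", f"    ServerName {group[0]}"]
    aliases = [f"www.{group[0]}"] + [" ".join(expand(d)) for d in group[1:]]
    lines += [f"    ServerAlias {a}" for a in aliases]
    lines += [f"    Redirect permanent / https://{target}/", "</VirtualHost>"]
    return "\n".join(lines)


def certbot_command(group: list[str], cert_name: str) -> str:
    """certbot invocation requesting a single cert for every name in the group."""
    args = ["certbot", "--apache", "--cert-name", cert_name]
    for n in names_for(group):
        args += ["-d", n]
    return shlex.join(args)


if __name__ == "__main__":
    sample = [f"brand{i:03d}.example" for i in range(1, 121)]  # constructed: 120 domains
    for idx, group in enumerate(chunk_domains(sample), start=1):
        print(f"# group {idx}: {len(group)} domains, {len(names_for(group))} names")
        print(vhost_for(group, "www.real-site.example"))  # assumed redirect target
        print(certbot_command(group, f"redirects-{idx}"))
```

With 120 domains this yields three groups (50, 50, 20 domains), i.e. three certs of 100, 100 and 40 names.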
Would you suggest that each certificate get added by running certbot manually, and then let the auto renew take over from there?
How about if I wanted to load balance the apache server that holds the certs for redundancy purposes? I can’t seem to find a good tutorial that does this.