Maximum number of sites on one certificate


#1

I’ve gotten Let’s Encrypt installed on my server, and we host roughly a dozen sites (which include subdomains and aliases like www). At this point we’re running under the procedure where we sign all of our sites with one certificate and then serve that certificate to all sites (this is because they all run through the same nginx configuration). Unfortunately, it looks like only the first 5 sites we sign are actually getting onto the certificate - is this a bug with the client we’re using (letsencrypt.sh), or is it a Let’s Encrypt policy? The output shows all of our sites appear to be successful.


#2

As an example, here is the first site we signed, and here is a site after the 5. I’ve turned off CloudFlare temporarily so the certificate issue would bleed through.


#3

You can have 100 alternate domains on a certificate, however there is a limit of 5 certificates per domain per 7 days (which is the limit you are hitting)


#4

Hi @iggyvolz, when I connect to those sites I’m still seeing CloudFlare certs so I don’t actually see the nature of what was issued in Let’s Encrypt (I guess we could also look on crt.sh to find it sooner).

The issuance limit is set to 100 names per cert, not 5, so I don’t know of any reason that you couldn’t get a dozen sites included in your Let’s Encrypt certs. I believe that other organizations are getting them successfully.

The rate limits are described at


#5

I suspect the 5 limit is for one domain/7 days limit … for example https://crt.sh/?q=komok.yingatech.com&iCAID=7395 where 5 certs have been issued within the last week.


#6

Ah, I guess that could be the reason here!


#7

So if I’m understanding this correctly - the issue is not with adding new domains, but the fact that I signed the original domain (komok.yingatech.com) too many times? I’ve used one single script to sign all the sites that I have, and I was toying with it a bit (add a site to the script, check if it worked, etc.) so I think I went over the limit. That normally won’t be a problem.

(By the way I’ve re-enabled CloudFlare, so the above links are no longer encrypted to the user with Let’s Encrypt).


#8

Your understanding is correct, yes.


#9

Okay, thank you! I’ve got 2 days left to wait until the 7 days are up, after that hopefully everything will work!


#10

Everything is good, waiting 7 days fixed the problem. Thank you for your help!