Multiple sub domains and issuance rate limit


#1

We are a government organization hosting websites for government websites. Our domain is mizoram.gov.in and under this domain, we are hosting around 180 subdomains, for example dict.mizoram.gov.in, msegs.mizoram.gov.in.

We weren’t aware of the rate limit last week (8th September 2016), so we generated 20 certificates for 20 subdomains under mizoram.gov.in, and then we reached the issuance limit. Later, I found that we can generate one certificate for multiple subdomains. So here are my questions.

  1. Since it’s already Monday (2016-09-12), as per the documentation my issuance limit should be reset now and I should be able to generate more certificates under mizoram.gov.in, but I am still getting the issuance limit message when I try to generate a single certificate for multiple subdomains. Did I miss anything here? Please help.

  2. Each of our subdomains is hosted under a different directory and they are independent of each other. The directory structure is something like this, for example:
    mizoram.gov.in => /home/mizgov/public_html
    dict.mizoram.gov.in => /home/dict/public_html
    msegs.mizoram.gov.in => /home/msegs/public_html
    What is the correct way of generating a single certificate for these subdomains and directories?

  3. To use the staging environment, I just added the --test-cert parameter to the command. Is this sufficient?

Thank you.


#2

The rate limit is implemented as a rolling window. Basically what Let’s Encrypt does is look at certificates issued in the past 7 days, and if that count exceeds 20, you’ll get a rate limiting error (unless it’s a renewal - a certificate with a list of hostnames that matches a certificate you’ve previously requested). In other words, if all your certificates were issued on September 8th, you’ll be able to issue additional certificates on September 15th (at the precise time you issued the first certificate).

That would depend a bit on how you obtained the certificates. If you’re using certbot with the apache plugin, I believe putting each domain in a separate <VirtualHost> and then running certbot --apache -d example.com separately for each domain should work. If you’re using the webroot plugin, it would work similarly: you’d run something like certbot certonly --webroot -d example.com -w /path/to/document_root for each domain.

(I assume by “single certificate” you mean one certificate per domain.)

> To use the staging environment, I just added the --test-cert parameter to the command. Is this sufficient?

Yes.


#3

I think instead @sad.msegs wishes to obtain one certificate with many SANs in it, in order not to keep tripping the rate limit. By putting even just a dozen names in each certificate, they will be able to complete all their securing in one week’s time, a great success, rather than it taking eight more weeks, with twenty certificates per week containing one name.

So in this case the invocation would be something more like:

    certbot certonly --webroot \
      -w /home/msegs/public_html -d msegs.mizoram.gov.in \
      -w /home/dict/public_html -d dict.mizoram.gov.in \
      -w /home/cocacola/public_html -d cocacola.mizoram.gov.in

I have provided only three names, each with a different path; you might do this ten times, or fifty times, without trouble, although on some systems you may need to consult the OS vendor if you can’t enter the whole command at once due to its great length.

i.e. in each case you would use -w to specify a webroot, then -d to specify the associated domain name.
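An added example, not part of any post in this thread: a shell helper that turns a list of "hostname webroot" pairs into multi-name certbot commands of the kind shown in post #3, printing them for review instead of running them. The input format, the function and variable names, and the validation rules are assumptions; the commands use --test-cert so a trial run goes to the staging environment.

```shell
#!/bin/sh
# Added example (not from the thread). Input format, function name and
# validation rules are assumptions made for illustration.

# Accept only DNS names at or under the parent domain used in the thread.
HOST_RE='^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)*mizoram\.gov\.in$'
# Accept only absolute paths made of a conservative character set.
ROOT_RE='^/[A-Za-z0-9_./-]+$'

# Usage: build_certbot_cmds BATCH_SIZE < pairs.txt
# Prints one certbot command per batch (nothing is executed).
# Returns 1 if any input line was rejected.
build_certbot_cmds() {
    batch_size=$1; count=0; args=""; rc=0
    while read -r host root; do
        [ -n "$host" ] || continue            # skip blank lines
        if ! printf '%s\n' "$host" | grep -Eq "$HOST_RE"; then
            echo "rejected hostname: $host" >&2; rc=1; continue
        fi
        case $root in *..*) root="" ;; esac   # no parent-directory segments
        if ! printf '%s\n' "$root" | grep -Eq "$ROOT_RE"; then
            echo "rejected webroot for $host" >&2; rc=1; continue
        fi
        # Each -w applies to the -d options that follow it.
        args="$args -w $root -d $host"
        count=$((count + 1))
        if [ "$count" -eq "$batch_size" ]; then
            echo "certbot certonly --test-cert --webroot$args"
            args=""; count=0
        fi
    done
    if [ -n "$args" ]; then                   # flush the final partial batch
        echo "certbot certonly --test-cert --webroot$args"
    fi
    return "$rc"
}

# Sample pairs taken from post #1; a batch size of 2 yields two commands.
build_certbot_cmds 2 <<'EOF'
msegs.mizoram.gov.in /home/msegs/public_html
dict.mizoram.gov.in /home/dict/public_html
mizoram.gov.in /home/mizgov/public_html
EOF
```

Rejecting names outside the parent domain and paths with unexpected characters keeps a malformed inventory line from ending up in a command that an administrator later pastes into a root shell.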


#4

@pfg thank you for your explanation.
Regarding the rate limit, I am quoting the documentation below, that’s why I thought I could generate again on Monday.

> We use a sliding window, so if you issued 10 certificates on Monday and 10 more certificates on Friday, you’ll be able to issue again starting Monday. (https://letsencrypt.org/docs/rate-limits/)

@tialaramex That’s exactly what I need. Since we are trying to move to Let’s Encrypt certificates from paid certificates, we need to generate certificates in bulk in a very short period. In the future, 20 subdomains per week will surely be sufficient, as we are not going to generate more than 20 in a month’s time.
Thank you @tialaramex.

