Multiple subdomains


#1

Hi,

The server I am using has multiple domains on it and has 1 IP address.

Imagine the following situation:

On one domain I am using https / letsencrypt. If a visitor makes an account on that website, the visitor automatically gets a subdomain: NEWUSER.domain.nl

Now I did:

./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly --agree-tos --email 'CONTACT@MYDOMAIN.NL' --webroot --webroot-path '/home/MYUSERNAME/domains/MYDOMAIN.NL/public_html/' -d MYDOMAIN.NL -d www.MYDOMAIN.NL --debug

But actually with subdomains Letsencrypt is saying that I have to add "-d newuser.MYDOMAIN.NL" for every subdomain, right? But the subdomains are dynamically generated, so how do I have to deal with that? Is there something like *.mydomain.nl (wildcard)?

And there is also a maximum on the amount of certificates you can generate... won't that give problems in a situation like that?


#2

I'm not sure I understand fully.

Many servers host multiple domains (or subdomains) on a single IP address. This is fine with https apart from old computers / operating systems that don't support SNI (so old Windows XP and before, some old Android phones).

You can have separate certificates for each domain / subdomain on your server if you want to, although as you say there are rate limits for the same domain (and subdomains count towards that domain).

You say "If a visitor makes an account on that websites the visitor is getting automatically a subdomain: NEWUSER.domain.nl", so I assume you have some application that makes specific subdomains for them, and you could have many hundreds of subdomains? Is this correct? And you presumably don't know in advance the names of these subdomains (since the user could define it possibly)? If this is the case you may need a wildcard SSL cert. LE does not provide wildcard certificates, so LE would not be the best certificate provider for you.


#3

My server supports SNI, so that's okay.

In the last paragraph you've got my problem. There can indeed be as many subdomains as users (and they are dynamically generated). I was already thinking of something like a wildcard, but I did not know that there are special wildcard certs.

Is Letsencrypt also planning to support wildcard certs in the future?


#4

I think it unlikely that Letsencrypt will support wildcard certs in the future (although I have no connection to LE, so can't say for certain). The key point is that LE needs to check ownership, and it can't easily for a wildcard.


#5

Thanks!

And besides that problem. Now I do:

./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly --agree-tos --email 'CONTACT@MYDOMAIN.NL' --webroot --webroot-path '/home/MYUSERNAME/domains/MYDOMAIN.NL/public_html/' -d MYDOMAIN.NL -d www.MYDOMAIN.NL --debug

and all the domains have one IP address. If I want to use https / a certificate also on another domain on that server, can I just do:

./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly --agree-tos --email 'CONTACT@MYDOMAIN.NL' --webroot --webroot-path '/home/OTHERUSERNAME/domains/OTHERDOMAIN.NL/public_html/' -d OTHERDOMAIN.NL -d www.OTHERDOMAIN.NL --debug

so I changed MYDOMAIN to OTHERDOMAIN. Or do I have to put everything in one "query"? And if yes, how can I add 2 different "--webroot-path" options in one query?


#6

You can just add another --webroot-path /home/foo/bar -d foo.bar combination. You can add up to 100 (sub)domains into one certificate. It doesn't matter if it's 100 domains on one single webroot-path or if it's 100 webroot-paths with just one domain.


#7

By the way, I don't see the problem here. Why not just generate a Let's Encrypt certificate on the fly when the user registers? Or better: when the registration of the user has fully succeeded.

There are many, MANY different clients for Let's Encrypt out there (somewhere on this Community there's a thread whose purpose is making a list of all the clients out there). Even PHP-driven ones.

Of course, you should verify the code for yourself and check if you're comfortable running it on your server. But if you are, you could easily include the whole "generate a certificate for every single new user" step into the registration part.

Only one problem: how many user registrations do you have per 7 days? :stuck_out_tongue:
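
The answers in #6 and #7 together describe the practical approach: pair each name with its own webroot on one command line, pack as many names as a single certificate allows, and watch how many issuances you trigger. The script below is an added example written for this page, not code from the thread or from the Let's Encrypt client. It only builds the letsencrypt-auto command lines; it never contacts the CA. It assumes the 100-names-per-certificate figure given in #6, uses the placeholder paths, email and ACME endpoint from the thread, and reads its input as constructed "WEBROOT DOMAIN" pairs. The `-w` short form of `--webroot-path` is the client's own alias; each `-w` applies to the `-d` names that follow it, which is what lets one command serve vhosts owned by different system users.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: turn a list of webroot/domain pairs into
# letsencrypt-auto certonly commands, at most 100 names per certificate.
# Nothing here talks to Let's Encrypt; the output is printed for review.
set -eu

# Stated in the thread (#6): one certificate may carry up to 100 (sub)domains.
MAX_NAMES_PER_CERT=100
# Endpoint and contact address as used in the thread (placeholders).
ACME_SERVER='https://acme-v01.api.letsencrypt.org/directory'

# Constructed sample input: one "WEBROOT DOMAIN" pair per line, reusing the
# placeholder paths and names from the thread. Paths must not contain spaces.
SAMPLE_PAIRS='/home/MYUSERNAME/domains/MYDOMAIN.NL/public_html MYDOMAIN.NL
/home/MYUSERNAME/domains/MYDOMAIN.NL/public_html www.MYDOMAIN.NL
/home/OTHERUSERNAME/domains/OTHERDOMAIN.NL/public_html OTHERDOMAIN.NL
/home/OTHERUSERNAME/domains/OTHERDOMAIN.NL/public_html www.OTHERDOMAIN.NL'

# emit_cmd EMAIL ARGS: print one certonly command line.
emit_cmd() {
    printf './letsencrypt-auto --server %s certonly --agree-tos --email %s --webroot%s\n' \
        "$ACME_SERVER" "$1" "$2"
}

# build_cmds EMAIL: read "WEBROOT DOMAIN" pairs from stdin and print one
# command per batch of MAX_NAMES_PER_CERT names. Every pair becomes
# "-w WEBROOT -d DOMAIN", so the challenge file for each name is written into
# that name's own document root, whichever system user owns it.
build_cmds() {
    local email="$1" count=0 args="" webroot domain
    while read -r webroot domain; do
        [ -n "$domain" ] || continue
        args="$args -w $webroot -d $domain"
        count=$((count + 1))
        if [ "$count" -ge "$MAX_NAMES_PER_CERT" ]; then
            emit_cmd "$email" "$args"
            count=0
            args=""
        fi
    done
    if [ "$count" -gt 0 ]; then
        emit_cmd "$email" "$args"
    fi
}

# count_cmds EMAIL: number of certificate requests a pair list on stdin needs.
# Each printed command is one issuance against the per-domain rate limit, so
# this is the figure to compare with the registration volume raised in #7.
count_cmds() {
    build_cmds "$1" | wc -l | tr -d ' '
}

# gen_pairs N: constructed input of N user subdomains under MYDOMAIN.NL, each
# with its own webroot (hypothetical layout), to show batching past 100 names.
gen_pairs() {
    local n="$1" i=1
    while [ "$i" -le "$n" ]; do
        printf '/home/MYUSERNAME/domains/MYDOMAIN.NL/users/user%d user%d.MYDOMAIN.NL\n' "$i" "$i"
        i=$((i + 1))
    done
}

# Stand-alone demo: print the command(s) for the sample pairs.
printf '%s\n' "$SAMPLE_PAIRS" | build_cmds 'CONTACT@MYDOMAIN.NL'
```

Run it as `bash build_cmds.sh` and review the printed command before executing anything. Two points a practitioner should keep in mind: the batching only reduces how many issuances you make, it does not raise the per-domain limit, and if you follow #7 and issue at registration time, the web application ends up holding the ACME account key and write access to every webroot, so run the issuance from a separate privileged job (a queue consumer or cron task under the user that owns the client's directories) rather than inside the PHP registration handler.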


#8

Thanks for your first reply! And about your second reply... the last thing you said is the problem indeed...

I also have some more questions about the renewal, but I will put that later on in a new topic.


#9

I have exactly the same requirement and support the request for LE to develop wildcard subdomains as a feature. All DNS providers support wildcard subdomains and LE needs to reflect that fact. A subdomain is not a domain!