Need Certificate for 200 Domains


#1

Currently I have 200 domains and I need certificates for them.

Currently facing an error:
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many currently pending authorizations.

Kindly support.


#2

What script / command are you using? You shouldn’t have lots of pending authorizations usually.

Ideally you want to complete those which are pending.


#3

@serverco hit the nail on the head when they mentioned that this is generally indicative of a misbehaving client. You shouldn’t hit the pending authz limit under normal circumstances. Can you share more information about your setup?

If you can’t complete the pending authorizations you may want to consider explicitly deactivating them.


#4

@priya, did you need all 200 domains to be mentioned in a single certificate? I believe Let’s Encrypt has a limit of 100 domains per certificate (though it’s possible to get multiple certificates which together cover more than 100 numbers).


#5

I am using this command :
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly --standalone-supported-challenges tls-sni-01 -v


#6

What are the steps to get multiple certificates which cover more than 100 domains, and how can we configure them in the Tomcat (server.xml) file?

And is there any way to get all the domains into a single certificate?


#7

I think you cannot issue more than 100 SSL certificates within a week; there are some limitations on it.


#8

@chuzde, the rate limits are all described at https://letsencrypt.org/docs/rate-limits/.

@priya, I’m not familiar with Tomcat configuration, but maybe someone else can help you with that. Depending on what kinds of clients are accessing your services, it may be perfectly fine to have separate certificates because modern clients indicate what name they’re attempting to connect to via SNI, and then the server can choose an appropriate name on that basis. Only some older clients have trouble with this.

Getting multiple certificates should just involve repeating the process that you originally used to get your first certificate, but with different names.
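
The "repeat the process with different names" approach above, written out as an added shell example (this is not code from the thread or from the Let's Encrypt project). It reads a plain list of hostnames, drops comments and duplicates, splits the list into batches of at most 100 names (the per-certificate limit mentioned earlier in the thread) and runs one `certonly` per batch, so 200 names become two certificates that together cover everything. Assumptions: the client is at `./letsencrypt-auto` (override with `CERTBOT`), it accepts the current certbot flags `--standalone` and `--cert-name`, and `DRY_RUN=1` (the default) only prints the commands instead of contacting the CA.

```shell
#!/bin/sh
# Added example: request N-name certificates in batches of <= 100 names.
# Not part of the original thread; see assumptions in the lead-in.
set -eu

MAX_NAMES_PER_CERT=100                      # Let's Encrypt per-cert SAN limit
CERTBOT="${CERTBOT:-./letsencrypt-auto}"    # assumed client path; adjust
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = execute

# chunk_domains FILE SIZE
# Emit one line per batch, each holding at most SIZE space-separated names.
# Blank lines, '#' comments, CR line endings and duplicate names are dropped.
chunk_domains() {
  file="$1"; size="$2"
  tr -d '\r' < "$file" |
    grep -Ev '^[[:space:]]*(#|$)' |
    awk '!seen[$0]++' |
    awk -v n="$size" '
      { batch = batch (count ? " " : "") $0; count++ }
      count == n { print batch; batch = ""; count = 0 }
      END { if (count) print batch }
    '
}

# batch_args "a b c" -> "-d a -d b -d c"
batch_args() {
  out=""
  for d in $1; do out="$out -d $d"; done
  printf '%s' "${out# }"
}

# request_all FILE
# One certonly invocation per batch; lineages are named batch-001, batch-002,
# ... so each later renewal keeps the same grouping of names.
request_all() {
  file="$1"; i=0
  chunk_domains "$file" "$MAX_NAMES_PER_CERT" |
    while IFS= read -r batch; do
      i=$((i + 1))
      name=$(printf 'batch-%03d' "$i")
      cmd="$CERTBOT certonly --standalone --cert-name $name $(batch_args "$batch")"
      if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
      else
        $cmd    # word-splitting of $cmd is intended here
      fi
    done
}

# Usage: DRY_RUN=0 sh batch-certs.sh domains.txt
if [ "$#" -gt 0 ]; then
  request_all "$1"
fi
```

Run it once with the default `DRY_RUN=1` and read the printed commands before letting it loose: every batch is a separate order against the CA, and a long list that is rerun blindly is exactly how clients end up with the "too many pending authorizations" error from the first post.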


#9

Hi Priya

To be honest, Let’s Encrypt doesn’t always work for every situation, and this may be one of those.

A) Think about using DNS rather than TLS challenges.
B) Consider the effort required to renew 200 certificates
C) Time and effort required to programmatically allow 200 authorizations.

Depending on your time frames, you may need to look at alternatives such as a wildcard certificate from a CA who can issue these.

Remember Tomcat is a Java application and requires the certs to be in the Java keystore, so every 90 days you will need to reimport the certificate and, I believe, restart Tomcat.

A wildcard certificate can be issued for up to 3 years meaning you will only need to import the certificate once.

I do understand this is a Let’s Encrypt forum, but I have always believed in understanding the strengths and weaknesses of various technologies and applying the correct solution to the problem at hand.


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.