Over 400 Subdomains - Wildcard or Multiple Certificates?

I got wonderful help in this forum last year and now I’m back.

I’ve figured out previously how to set up a single certificate to handle a group of my subdomains. So

bellaonline.com
www.bellaonline.com
birding.bellaonline.com
quilting.bellaonline.com

and so on.

But I’m finally trying to get a certificate to handle all 400+ sites and it chokes, saying it can only handle 100 at a time. When I try to create multiple certificates, each having 90 URLs on it (with a manual comma-separated list) it gives errors when I go to those pages, saying:

This server could not prove that it is cats.bellaonline.com; its security certificate is from bellaonline.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

How do I create multiple certificates on the same server all associated with bellaonline.com in a way that they don’t interfere with each other?

Or is there a way just to put in *.bellaonline.com (which was my initial hope) and have that be set?

Thanks in advance!


Hi @lisashea

You can create a wildcard certificate. Then only one certificate is required.

Create one with both domain names:

bellaonline.com
*.bellaonline.com

But: wildcard certificates -> DNS validation is required. So your DNS provider should support an API, and you should use a client that supports that API.

Or you use --manual; that should always work -> but there is no automation.

Check


Do you know why they are interfering with each other? Can you tell us more about your environment, and how the web server is configured?

With most ACME clients, it’s easy to make 4-5 certificates. With most web servers, you can easily configure multiple virtual hosts, each with a different certificate, and with the applicable list of subdomains.

For both ACME clients and web servers, the process is usually about the same as setting things up once, except you repeat it a few more times. :smiley:

(Unless you have multiple IP addresses, clients must support the SNI extension, which was standardized in 2003, and is almost universally relied on today.)


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
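The two replies above make the same point from different directions: a wildcard certificate must list both bellaonline.com and *.bellaonline.com because a wildcard covers exactly one label, and with several certificates on one IP the browser only accepts the certificate the server returns for the SNI name it sent. The following is an added example, not code from the thread or from win-acme, that encodes the browser-style name matching rules and probes a live server by SNI to show which certificate it actually presents. The sample certificate name lists at the bottom are constructed from the names mentioned in the thread; the server probe needs network access and is not exercised by the offline checks.

```python
"""Check which hostnames a certificate's DNS names cover, and probe a server by SNI."""
import socket
import ssl
from typing import Iterable, List, Optional


def covers(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name (a SAN entry) covers hostname.

    Rules follow what browsers do in practice (RFC 6125, section 6.4.3):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is honoured only as the entire leftmost label ("*.bellaonline.com");
    - a wildcard matches exactly one label, so "*.bellaonline.com" covers
      "cats.bellaonline.com" but neither "bellaonline.com" nor "a.cats.bellaonline.com";
    - a wildcard needs at least two labels after it ("*.com" is rejected; real
      browsers additionally consult the public suffix list, simplified here).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # wildcard must be the whole leftmost label and the only one
    if len(p_labels) < 3:
        return False  # too broad to be accepted
    if len(h_labels) != len(p_labels):
        return False  # the wildcard stands in for exactly one label
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def uncovered(hostnames: Iterable[str], san_names: Iterable[str]) -> List[str]:
    """Return the hostnames that no name in san_names covers (order preserved)."""
    sans = list(san_names)
    return [h for h in hostnames if not any(covers(s, h) for s in sans)]


def presented_san_names(hostname: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Connect with SNI=hostname and return the DNS names in the certificate the server sends.

    Hostname checking is turned off so a mismatch is reported rather than raised;
    chain verification stays on. Requires network access (hypothetical live check).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def diagnose(hostname: str, port: int = 443) -> Optional[List[str]]:
    """Print the browser-style verdict for one hostname and return the presented names."""
    sans = presented_san_names(hostname, port)
    verdict = "OK" if not uncovered([hostname], sans) else "MISMATCH"
    print(f"{hostname}: {verdict}; certificate names: {', '.join(sans)}")
    return sans


if __name__ == "__main__":
    # Constructed sample lists modelled on the thread: the old certificate carries the
    # apex plus a few subdomains; the wildcard certificate carries the apex and *.bellaonline.com.
    old_cert = ["bellaonline.com", "www.bellaonline.com", "birding.bellaonline.com"]
    wildcard_cert = ["bellaonline.com", "*.bellaonline.com"]
    wanted = ["bellaonline.com", "www.bellaonline.com",
              "cats.bellaonline.com", "ethnicbeauty.bellaonline.com"]
    print("not covered by old cert:     ", uncovered(wanted, old_cert))
    print("not covered by wildcard cert:", uncovered(wanted, wildcard_cert))
    # diagnose("cats.bellaonline.com")  # live probe; uncomment when online
```

Running `diagnose()` against each subdomain after a reconfiguration is the quickest way to reproduce the "could not prove that it is cats.bellaonline.com" error outside a browser: if the returned list lacks a name that covers the probed hostname, the binding for that hostname is serving the wrong certificate.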

I’m confused by the Virtual Host part. I’ve been running my own websites since 2002, always on IIS / Windows, and I have to admit the intricacies of secure servers are baffling to me.

I have multiple sites set up in IIS. They are:
bellaforums - my forum lives in its own area
bellaonline - the main site bellaonline.com
bellaonlineinfo-redir - redirects bellaonline.info to bellaonline.com
bellaonlinenet-redir - ditto for bellaonline.net
bellaonlineorg-redir - ditto for bellaonline.org

Up until now I had a few testing entries in the binding area for bellaonline.com. These were things like
birding.bellaonline.com
cats.bellaonline.com
dogs.bellaonline.com

When I made one single certificate to handle all of these sites it works perfectly fine. That’s how it’s been running.

I then added all the other site names in as bindings into IIS. So more like
quilting.bellaonline.com
budgettravel.bellaonline.com

and so on.

First I tried my normal new certificate, all sites, all. It choked and said there were too many sites.

So then I tried to make a manual new certificate and put in comma delimited entries for the first 90 subdomains. At that point it choked:

This server could not prove that it is cats.bellaonline.com; its security certificate is from bellaonline.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

It hadn’t been doing that before, when I simply included 3 or 4 entries in the binding list.

I am remote desktopped into the machine and I’m running win-acme-2.1.0.539.x64 by double-clicking on its icon in explorer. So I have access to everything.

This is Windows Server 2016 Standard. It’s a brand new build for me.

Lisa

That’s good (it’s not a Server 2008, so it supports SNI).

If you want to use multiple certificates, you must use the SNI checkbox and a hostname.

So you have to add a lot of bindings - one port 443 binding per (sub-)domain name. I don't know if your client allows you to automate that.

If you create a wildcard certificate, only one binding with that certificate is required. And no SNI, no host name.

I currently successfully run via a single certificate in winacme - I hit N for new certificate, 3 for all bindings of multiple websites, and it grabs them all. I checked the entry for www.bellaonline.com and “require SNI” is checked on it. I do have a wildcard entry in the bindings list - an entry with a * for the name and the IP address in that field.

If I add in a handful of additional bindings - cats, dogs, birds, it works fine. The certificate is created.

If I add over 100 additional bindings, IIS is fine. But WinAcme chokes when trying to make the certificate for them all. It only allows 100 at a time.

So to clarify, it’s not the bindings that are the problem. I did have it set up earlier today with all 400+ bindings defined in IIS. I can just copy-paste into the config file to get those to happen. The problem is WinAcme won’t create a certificate with over 100 bindings. And once I try to make a second certificate, I get errors.

Maybe instead of trying to figure out the multiple-certificates problem so each only has 100 entries on it, I should focus on the wildcard certificate idea. I’d be happy with just one binding. It’d be easier to manage. But I don’t see how to do that. I’ve been digging through the help files.

I use NetSol to manage my domain names and can add TXT entries to my DNS if I need to. But I’m not sure what to add.

Lisa

OK I tried specifically creating a *.bellaonline.com binding to be more exact about the wildcard.

WinAcme gives the error:

[INFO] Target generated using plugin IISSites: bellaonline.com and 8 alternatives
[EROR] The default validation plugin cannot be used for this target. Most likely this is because you have included a wildcard identifier (*.example.com), which requires DNS validation. Choose another plugin from the advanced menu (‘M’).
[EROR] No validation plugin could be selected

OK I stepped my way through the manual new, manual input, with *.bellaonline.com as an entry. I set up a manual RSA / IIS Central Certificate Store. It then did give me a TXT record to enter into Network Solutions. So I’ve done that. And I see it now wants me to delete it again. And I have to do this with all the bellaonline.info and bellaonline.org and so on. So while this will work, this looks like it’ll be painful to do every three months. Still, functional is better than non-functional.

Well, that didn’t work. I went through all of that and I’m still getting the errors.

This server could not prove that it is ethnicbeauty.bellaonline.com; its security certificate is from bellaonline.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

Are these sites so distinct from each other that they can't just be subfolders instead of subdomains?
https://bellaonline.com/xyz

Each of the 400+ editors has a database interface where they maintain “their” site at cats.bellaonline.com or whatever. That URL system has been out there since 1999 so I really don’t want to go changing any links or structure at this point :).

cats.bellaonline.com is quick and easy for visitors to type and remember. Each editor has business cards with those short URLs on them.


I’m moving the site down issue to its own thread as it is probably something others would search on to get help with. I know I’ve searched, myself, in here to find it :).


SUCCESS!!

After the long, painful, 5-hour-long trauma of dealing with a ‘revoked certificate’, I finally got everything working again. I had to delete out the old certificates before this new fresh certificate would work. I know the instructions say that the new certificate should just replace the old certificate. In my case all sorts of havoc happened instead.

It was only when I deleted out those old certificates with the certificate manager, and started completely fresh, when this worked.

I have laid out all the steps step-by-step including screenshots and text, in case anybody else wants to tackle this. I now have the entire BellaOnline site working with the secure server, with all the subdomains, and without having to create 400+ entries in IIS or in giant lists of WinACME server entries. So this was an elegant and useful solution. I was just able to create one wildcard entry and everything works like a charm.

Thank you all so much for your guidance and help!


Happy to read you have found a solution. :+1:

Checking https://aspisfun.com/blog/setting-up-a-secure-server-https-for-multiple-subdomains/

WinAcme has a limit of 100 entries per certificate.

That's not a WinAcme limit, it's a Let's Encrypt limit. Let's Encrypt allows a maximum of 100 domain names per certificate.

Your cat… has the wildcard certificate. Your www. has the old certificate with some domain names.

Perhaps change that completely so you use only one certificate.

