Proper way to handle many domains in node.js

DNRN · March 13, 2018, 9:39am

First of all hi!

And what an awesome work!

We are working on a platform where users are able to register a domain and creating a website. The system is build around a node.js backend. Not going to much into details about the system, we will offer our users that their sites are running secured with SSL/TLS.

The admin and API are all secured with certbot and nginx no problem there. Our issue is how do we create certificates with multiple domains?

Our first solution was to use certbot with the --expand argument. But then we figured out that there is a limit on how many domains it is possible to combine in one certificate. From the [https://letsencrypt.org/docs/rate-limits/](http://rate limit document) the limit is 100. We are a bit uncertain about the limit is this only subdomains, so in our setup where we have dom1.com and dom2.com etc. is there still a limit?

Our second solution is to let node handle all the rumble. For each newly registered domain will we create a new certificate. In node.js will we use the SNICallback, so we are able to dynamic map the domain with the certificate.

We think option two is the way to go, but before would we like to know if anyone has experience with how to handle many domain and certificates in node.js.

_az · March 13, 2018, 10:06am

For sure individual certificates (but a single ACME account key) is preferable in this kind of scenario, assuming that your certificates would be largely distinct with regard to registered domains/eTLD+1s.

There are some helpful notes on the topic here: Integration Guide - Let's Encrypt

I am not sure that trying to drive Certbot from another program is an ideal approach.

There are ACME client libraries available in Node and even middleware you can use for popular routers (like letsencrypt-express - npm) that can fully deal with the lifecycle of the certificate for you. IME either option leads to a saner experience than trying to invoke Certbot (or any other interactivity-based ACME client) from a program.

Finally, you could consider fronting your server with something other than Node. Servers like Traefik and Caddy can fully manage the SSL issuance and termination question for you before handing the request to Node, but of course there are other trade-offs to consider there.

It's 100 names of any kind on the same certificate, whether it's the same registered domain or not.

Topic		Replies	Views
Generate One SSL for multiple domains Help	14	1733	December 10, 2021
Hi, We have one domain with 600 domainaliasses. The maximum allowed in one certificate is 100 aliasses. Is there a solution to get a certificate for all these domains? Thanks Help	16	9955	August 12, 2016
Rate Limit Increase Request 1M+ domains Issuance Policy	5	1471	October 1, 2019
Applying more than 100 domains? Help	17	7251	November 17, 2016
100 Domain limit, including www and aliases Help	3	1156	March 12, 2021

Proper way to handle many domains in node.js

Related topics