Proper way to handle many domains in node.js


#1

First of all hi!

And what an awesome work!

We are working on a platform where users are able to register a domain and create a website. The system is built around a Node.js backend. Without going too much into the details of the system, we will offer our users that their sites run secured with SSL/TLS.

The admin and API are all secured with certbot and nginx, no problem there. Our issue is: how do we create certificates for multiple domains?

Our first solution was to use certbot with the --expand argument. But then we figured out that there is a limit on how many domains it is possible to combine in one certificate. According to the [rate limit document](https://letsencrypt.org/docs/rate-limits/) the limit is 100. We are a bit uncertain about the limit: does it only apply to subdomains, so in our setup where we have dom1.com and dom2.com etc., is there still a limit?

Our second solution is to let Node handle all the rumble. For each newly registered domain we will create a new certificate. In Node.js we will use the SNICallback, so we are able to dynamically map the domain to the certificate.

We think option two is the way to go, but before that we would like to know if anyone has experience with how to handle many domains and certificates in Node.js.


#2

For sure individual certificates (but a single ACME account key) are preferable in this kind of scenario, assuming that your certificates would be largely distinct with regard to registered domains/eTLD+1s.

There are some helpful notes on the topic here: https://letsencrypt.org/docs/integration-guide/

I am not sure that trying to drive Certbot from another program is an ideal approach.

There are ACME client libraries available in Node and even middleware you can use for popular routers (like https://www.npmjs.com/package/letsencrypt-express) that can fully deal with the lifecycle of the certificate for you. IME either option leads to a saner experience than trying to invoke Certbot (or any other interactivity-based ACME client) from a program.

Finally, you could consider fronting your server with something other than Node. Servers like Traefik and Caddy can fully manage the SSL issuance and termination question for you before handing the request to Node, but of course there are other trade-offs to consider there.

It’s 100 names of any kind on the same certificate, whether it’s the same registered domain or not.
