Questions about LE multiple domain capabilities

(sorry if this is a long post… not sure how to make it more concise)

I am the current principal developer/maintainer of a content management system that produces free websites from content for over 11,483 non-profit Toastmasters public speaking clubs (& districts) worldwide–the system is built w/ free/open source tools. Clubs enter content via a forms interface and the system turns the content into website (on the fly) using a custom website template that incorporates Toastmasters-specific functionality. We (the system maintainers) have finally reached the point where we needed to take action to implement HTTPS and we obtained a wildcard cert for our main domain, toastmastersclubs.org

However, there is a catch… the system actually works with 3 categories of domains, 2 of which we control, and a third that we really do not:

  1. We control *.toastmastersclubs.org (each of the 11426 subdomains maps to a TM club… we have this covered now w/ a wildcard cert.)
  2. We control *.toastmastersdistricts.org (each of the 57 subdomains maps to a TM district… no cert for this yet)
  3. We do not control the custom domain names (current count = 957) that clubs may optionally acquire on their own and map to our server’s IP address via DNS for navigation and email. These exist in addition to the subdomains the server sets up for them per #1 and #2 above.

All of these map to the same server IP address. The server determines which content to show in the template from a lookup of the subdomain or custom domain name in the MySQL database. We have SSH/FTP access to the AWS server for setting up scenarios #1 and #2 above… no problem. However, we are unsure how to address category #3.

Clubs have to have access to their DNS settings per their registrar where they registrar their custom domain name. Perhaps we could somehow facilitate them getting a cert via LE that they could insert in their DNS record? (Only the system maintainers have server access–I am one of them.)

Can you help me understand how LE could help us get HTTPS set up for all our associated domains???. Not sure that Let’s Encrypt can handle all this and how we would make it easy to use for clubs w/ custom domains.

1 Like

Hi @SteveTheTechie,

Let’s Encrypt doesn’t issue wildcard certificates, so getting a replacement wildcard certificate from us wouldn’t be an option here. It’s still possible that sticking with wildcard certificates from other CAs could be the simplest option for many of your sites.

Issuing certificates for the individual club subdomains would be a bit of a challenge because of the rate limits.

https://letsencrypt.org/docs/rate-limits/

You could request a rate limit exemption for your sites using the form available there.

An individual certificate may contain up to 100 names, so you could cover all of the subdomains with just 115 separate certificates, but even that is too many to issue all at once in light of other rate limits. If you’re careful about it, it would be possible to issue all of these even without a rate limit exemption using a staggered issuance schedule, because renewals of an individual certificate don’t count against the rate limits, but managing the timing of the issuance and renewal could be quite complex.

The rate limits probably wouldn’t affect the separate domains in #3, because most of the limits relate to certificates requested to be issued under the same registered domain. If you have a large number of distinct registered domains, you can get a large number of certificates without hitting a limit, although if you’re willing to combine names in large SAN certs, you could cover everything in #3 with just 10 different certs!

Your control of the web server would allow you to issue certificates covering those names, in the first two cases using any validation method (including DNS-01, where you prove control of the site by adding records in its DNS zone), and in the third case using the two validation methods that involve changing a server response (HTTP-01 or TLS-SNI-01). I’m working on some documentation right now that explains what each of the validation methods does.

To get certificates, you use client software, normally running on your web server, that submits the certificate requests, normally makes requested changes to prove your control over the sites that will be covered by the certificates, and then downloads (and in some cases automatically installs) the resulting certificates. The available client applications are listed at

The total number of sites that you host isn't super-huge by Let's Encrypt standards (some hosting providers have issued on the order of a million certificates for their customers!), but it might be a bit of a system administration or scripting challenge to figure out how you want to handle certificate installation and renewal, especially if you have new clubs coming in and old clubs leaving (or letting their domains expire) with some frequency.

Finally, I’d suggest reading

https://letsencrypt.org/docs/integration-guide/

which describes some issuance considerations for large providers that host a lot of sites on behalf of other people. Some of the considerations there might apply to you, where others might not.

Ok, I am thinking maybe we would just do the wildcard certs via another CA then. Given how the system ("FreeToastHost" or FTH for short) is structured, using wildcard certs for category #1 and category #2 domains/subdomains is the least pain approach. We control those domains, we have access to the server for those, and the server code (that I update) handles creating the subdomains automatically, etc.

[quote="schoen, post:2, topic:31092, full:true"]
The rate limits probably wouldn't affect the separate domains in #3, because most of the limits relate to certificates requested to be issued under the same registered domain. If you have a large number of distinct registered domains, you can get a large number of certificates without hitting a limit, although if you're willing to combine names in large SAN certs, you could cover everything in #3 with just 10 different certs![/quote]

For category #3 domains, based on your comments, I still think LE may be a good approach. However, for those domains, at this time there is really not a viable way to grant access to the server for storing certs (no code for it, no folders allocated for it, no controlled UI for it, etc.), but the clubs that get those domains do have access to their DNS records, so I am thinking that could be the approach. For category #3 domains, there is no subdomain mechanism supported by the system.

For category #3 domains, we do also know the domain names in our db... clubs have to put them there also to allow us to look up their content in the db by domain name. Because of this, I am wondering if we could use that call the client software to get them a cert... Not sure how we prove control of the domain via server code--we could make an automated request for a cert on their behalf, but not sure about the validation. If would be great if we could them email them the cert with instructions in the email to install it in their DNS records... Does this sound like a viable approach?

[quote="SteveTheTechie, post:5, topic:31092"]
For category #3 domains, though, based on your comments, I still think LE may be a good approach. However, for those domains, at this time there is really not a viable way to grant access to the server for storing certs (no code for it, no folders allocated for it, no controlled UI for it, etc.), but the clubs that get those domains do have access to their DNS records, so I am thinking that could be the approach. However, not sure how to handle the rate limits in a consistent way.[/quote]

I was thinking that you, as the sysadmin, were planning to get and install those certificates for them. Is that not right?

Right, that's actually much better from the rate limit point of view, because issuance for those names is treated as independent for rate limit accounting. If you wanted many certificates for subdomains toastmastersclubs.org, you could only get 20 such certificates per week (each of which could cover up to 100 different subdomains). If you want many certificates for various totally independent club domains, there's no limit to how many of those you can issue; effectively, the rate limits already assume that you are doing this on behalf of independent people or entities in this case.

Nope, any combination of names can be included in the same certificate.

There are 3 different validation methods available to choose from. Only one of them (DNS-01) requires access to DNS records. The other two (HTTP-01 and TLS-SNI-01) work by making changes on the server to prove that you control it.

The certificate is installed on the server, not in the DNS records.[quote="schoen, post:6, topic:31092"]
If you want many certificates for various totally independent club domains, there's no limit to how many of those you can issue
[/quote]

With one caveat: if you need to add a new domain to an existing certificate, that counts as a new certificate against the rate limit for each domain already on the certificate.

No, we do not touch their DNS records, so we would depend on those clubs with the "category 3" domains to do some of the setup themselves, with some hand holding from us. For context, we essentially use a similar approach now via a doc to guide them on getting their domains to point to our server:. FreeToastHost custom domain setup doc Most of the clubs that have these domain names are more technically savvy... It is fine as long as we give them guidance for the part that we cannot automate.

Also, there is no way I am going to set this up myself for over 800 domain names. We leverage automation extensively.... everything has to be set up via automated approaches and docs.

What I would likely do is put a button or a link in the website settings form for them that they would click to request that the server get them a cert using their domain name stored in the db. The server would make the actual request for the cert and communicate back the person via email.

You don't need to. The HTTP-01 and TLS-SNI-01 challenges both work by making changes to the server. All you need from DNS is an A record pointing at your server (or CNAME also works), which as I understand it you already have for these domains anyway. Also, as I mentioned above, the certificates once obtained are installed on the server itself, not in the DNS records. So once you have that A record pointing at your server, you can obtain and install a certificate for that domain without needing any further access to its DNS.

Ok, I am not sure I would want our server touched without a better understanding of what to expect. If we would need over 800 certs put on the server, 1 per “category 3” domain, is there any risk of one cert overwriting another?

Again, for this number of domains, I will insist on automating it. There is just no way to make this feasible manually. (I am a volunteer doing this in my spare time as are all of the system maintainers.)

I was also thinking that you might use HTTP-01 authentication to prove your control and get the certificates on their behalf. HTTP-01 requires the ability to create a specified file at a specified location on a site (as accessed over HTTP). If you're hosting all of these sites yourself in HTTP, you can probably do this pretty easily.

The certs are issued to the client and the client can decide what it wants to do with it and where to save it. If you use Certbot, for example, the certs are saved in a particular structure in /etc/letsencrypt. Other clients have other ideas about how to store and manage the certs. You could potentially store them in a database, or write your own scripts to store them in some kind of directory structure.

I strongly support your intuition about automation. We view automation as an extremely important part of Let's Encrypt and we encourage people to use clients in a scripted way, especially given that the certificates expire after 90 days and ought to be renewed before that. Currently some hosts are making this work at the level of hundreds of thousands of certs or even more, but obviously only with the benefit of scripting and automation.

1 Like

The Toastmasters club that I am a member of has a “category 3” domain… so I will probably use it for testing out setting it up with a cert via LE.

Ok, sounds interesting. My main objective w/ this thread was to establish feasibility for the "category 3" domains... those were what were tripping us up for the HTTPS. It sounds like it is feasible to do something via LE to set up HTTPS for them.

I mainly do the coding updates for the system. Another guy is actually the sysadmin. I will probably talk to him and come back to this thread or start another one.

Thanks to everyone who contributed! I got a lot out of this. :slight_smile:

1 Like

Let me clarify that a bit. For example the HTTP-01 challenge allows you to prove your control over the domain by creating a special file in the /.well-known/acme-challenge directory on the website. You could, technically, create this file manually, but if you want automation, you'll probably prefer to let the client software do it for you. The CA doesn't get direct access to make any changes on your server - only the client software that you run yourself can make these changes.

The TLS-SNI-01 challenge works similarly: you use a piece of software to automate making a temporary change to your server configuration in order to prove that you control the domain.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.