Rate limit for subdomain question


#1

Hi,
yesterday I ran into the 20 subdomains limit, as one of our wildcard expired. Unfortunately, I only realized that there was such a limit when the limit was hit. Now I read, that it’s possible to add up to 100 SAN Domains, to be able to use more subdomains. So I run

certbot certonly --webroot -w … -d otherdomain.de -d sub1.mydomain.de -d sub2.mydomain.de

but I get an error about too many certificates for mydomain.de as well.

Is there an error in my approach or something I have overseen?

Do SAN subdomains count against the rate limit too, once the limit is hit?

Thanks,
Björn


#2

The rate limit is on certificates, not subdomains. Including a subdomain in the SAN field of a certificate will make that certificate count towards that domain’s rate limit. So you should be able to add up to 100 subdomains on a certificate, and it will count as 1 certificate towards the rate limit of each domain whose subdomains are included. If you have 50 subdomains of the same domain on the certificate, it still counts as 1 towards the rate limit because it’s just one certificate.

However, once the rate limit is hit for a domain, you can’t issue any new certificates that include that domain or its subdomains. You can only renew existing ones (with the exact same set of SAN names), or wait for the rate limit to expire.


#3

thanks for the answer. The fact that every domain whose subdomains are included in the SAN counts as 1 against the limit is great information (that I had not found in the docs).

Cheers, Björn


#4

It counts as 1 against the rate limit for that domain, yes. Each domain has its own independent rate limit.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.