Rate limit to generate non-wildcard certificate, while a current wildcard cert exists

Hello!

One of the registered domains that I am looking into currently has a wildcard certificate, with almost ~20 subdomains registered under it. And these subdomain servers are running independently in multiple instances.
Thus, currently, renewing the certificates becomes a manual process.

I was considering using certbot to automatically configure it (apache and nginx) so that the certificates are renewed automatically.

I went through the document for the rate-limit https://letsencrypt.org/docs/rate-limits/ too.
I just wanted some confirmation on a few things

  1. Is there any advantage of sticking with a wildcard cert?
  2. Since there is already a wildcard certificate in place, if I generate certs for the subdomains/servers again (using e.g. certbot --nginx), will that add on to the rate limit (if added in the same week)?
  3. If I have 6 subdomains served by nginx, and I run “certbot --nginx”, and I select all domains, will this count as 6 separate certificates or just 1 certificate?

========================================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: greenstory.ca

I ran this command: not-yet

It produced this output: not-yet

My web server is (include version): nginx, apache-bitnami

The operating system my web server runs on is (include version): ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

2 Likes

For your situation, it sounds like moving to separate certs for the separate servers will be the easiest and most effective way to do things.

Here's my rule of thumb of when a wildcard certificate is the best solution: If you have a wildcard in DNS, so <anything>.example.com points to the same IP address, a wildcard makes sense. Otherwise, separate certs make sense.

Yes.

That will generate just one certificate, with all the subdomains on it.

2 Likes

Thanks so much for the response! That helps! :slight_smile:

Will this count against the rate limit? As in, if there are 6 subdomains and one certificate is generated, will this count as 6 or 1?

2 Likes

1 cert = 1 count
Otherwise, certs with 100 names (max) would immediately break the rate limit - on the first cert issued.

3 Likes
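To make the "1 cert = 1 count" answer concrete, here is a small added example (not code from the thread or from Certbot) that replays a constructed set of issuance records and counts how many certificates, as opposed to how many names, fall inside a rolling 7-day window for one registered domain. The 100-names-per-certificate figure comes from the reply above; the 50-certificates-per-registered-domain weekly limit is an assumption taken from the rate-limit documentation linked in the question, and the registered-domain extraction is deliberately simplified (it takes the last two labels and does not consult the public suffix list).

```python
from datetime import datetime, timedelta

# Constructed sample of issued certificates: (notBefore timestamp, names on the cert).
# Each tuple is one certificate, no matter how many names it carries.
ISSUED = [
    ("2019-04-01T10:00:00", ["*.example.test"]),                       # existing wildcard cert
    ("2019-04-02T09:30:00", ["a.example.test", "b.example.test",
                             "c.example.test", "d.example.test",
                             "e.example.test", "f.example.test"]),     # one cert, six names
    ("2019-03-20T08:00:00", ["old.example.test"]),                     # outside the 7-day window
]

MAX_NAMES_PER_CERT = 100          # stated in the thread: a cert may carry up to 100 names
CERTS_PER_REGISTERED_DOMAIN = 50  # assumption: weekly "certificates per registered domain" limit
WINDOW = timedelta(days=7)


def registered_domain(name: str) -> str:
    """Simplified registered-domain extraction: strip a leading wildcard and keep the last two labels.
    Real code must use the public suffix list (e.g. for .co.uk); this is an illustration only."""
    labels = name.lstrip("*.").split(".")
    return ".".join(labels[-2:])


def fits_one_cert(names) -> bool:
    """True if all names can be placed on a single certificate."""
    return 0 < len(names) <= MAX_NAMES_PER_CERT


def certs_in_window(issued, domain: str, now: datetime) -> int:
    """Number of certificates for `domain` issued within the last WINDOW. One cert counts once."""
    start = now - WINDOW
    count = 0
    for ts, names in issued:
        issued_at = datetime.fromisoformat(ts)
        if start < issued_at <= now and any(registered_domain(n) == domain for n in names):
            count += 1
    return count


def names_in_window(issued, domain: str, now: datetime) -> int:
    """Total names across those same certificates, shown only to contrast with certs_in_window."""
    start = now - WINDOW
    total = 0
    for ts, names in issued:
        issued_at = datetime.fromisoformat(ts)
        if start < issued_at <= now:
            total += sum(1 for n in names if registered_domain(n) == domain)
    return total


def would_exceed(issued, domain: str, now: datetime, planned: int = 1) -> bool:
    """Would issuing `planned` more certificates push the domain over the weekly limit?"""
    return certs_in_window(issued, domain, now) + planned > CERTS_PER_REGISTERED_DOMAIN


if __name__ == "__main__":
    now = datetime(2019, 4, 3, 12, 0, 0)
    print("certs in window:", certs_in_window(ISSUED, "example.test", now))
    print("names in window:", names_in_window(ISSUED, "example.test", now))
    print("over limit if one more issued?", would_exceed(ISSUED, "example.test", now))
```

With the constructed records, two certificates (the wildcard and the six-name cert) fall inside the window even though they carry seven names between them, which is the distinction the reply makes: the limit is consumed per certificate, not per name.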

Thanks Rudy! :slight_smile:

3 Likes
