Is there any workaround for the following situation:
I work for a web consultancy and we have embraced LE fully and have set up many client sites using it. We have started to hit the rate limit lately, mainly because we use a naming convention of (f.ex) for internal purposes as well of client.prod.domain.com and the error is that there are too many domains lately registered for the domain.com.
This is true because when I check our domain in crt.sh I can see a lot of renewals/new subdomains or sometimes expanding already existing subdomains with another domain. But if the domain.com exists in the certificate it may cause the rate limit to be exceeded.
Our last case in point was a situation where we had to expand the certificate by adding a new client domain to the certificate but our own .prod.domain.com was causing it to fail because for the last week too many domains have been already registered/renewed.
Because we have many different servers that host these sites, I am right now clueless as to how to approach this problem. Is there a way to separate the certificates into different certificate files? That way if we already have registered a domain.com subdomain it would not affect if we add a new different domain certificate to the server.
Right now if we expand it would update the existing one. Are there possibly plans in the future where companies can buy some kind of expanded limits? We just did not consider how these limits would start hindering our work when we started to fully embrace LE.
I’m not sure I understand the problem… if your question is “can I have multiple certificates per server?”, then the answer is yes, you can. The only downside is that the technology used to select the correct certificate isn’t compatible with some ancient browsers, so those will always get the server’s default certificate. You may or may not care about that.
If you want to split up an existing certificate, you can reduce it to one set of names using the --cert-name option, and then run certbot again just specifying the other set of names. It should create a separate new certificate.
I believe this is more a rate limit question, @jmorahan. They have a lot of certificates for the base domain and are hitting the 20/week limit per domain.
@greenspaceman, you have a few options available. First, you could review the rate limit documentation, specifically the Overrides section, and examine if you might qualify for an increased rate limit. Alternatively, you could look to see if you qualify for the Public Suffix List (I suspect you do not, but it’s hard to tell without more information.) Finally, bear in mind that while both renewals and new issuances count against the rate limits, only new certificate issuance is blocked by them. That is to say you could issue up to 20 new certificates per week, as long as you wait to renew any existing certificates until after issuing the new certificates.
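The rule described in the replies above can be modelled offline to see which pending requests would be refused. This is an added example, not code from the thread or from Let's Encrypt; it assumes the 20-per-week figure quoted above, treats a request with exactly the same name set as an earlier certificate as a renewal, approximates the registered domain as the last two labels (a real check needs the Public Suffix List), and uses a constructed issuance history.

```python
from datetime import datetime, timedelta

LIMIT = 20                   # certificates per registered domain per week, as quoted in the thread
WINDOW = timedelta(days=7)

def registered_domain(name):
    # Assumption: last two labels. A real check must consult the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def window_counts(history, now):
    """Certificates per registered domain inside the window (renewals count too)."""
    counts = {}
    for issued_at, names in history:
        if issued_at <= now and now - issued_at <= WINDOW:
            for dom in {registered_domain(n) for n in names}:
                counts[dom] = counts.get(dom, 0) + 1
    return counts

def check_request(history, names, now):
    """Return (allowed, blocking_domains) for a certificate request for `names`."""
    wanted = frozenset(n.lower() for n in names)
    # Same exact name set as an earlier certificate: a renewal, which is not blocked.
    if any(frozenset(n.lower() for n in old) == wanted for _, old in history):
        return True, []
    counts = window_counts(history, now)
    blocking = sorted(d for d in {registered_domain(n) for n in wanted}
                      if counts.get(d, 0) >= LIMIT)
    return not blocking, blocking

# Constructed history: 20 certificates in the past week, each pairing a
# client.prod.domain.com-style name with the client's own domain.
NOW = datetime(2024, 1, 15, 12, 0)
HISTORY = [(NOW - timedelta(hours=6 * i),
            [f"client{i}.prod.domain.com", f"www.client{i}.example"])
           for i in range(20)]

def plan(now=NOW):
    return {
        # Expanding an existing certificate changes its name set: a new issuance.
        "expand": check_request(HISTORY, ["client0.prod.domain.com",
                                          "www.client0.example",
                                          "shop.client0.example"], now),
        # Unchanged name set: renewal.
        "renew": check_request(HISTORY, ["client3.prod.domain.com",
                                         "www.client3.example"], now),
        # Separate certificate for the client name only, without domain.com.
        "split": check_request(HISTORY, ["shop.client0.example"], now),
    }

if __name__ == "__main__":
    for label, result in plan().items():
        print(label, result)
```

The "split" case corresponds to keeping client names on their own certificate so that the shared internal domain does not count against them.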