I have a question regarding how Let's Encrypt's rate limit works in the following SAN certificate orders:
If I have a cert with a.com CN and the following SANs 49 more subdomains of a.com, 50 subdomains of b.com
What is my Certificates per Registered Domain count for this cert based on this order alone? Does this mean I have used up all my maximum of 50 Certificates per Registered Domain per week limits for both a.com and b.com domains? If not, how is that limit counted in this case?
Also, since each domain in a SAN order has to be validated differently, is it the case that if one validation fails, the whole order fails?
A certificate is a certificate and a SAN entry is a SAN entry. Only the maximum SAN entries per certificate has a dependency on the SAN entries. The max 50 certificates per domain per week has a dependency on certificates, not SAN entries.
So to answer your question: just one.
No.
Per certificate as explained above.
Yes.
By the way, note that the hostname in the CN is also present in the SAN, so it counts to the 100 SANs max per certificate.
Thanks for the reply. One more follow-up: Since this is just one against domain a.com for 50 certificates per domain per week rate limit, does that mean I may not hit that rate limit for b.com as long as I keep only add it as a SAN entry, not CN?
a) If b.com is also in the cert next to a.com, the cert also counts towards the 50 certs for b.com;
b) as said earlier, the CN is also in the SAN, so it will count also.