Renew using Rails Acme-Client gem


#1

I’m using the acme-client gem for Ruby on Rails to generate certificates for my domain, nearcut.com. I have many other domains pointing to mine, as the Rails app will look at the domain making the request and return the correct data.

I have successfully used the gem to create a certificate with Let’s Encrypt and for test purposes added 1 other domain that points to our server. I notice that when viewing the certificate in Chrome, the other domain is included under “Subject Alternative Name (2.5.29.17)”.

What I want to know is if there is a limit to the number of SANs on this single certificate and if so, how can I work around it. We expect our system to serve a significant number of different domains in the coming months and are aiming to have Let’s Encrypt be our CA.


#2

The limit is 100 FQDNs per certificate. Other rate limits are documented here.

The way you can “work around” this limit is to issue multiple certificates and use SNI. Basically, shard your domains in groups of 100, issue multiple certificates and configure your web server to use all of them (the steps for which depend on your web server - typically you’d have something like one <VirtualHost> tag per certificate on Apache, or one server block per certificate on nginx).

Note that while SNI support is basically universal nowadays, you might run into issues if you have to support very old (probably unsupported) browsers or other clients.
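
The sharding approach from the reply above, as an added example that is not part of the original posts or of the acme-client gem: new hostnames are placed into groups of at most 100 without moving names that already have a certificate, and one nginx server block is rendered per group. The helper names, the `/etc/ssl/shards` paths and the `example.com` hostnames are assumptions made for illustration.

```ruby
MAX_NAMES_PER_CERT = 100 # per-certificate limit stated in the reply above

# Normalize a hostname so duplicates differing by case or trailing dot collapse.
def normalize(name)
  name.strip.downcase.chomp(".")
end

# Place new names into existing shards without moving names that already
# have a certificate, so only the shards that changed need to be re-issued.
# existing: array of arrays of names (one inner array per current certificate).
# Returns [shards, changed_indexes].
def assign_to_shards(existing, new_names, limit = MAX_NAMES_PER_CERT)
  shards = existing.map { |s| s.map { |n| normalize(n) }.uniq }
  known = shards.flatten.to_h { |n| [n, true] }
  changed = []
  new_names.map { |n| normalize(n) }.uniq.each do |name|
    next if name.empty? || known[name]
    idx = shards.index { |s| s.size < limit }
    if idx.nil?                 # every shard is full: start a new certificate
      shards << []
      idx = shards.size - 1
    end
    shards[idx] << name
    known[name] = true
    changed << idx unless changed.include?(idx)
  end
  [shards, changed]
end

# Render one nginx server block for a shard; SNI selects the matching block.
# The certificate paths are hypothetical placeholders.
def nginx_server_block(index, names, cert_dir = "/etc/ssl/shards")
  <<~CONF
    server {
        listen 443 ssl;
        server_name #{names.join(' ')};
        ssl_certificate     #{cert_dir}/shard-#{index}/fullchain.pem;
        ssl_certificate_key #{cert_dir}/shard-#{index}/privkey.pem;
    }
  CONF
end

# Constructed sample data: one certificate already holding 99 names, then new tenants.
existing = [(1..99).map { |i| "tenant#{i}.example.com" }]
incoming = ["New1.example.com.", "new2.example.com", "tenant5.example.com", "new3.example.com"]
shards, changed = assign_to_shards(existing, incoming)
changed.each { |i| puts nginx_server_block(i, shards[i]) }
```

Only the shards listed in `changed` need a new order with the CA; untouched shards keep their current certificates until their normal renewal.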

