RunCloud SSL & Limit - SOLVED


#1

Hello, I know this might not be the best place to ask this but I’ve tried everywhere else and still uncertain. Hoping somebody has first hand experience or can offer some guidance. I have also read the rate limit page here, and from my understanding the 20/per week limit is for certs per domain (so subdomains, etc.) and there is no individual domain limit? So now my question…

I’m using RunCloud to mange my server. To get an SSL cert you just add the domain to the web app and “deploy” which just runs the domain through Let’s Encrypt validation. When you add a new domain, you redeploy and it deletes all certs and runs them again I guess. Will this be an issue when I eventually add many domains (50, 100, 500, etc)? I’m thinking not, because they will all be separate domains (example.com, test.com, domain1.com) and not subdomains?

Here is a screenshot of what it says when you “redeploy.”
io-2018-07-08-18-22-10

Any help is appreciated, been at this all day and don’t have more than 20 domains right now to test myself. And yes, I have tried their support, still not sure. :frowning:

Thank you


#2

Seems kind of silly that they would not support having separate certificates for separate apps.

The “20 times per week” is the number of times each Registered Domain can appear on a new Let’s Encrypt certificate in any one week.

test.com and example.org are different Registered Domains and are separate with respect to this rate limit.

On the other hand, a.b.c.example.org and example.org are the same Registered Domain, so any certificate that features either (or both) would contribute to the same rate limit bucket.

So, when it comes to RunCloud, the limit mainly applies to the number of times you can re-issue the Let’s Encrypt certificate in one week. You could have anywhere from 1 to 100 Registered Domains on the certificate each time.

As long as you don’t re-issue the certificate often, you’ll probably be fine.


#3

First off, thank you for the reply.

It did seem kind of silly how they “redeploy” and the domains are all bundled. I’m more familiar with the AutoSSL interface and how you can just run the authorization per domain. Never seen where it deletes all certs just to add a new one.

I think I have a better understanding now. So if the domains are separate (test.com and example.com) the 20/per week limit is for how many times the same domain can essentially be reauthorized (or appear on a new cert). So I could add up to 100 domains in theory, but I can’t redeploy more than 20 times in a week since that would hit the limit in RunCloud’s case. Because it deletes and sends all domains for authorization again.

Adding to the above - If I have site1.example.com, site2.example.com, all the way up to 20 subdomains. If I go to 21 subdomains. That’s the limit right there because that domain will appear over it’s allowed 20 times. I don’t plan on using a wildcard certificate or subdomains, so I don’t expect this to be an issue.

In case it matters, my web app is a Wordpress multisite.

Did I get that right? Thanks again!


#4

Mostly right, a couple of corrections.

There’s only one cert in this case, with all the domains on it.

Not quite. Each appearance of a Registered Domain on a certificate contributes at most once to the rate limit, whether there’s only 1 or 100 subdomains for that Registered Domain.

So a certificate with the following names: a.example.org, example.org, d.b.example.org, test.com contributes in the following way to rate limits:


#5

I should add that it’s possible you might run into the Duplicate Certificate Limit as well if you’re expanding and contracting the certificate often.

e.g., a certificate with the exact set of names (example.org,www.example.org) can be issued only 5 times per week.

IDK if you’ve seen https://letsencrypt.org/docs/rate-limits/ but it goes into some depth on each of these.


#6

Think I get this part now. So when the warning says “Your certificate will be deleted and run through LE validation again” it’s going to delete the cert with all my current domains, add the new domains to a new(?) cert and validate it again. And each cert can have up to 100 domains on it. Separate or subdomains both count towards that number.

So I have the understanding of the 20/per week limit correct but not my subdomain example. No matter the amount of subdomains, when it comes to the amount of times a domain can appear on a new cert it will only count as one. Just counts the primary domain.

I did see this, and that was my next question. To update what I said here:

I could probably only redeploy through Runcloud no more than 5 times a week because it will re-validate all domains already validated and on the cert?


#7

Correct, because the rate limit is counted in certificates per unit of time (e.g., a week).

It doesn’t matter if you put 50 subdomains of a certain domain in one cert or just 2, it still is one certificate in both cases.

But because it seems RunCloud only works with just a single certificate (WHY?!?), if you change your certificate more than 20 times per week, you’ll probably hit the certificates per domain rate limit.

That depends on how you redeploy. The 5 duplicate certificates per week rate limit is for an exact set of domains in the certificate. So for example, let’s name a.example.com, b.example.com and a.example2.com “set A”. And a.example.com, b.example.com, c.example.com and a.example2.com “set B”. Those are different sets, because c.example.com was added. Now, if you’d add for example b.example2.com, you’ll end up with a new set, “set C”. But if you remove c.example.com again, you’ll end up with “set A” again. And because that’s the second time you’ll get a certificate for set A, it counts as 2 out of 5 for the duplicate certificate rate limit per week.


#8

I honestly have no idea why Runcloud does it this way, literally the only “issue” I’m having with them. Well, and DNS-01 setup for wildcard, but that’s another topic. Might not even worry about that, don’t plan on using subdomains anyway. From what I’ve seen Serverpilot does it better with AutoSSL, but is lacking so much more. So tough choice there. Anyway…

So it sounds like despite that warning they give, I should be okay to redeploy and renew any newly added domains a few times a week (20-100). I know their web apps don’t have a limit of domains it can have, but I won’t exceed 100 domains so I don’t have any issues with the SSL certs. In theory, should be okay from what I’m learning here.

Wow, this helps and makes total sense - I think. So it’s not really a duplicate domain that’s the issue, it’s a duplicate certificate (which I just now saw it’s officially called). If the certificate has 1, 5, 20, 50 domains that are the same; it doesn’t matter so long as the cert is different (i.e at least one new domain is added when redeployed in Runcloud). My own example to make sure I got it:

Cert (already run and is ready to go):
test1.com
test2.com
test3.com

If I redeploy just how it is, that would be 1 of 5 for the week. However if I add test4.com and redeploy that would not count.

As for renewals when the system does it (I think it’s a month prior) that’s where the renewal exemption comes in and ignores most of this (20/week limit). I read that it counts as a renewal when it contains the same number of domains as the previously issued cert. If you’re constantly adding new domains, is this possible though? Renewals will count as 1 of your duplicate certificate slots as well.

This has been a big help. Thank you again!


#9

If you continu redeploying with just including new domains too quickly, without deleting previous domains, you’ll end up hitting the 20 certs for one domain per week after 20 certificates. Because after 20 certs, the first domain will have 20 certs counted to it.


#10

To make sure I understand this correct. In the simplest terms I can think of: don’t redeploy more than 20 times in one week, no matter how many new domains I add (not exceeding 100)? Or are you saying I can’t exceed 20 domains per web app (cert) with how Runcloud redeploys?

Again, thank you. You’re two have helped me more than you could imagine!


#11

The rate limits are per week, so the first statement would be correct.


#12

Okay, that makes sense. Because if I don’t delete any domains, the same ones will be getting a new cert and that’s when the 20 per domain limit comes into play.

You just officially solved this for me. Sounds like I can do what I planned on doing all along, and you helped clear things up. Add up to 100 domains per web app, and get a SSL cert for each. Just keeping in mind the limits discussed in this thread. I think to play it safe I will just redeploy 1-2 times a week depending on how many new domains are added, and also hope Runcloud doesn’t have their own weird limit - which they shouldn’t. The only limit for this would be on LE’s end I think. Now to put it in practice!

Thank you again! :grinning:


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.