Script to create 100 domains in one cert

marceloAgil · December 14, 2018, 1:53am

Hi, I’v seen this post with a very usefull script to automatically build 100 domains in one cert.

However, if one of the domains fail for some reason, all the job get’s canceled.

Does anyone knows how to ignore a domain that fails and proceed with cert? This way things would run faster and without human intervention.

_az · December 14, 2018, 2:04am

--allow-subset-of-names
    When performing domain validation, do not consider it
    a failure if authorizations can not be obtained for a
    strict subset of the requested domains. This may be
    useful for allowing renewals for multiple domains to
    succeed even if some domains no longer point at this
    system. This option cannot be used with --csr.
    (default: False)

In my own testing just now, I tried issuing a certificate for three domains:

Two domains I control
A domain I don’t (example.org)

When I ran with the above flag, it created a certificate with only the first two names, and omitted (2).

Perhaps you can try that.

But I noticed one notable way in which this doesn’t work: if any of the domains are forbidden by Let’s Encrypt policy (e.g. if you put google.com as one of the domains), then the entire process will fail anyway.

Does that sound like a Certbot bug @schoen ? (On reflection it might be impossible to solve on the ACME client side, since the order is rejected as a whole and Boulder does not report which domain triggered the policy violation?)

schoen · December 15, 2018, 4:00am

I think it's an ACME issue, but maybe @jsha or @cpu can think of whether there's an easy way that the policy can be tested without causing the request as a whole to fail. (If so, maybe we could update Certbot to use a slightly different behavior.)

_az · December 15, 2018, 4:21am

It also occurs to me that if any of the domains are rate-limited, this flag will also fail the entire order at finalization time (or new-order time, if https://github.com/letsencrypt/boulder/issues/3975 is implemented).

Seems like the only way for --allow-subset-of-names to work reliably might be for the server to implement pre-authorization and to move those checks to the authorization stage.

jsha · December 15, 2018, 5:56am

There’s provisions in ACME for the server to return separate errors for each domain in an order (subproblems), but we haven’t gotten around to implementing it yet. The policy checks would be one nice easy area to start implementing them in! It won’t be on our priority list for a while but we would take a well-written PR.

system · January 14, 2019, 5:56am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.