--allow-subset-of-names
When performing domain validation, do not consider it
a failure if authorizations can not be obtained for a
strict subset of the requested domains. This may be
useful for allowing renewals for multiple domains to
succeed even if some domains no longer point at this
system. This option cannot be used with --csr.
(default: False)
In my own testing just now, I tried issuing a certificate for three domains:
1. Two domains I control
2. A domain I don’t (example.org)
When I ran with the above flag, it created a certificate with only the first two names, and omitted (2).
Perhaps you can try that.
But I noticed one notable way in which this doesn’t work: if any of the domains are forbidden by Let’s Encrypt policy (e.g. if you put google.com as one of the domains), then the entire process will fail anyway.
Does that sound like a Certbot bug, @schoen? (On reflection it might be impossible to solve on the ACME client side, since the order is rejected as a whole and Boulder does not report which domain triggered the policy violation?)
I think it's an ACME issue, but maybe @jsha or @cpu can think of whether there's an easy way that the policy can be tested without causing the request as a whole to fail. (If so, maybe we could update Certbot to use a slightly different behavior.)
It also occurs to me that if any of the domains are rate-limited, this flag will also fail the entire order at finalization time (or new-order time, if https://github.com/letsencrypt/boulder/issues/3975 is implemented).
Seems like the only way for --allow-subset-of-names to work reliably might be for the server to implement pre-authorization and to move those checks to the authorization stage.
There are provisions in ACME for the server to return separate errors for each domain in an order (subproblems), but we haven’t gotten around to implementing it yet. The policy checks would be one nice easy area to start implementing them in! It won’t be on our priority list for a while but we would take a well-written PR.
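As an added illustration of the subproblems mechanism described in the reply above (example code, not Certbot's or Boulder's own): a client-side helper that reads an ACME problem document and, only when the server attributes the failure to specific identifiers, works out which names could be re-ordered; without subproblems it reports that nothing can be dropped safely, which is the situation the thread describes. The error documents are constructed samples, not real server output.

```python
import json

# Constructed sample of an ACME problem document with per-identifier
# "subproblems" (RFC 8555, section 6.7.1); not real Boulder output.
SAMPLE_ERROR = json.dumps({
    "type": "urn:ietf:params:acme:error:malformed",
    "detail": "Error creating new order",
    "subproblems": [
        {"type": "urn:ietf:params:acme:error:rejectedIdentifier",
         "detail": "Policy forbids issuing for name",
         "identifier": {"type": "dns", "value": "forbidden.example"}},
        {"type": "urn:ietf:params:acme:error:rateLimited",
         "detail": "too many certificates already issued",
         "identifier": {"type": "dns", "value": "busy.example"}},
    ],
})

# Constructed sample of the same failure without subproblems: the client
# cannot tell which of the requested names was at fault.
SAMPLE_ERROR_NO_SUBPROBLEMS = json.dumps({
    "type": "urn:ietf:params:acme:error:rejectedIdentifier",
    "detail": "Error creating new order :: Policy forbids issuing for name",
})


def failed_identifiers(problem_doc):
    """DNS names blamed by the error's subproblems, or None if there are none."""
    problem = json.loads(problem_doc)
    subproblems = problem.get("subproblems")
    if not subproblems:
        return None  # whole-order error: no per-identifier attribution
    names = set()
    for sub in subproblems:
        ident = sub.get("identifier") or {}
        if ident.get("type") == "dns" and ident.get("value"):
            names.add(ident["value"].lower())
    return names


def retry_subset(requested_names, problem_doc):
    """Names left to re-order after dropping the ones the CA rejected.
    Returns None when the error carries no per-identifier detail (so nothing
    can be dropped safely) or when every requested name was rejected.
    """
    failed = failed_identifiers(problem_doc)
    if failed is None:
        return None
    remaining = [n for n in requested_names if n.lower() not in failed]
    return remaining or None
```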