Speed up adding 1 domain to multi domain cert


#1

I’m investigating using a Let’s Encrypt multi-domain cert where I was previously using a wildcard cert from another provider. What I’m finding is that when I add 1 new domain to the list of valid domains, the time it takes Let’s Encrypt to re-authenticate all the existing domains is quite long, whereas the part of the time taken for the new domain is only a few seconds.

For example, if each domain takes 5 seconds to authenticate:

    1. We have an existing Let’s Encrypt cert for 90 domains which have all been successfully authenticated
    2. We want to add one new domain
    3. Let’s Encrypt re-authenticates all 90 domains plus the new 1
    4. Time taken is 455 seconds

Is there any way to configure the cert request such that only the 1 new domain needs to be authenticated and so the cert request only takes the shorter 5 seconds?


#2

Seems this may be due to the library I’m using (https://github.com/dmathieu/sabayon) to request the certificate rather than due to the way Let’s Encrypt works, but I’m not sure. Can anyone comment?


#3

It may depend how recently the previous certificate was issued. The ACME protocol has a concept of authorization (authz) which connotes authority to request certificates for a particular name. There is a period of time during which your client could reuse this authorization (whether it does depends on how the client is implemented) instead of obtaining a new one, which could make reissuance with an additional name faster because the DV challenges wouldn’t have to be re-performed for the existing names.


#4

I see, thanks. Any idea how long that period is? A few hours; a few days?


#5

Apparently sabayon registers a new account with a fresh account key for every attempt to issue a certificate; this means there is no possibility to reuse existing authorizations (which are tied to the previous account key). This avoids the risk of leaking the account private key (which would allow the attacker to issue certificates for your domains while the authorizations are valid), but slows down the issuance process, as you noticed.

Currently authorizations are valid for 60 days, but there were some plans to decrease that time.


#6

If the issue with registering a new account on every attempt were resolved, how long should I expect it to take to add 1 new domain to an existing cert of 90 domains? Still 455 seconds or would this be shortened?

I’m only concerned about the time it takes to add a new domain, rather than how long it takes to renew the certificate every 60 days.


#7

In theory, closer to the 5 seconds required to authorize a single new FQDN, assuming that the authorizations for the other FQDNs are still active.

Keep in mind that you’ll only be able to do this reissuance about 20 times per week, because of our Certificates Per Name rate limit.
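To make the account-key point from #5 and the timing estimate in #7 concrete, here is an added toy model (not code from this thread, from sabayon, or from any ACME library) in which the server keys valid authorizations by (account key, name), as the protocol does. The 5 seconds per challenge, the 90 existing names, the 60-day authorization lifetime and the hostnames are assumptions taken from the thread or constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

AUTHZ_LIFETIME = timedelta(days=60)   # lifetime quoted in the thread; may change
CHALLENGE_SECONDS = 5                 # per-name validation cost assumed in the thread


@dataclass
class AcmeServerModel:
    """Toy server: a valid authorization belongs to one (account key, name) pair."""
    valid_authz: dict = field(default_factory=dict)   # (account_key, name) -> expiry

    def new_order(self, account_key: str, names: list, now: datetime) -> tuple:
        """Split the order's names into already-authorized and still-pending."""
        reusable, pending = [], []
        for name in names:
            expiry = self.valid_authz.get((account_key, name))
            if expiry is not None and expiry > now:
                reusable.append(name)      # authz still valid for this account
            else:
                pending.append(name)       # challenge must be (re)performed
        return reusable, pending

    def complete_challenge(self, account_key: str, name: str, now: datetime) -> None:
        """Record a passed DV challenge as a fresh authorization for this account."""
        self.valid_authz[(account_key, name)] = now + AUTHZ_LIFETIME


def issue(server: AcmeServerModel, account_key: str, names: list, now: datetime) -> int:
    """Issue a cert for `names`; return seconds spent on challenges."""
    _reusable, pending = server.new_order(account_key, names, now)
    for name in pending:
        server.complete_challenge(account_key, name, now)
    return CHALLENGE_SECONDS * len(pending)


def scenario(reuse_account: bool, days_between: int = 1) -> tuple:
    """Issue for 90 names, then reissue adding one name; return both durations."""
    server = AcmeServerModel()
    t0 = datetime(2017, 1, 1)
    existing = [f"host{i}.example.test" for i in range(90)]   # constructed sample names
    first = issue(server, "account-key-A", existing, t0)
    # A client like the one described in #5 would show up here as a new key each time.
    key = "account-key-A" if reuse_account else "account-key-B"
    later = t0 + timedelta(days=days_between)
    second = issue(server, key, existing + ["new.example.test"], later)
    return first, second
```

Reusing the account key turns the second issuance into a single 5-second challenge, while a fresh key, or waiting past the 60-day lifetime, brings it back to the full 455 seconds.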
