SSL for 1,000 domains

I’m hoping to take advantage of all these SSL experts in here as I have a bit of a technical problem.

I have a single instance of an IIS website which responds to 1,000 domains and I’d like to have them run securely over SSL. The domains are mostly static, but some will come in and out every few weeks.

Let’s Encrypt can do up to 100 domains and some other providers will do up to 250, but clearly that is still not enough.

I’ve been thinking of various ways of doing this, such as duplicating the site into separate IIS instances, each with its own “up-to-100 domains” SSL certificate - although this would be a lot more maintenance of sites and certificates.

I also wondered about having some sort of proxy or gateway to accept all of the connections and then feed them through to various instances of IIS.

Has anyone experienced this before or have any other ingenious ideas on how to get around the problem?

Thanks in advance.

There can be 100 names in one certificate, but there is no limit on the number of certificates you may issue. Practically, one would issue one certificate for each domain name.

Ouch that’s a lot of domains and with a rate limit of 20 per week … that’s going to take you 50 weeks to accomplish :roll_eyes: … not sure how you are going to get around this one with free SSL ??? I am not sure if you can mix different domain names into one certificate, never tried. But if you could then you may be able to get away with 10 certificates each with 100 domain names in it?? @schoen is this possible ??

That’s not true either. The limit you point to is 20 certificates for /one/ single domain name per week, not 20 certificates per week for distinct domain names.

My bad @bytecamp … thought it was 20 per week regardless … must learn to read better :slight_smile: so in response to your earlier post can you actually have different domain names (100) in one certificate ?? If so I had no idea that was possible.

Yes, it is documented on the same page you referred to.

Ok I read that “If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate.” … but that only refers to sub domains. Is the OP @GBSM not talking about 1000 completely different domain names? ie. … those could not be combined into one cert can they?

Thanks for the reply bytecamp & MitchellK

The issue is that this is running on a single IIS website - which would only allow 1 certificate on it at a time - unless I managed to get centralized SSL certificates to work. However, the rate limit was something I wasn’t aware of, so I think the centralized SSL probably won’t work as they follow a domain naming convention.

At the moment I’m investigating perhaps running multiple sites on the server with either defined bindings or perhaps different port numbers and have some routing to each site. Then I’d target each domain to a specific site and generate a 100 domain SAN certificate for each. Seems a bit complex, but that’s the only thing I can think of that might work at the moment.

Yes, the 100 limit is an aggregate of unique FQDNs (which may all be from different domains).

Oh wow, I really did not know that. Learn something new every day. :+1:

@GBSM why do you not try a --dry-run of this ???

sudo ./certbot-auto certonly --standalone --agree-tos --rsa-key-size 4096 -m -d -d -d -d -d -d --renew-by-default --dry-run

and keep adding -d until you get to your first 100 domain names and then see what the --dry-run output gives you?

Sure enough I just tested this and it does indeed work 100%. So @GBSM I don’t see why you won’t get away with 10 certs each containing 100 domains.

sudo ./certbot-auto certonly --standalone --agree-tos --rsa-key-size 4096 -m -d -d -d --renew-by-default --dry-run
Upgrading certbot-auto 0.18.2 to 0.19.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for
tls-sni-01 challenge for
tls-sni-01 challenge for
Waiting for verification...
Cleaning up challenges

 - The dry run was successful.

Thanks for the script - I’ll make a note of that for later.

The other side of the technical issue is that the site is stored on Azure and it actually responds to any domains that hit it and then the engine has to determine what to show next. So, separating the site into multiple IIS sites based on their bindings and assigning an appropriate certificate are all new steps - ones which will have to be done in an automated fashion. Perhaps with PowerShell scripts or something.

This would all be much easier if you could validate a certificate for an IP address!

Not really, if a certificate is issued with an IP address as the subject, it’s useless on the Web except to identify sites using their IP address as the host part of the URL.

A certificate for (well not that one, it’s an RFC1918 address not part of the public Internet, but it’s just an example) is fine for but won’t match for even if the name has the address

It would be a change in the way SSL works - ie not focused on the domain, but on a property looked up from a domain. I’m sure it won’t happen but it would have made things easier.

I re-read the limit and it’s 20 requests per registered domain, so it is actually ok to get 1,000 different certificates. Centralised SSL might be the way forward…

I will experiment tomorrow! Thanks for your help.

This would make multi-domain hosting (SNI) impossible.
1000 names all return one IP.
For simplicity, that one IP becomes the cert and thus replaces all the HTTPS URLs.
So which of the 1000 domains would eventually be reached by HTTPS:// ?

There is no reason you cannot use a certificate with multiple domains with Centralized SSL. You would just have to make 100 copies of the same certificate in the folder instead of issuing 100 certificates and placing them in it. :wink:
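
An added example, not code from any poster in this thread: it splits a hostname list into certificates of at most 100 names, builds the matching certbot arguments, and maps each hostname to the per-host file that IIS Centralized SSL looks up (`<hostname>.pfx`). The `example.com` names, the e-mail address, the `batch-NN` names and the assumption that each issued certificate has already been exported to `batch-NN.pfx` are all illustrative.

```python
import re

MAX_NAMES = 100  # names-per-certificate limit quoted in the thread
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def plan_batches(names, max_names=MAX_NAMES):
    """Normalise, validate and de-duplicate hostnames, then split into batches."""
    seen, clean, rejected = set(), [], []
    for raw in names:
        name = raw.strip().lower().rstrip(".")
        if not name:
            continue
        if not HOSTNAME.match(name):
            rejected.append(raw.strip())  # IP addresses, wildcards, typos
        elif name not in seen:
            seen.add(name)
            clean.append(name)
    batches = [clean[i:i + max_names] for i in range(0, len(clean), max_names)]
    return batches, rejected


def certbot_args(batch, email, cert_name, dry_run=True):
    """One SAN certificate; --cert-name is added here, other flags are the thread's."""
    args = ["certbot", "certonly", "--standalone", "--agree-tos",
            "-m", email, "--cert-name", cert_name]
    for name in batch:
        args += ["-d", name]
    if dry_run:
        args.append("--dry-run")
    return args


def ccs_copy_plan(batches, pfx_pattern="batch-{:02d}.pfx"):
    """Map each hostname to (source PFX, per-host file name) for the CCS folder."""
    return {name: (pfx_pattern.format(i), name + ".pfx")
            for i, batch in enumerate(batches, start=1) for name in batch}


if __name__ == "__main__":
    # Constructed sample: 1,000 placeholder names plus a duplicate and an IP.
    sample = [f"site{n}.example.com" for n in range(1000)] + ["SITE1.example.com", "192.0.2.10"]
    batches, rejected = plan_batches(sample)
    print(len(batches), "certificates; rejected:", rejected)
    print(" ".join(certbot_args(batches[0][:3], "admin@example.com", "batch-01")))
    print(ccs_copy_plan(batches)["site250.example.com"])
```

Names that fail validation are returned separately rather than dropped silently, so a malformed entry in the list cannot cause a whole 100-name order to fail unnoticed.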

Azure Web Apps have explicit domains added to them, and you have to map the certificate to the domain. I don’t see why this would be such a huge problem for that. Potentially, you could use the Let’s Encrypt Site Extension to handle the issuance, renewal, and bindings of the certificates.

Yes, good thinking. I’ll bear that in mind if I do have trouble with so many individual certificates :slight_smile:

Whilst I do use Azure Web Apps, it’s not on this solution. I use a cloud service which essentially sets up 2 VMs for the websites as well as some worker roles so I was expecting to have a startup script with some PowerShell to get things going.

But it may be a solution to move the websites to Azure Web Apps. There are lots of pros and cons with each method - either way I’m sure there’s going to be some maintenance to do to look after all those certificates!

I’ll look into the Site extension though - thanks!