Hello!
I want to order a wildcard SSL for my friend. His domain name is:
lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll.xyz
This is a real, registered domain.
So, I tried out this command:
/acme.sh/acme.sh --issue --force -d '*.lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll.xyz' -d 'lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll.xyz' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --debug
But it failed:
The common name of a certificate is limited to 63 characters. To create a certificate for a domain longer than that, you need to create a certificate with at least two SAN names, where the common name (usually the first SAN name) is less than 63 characters.
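A small planner for the CN/SAN layout described above, added here as an example and not code from the thread or from acme.sh: it checks each name against the DNS label limit (63 characters per label, RFC 1035), then picks the first name short enough to serve as the common name (RFC 5280 caps the CN at 64 characters; the post above quotes 63, and the 67-character domain here fails either way) and moves it to the front, since the post notes the CN is usually the first name given. The `cn_max` parameter and the `plan_subject` name are assumptions for this example.

```python
import re

DNS_LABEL_MAX = 63   # RFC 1035: each dot-separated label is at most 63 octets
DNS_NAME_MAX = 253   # RFC 1035: whole name at most 253 characters in text form
CN_MAX = 64          # RFC 5280 ub-common-name-length (the post above says 63)

_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def dns_name_problems(name: str) -> list:
    """Return a list of problems with name; an empty list means it is usable."""
    name = name.lower().rstrip(".")
    problems = []
    if len(name) > DNS_NAME_MAX:
        problems.append(f"name longer than {DNS_NAME_MAX} characters")
    labels = name.split(".")
    for i, label in enumerate(labels):
        if label == "*" and i == 0 and len(labels) > 1:
            continue  # a wildcard is only allowed as the leftmost label
        if len(label) > DNS_LABEL_MAX:
            problems.append(f"label {label[:8]}... exceeds {DNS_LABEL_MAX} characters")
        elif not _LABEL_RE.match(label):
            problems.append(f"invalid label {label!r}")
    return problems


def plan_subject(names, cn_max: int = CN_MAX):
    """Return (common_name, san_list) for a certificate request.

    Every name is validated and kept as a SAN. The common name is the first
    name that fits the CN limit; None means the request needs an extra short
    SAN name or a CN-less certificate, exactly the situation in the thread.
    """
    sans = []
    for n in names:
        problems = dns_name_problems(n)
        if problems:
            raise ValueError(f"{n!r}: " + "; ".join(problems))
        n = n.lower().rstrip(".")
        if n not in sans:
            sans.append(n)
    cn = next((n for n in sans if len(n) <= cn_max), None)
    if cn is not None:
        sans.remove(cn)
        sans.insert(0, cn)  # CN goes first, as the post describes
    return cn, sans
```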
For what it's worth, the CA Buypass will issue certificates without a Common Name field. Then you wouldn't have to use a second domain.
Some TLS clients may not accept such certificates, though.
I'm not certain if acme.sh will easily request a certificate without a Common Name. I think yes but I'm not sure.
On the other hand, Buypass's production environment does not offer wildcard certificates yet. (They don't allow you to use two domains, either! At least on their free certificates.)
For that matter, I'm uncertain Buypass actually allows super long domains. They could have a policy restriction.
Edit: The thread tdelmas linked to is really good, especially jsha's post laying out the situation, in general and from Let's Encrypt's perspective.