Stupid question + normal question about limits


#1

Stupid one first - it has been asked a million times, but because i am stupid i still fail to understand it. So the limit is 20 per week.

I just don’t understand if I have 21 different domains like a.com, b.com, c.com etc… will I hit the limit or the 20 limit is for subdomains and i can issue as much different domains as I want ?

Because at the moment i have ~10 different domains that are issued at the same day ( i just want to prevent myself to hit the limit at some day and forget about it )

Normal question.
My domains have a domain and 1 subdomain. I am just currious which is better for me and for lets encrypt servers, should i issue the 2 certificates separated like exmaple.com + admin.exmaple.com, or should I issue a widecard for example.com that i think works for both exmaple.com and admin.example.com ?

Thanks,
Izo


#2

It kind of depends on exactly what you do. The limit is per-certificate and per-domain. You can issue certificates for as many different domains as you want. If you have a million domains, and you got two certificates like:

  • example.com, www.example.com
  • example.net, www.example.net

That would count as 1 for example.com and 1 for example.net. You could issue 19 more certificates for each of those domains, and another 19,999,960 certificates total for your other 999,998 domains. (In theory, at least.)

If you get a single certificate like:

  • example.com, www.example.com, example.net, www.example.net

That also counts as 1 for example.com and 1 for example.net.

One certificate can include up to 100 names, but if you’re adding and removing (sub)domains frequently, you can eat up the rate limits for every domain in the certificate.

If you’re adding and removing (sub)domains dozens of times a week, it would be prudent to put the busy domains in separate certificates.

But it’s fine to have 21 different domains.

What about 1 certificate for example.com + admin.example.com?

Wildcards only apply to one level. A certificate for *.example.com covers admin.example.com but not example.com or abc.def.example.com. If you used wildcards, you’d still have to include both example.com and *.example.com if you want https://example.com/ to work.

I don’t really recommend using wildcards if you don’t have to. DNS validation isn’t convenient in every environment, and the risks can be higher if one of your private keys gets compromised.


#3

I do not ever change my subdomains they are always like that so i will be just fine.

I tough widcards doesn’t support the top domain, but i was hoping i am wrong. Sometimes it sux to be right :smiley:

thanks for explaining man. I really appreciate it.

Have a wonderful week !


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.