Using Certbot for 400+ Domain Environments


#1

I try to create a cert, but got a error:
Error creating new authz :: too many currently pending authorizations

I use this command:
certbot-auto -c certbot.ini

my certbootini has only one line:
domains = domain.ru, www.domain.ru, subdomain.domain.ru and etc

I have ~400 subdomains in this config.

I read another topics with this problem, but that not help me.

What i need to solve this problem in my situation?
Or It’s not possible to create cert to 400+ domains in letsencrypt?


#2

@mapt

A careful review of the documentation would tell you that the maximum number of SANs per certificate is 100.

https://letsencrypt.org/docs/integration-guide/

What would you like to do next?

Andrei


#3

Thanks for answer. In was my mistake.

What would you like to do next?

I don’t know now. Go to try find another solution…


#4

I am going to be fairly honest here

once you are getting to the 400+ domain range a wild card certificate starts making sense

Let’s Encrypt doesn’t currently offer these but if you are going to look at buying one can you think about getting one from GlobalSign or DigiCert. Both in my opinion help PKI and the adoption of the secure web so if you have to spend money it should be supporting CAs which do that.

Andrei


#5

Why wouldn’t you break up your certbot.ini file into 4 parts, each containing 100 domains at most. (cerbot1.ini, certbot2.ini etc.)


#6

this has been discussed a few times

This adds an additional challenge of having to manage multiple VHOSTS and mapping VHOSTS to certs

There is a effort to reward metric here and most people who have gone down this path agree the flexibility of a Wildcard outweighs manual workarounds

If you are interested I can dig up previous discussions.

Andrei


#7

yup even approaching 10+ subdomains would be better for wildcard ssl cert from the point of view of performance as the size of the ssl certificate would be much larger for letsencrypt SANs ssl cert especially at 100 domains.


Changing to Lets Encrypt from RapidSSL WildCard Certificate
#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.