Using one (1) SAN certificate with multiple servers (without hitting rate limit)


#1

Hi everyone.

I’ve been trying to find the answer to this question online, and I have a mixed understanding from some of the dialog that I’ve seen so far.
I have already been successful in deploying the Let’s Encrypt BETA across several servers in a 1-to-1 certificate-to-site capacity.

I’ve now hit the current “5 certs in 7 day” rate limit, and through my research, I’m wondering if my setup qualifies for a single SAN certificate, instead of multiple individual certs.

My setup is as follows:

Server 1
IP: 10.10.10.10

Domains:
hello.mydomain.com
abc.mydomain.com
123.mydomain.com

and

Server 2
IP: 192.168.0.0

Domains:
aplha.mydomain.com
beta.mydomain.com
gamma.mydomain.com

I’ve read other articles and forums related to this topic such as:

  1. One issuer server for multiple servers
  2. Let’s Encrypt in manual mode
  3. subjectAltName (SAN)
  4. Two questions about 5 cert per domain rate limit
  5. Too many certificates already issued

… to name a few.


My main 3 questions are:

A) Is it possible to have ONE (1) “SAN” type certificate for (copied to) TWO (2) different servers that have the same “Top Level Domain” (with multiple sub-domains) shared between machines?

B) Will this be counted as only “1” unit, towards the Let’s Encrypt rate limit of “5 certs in 7 days”?

C) In the post “Using Let’s Encrypt in manual mode” (linked above), it mentions:

“…Note that each domain you submit must be accessible both from the internet and from the computer where the letsencrypt program is run…”

Even if all these URLs are accessible from the Internet, as they are on 2 different servers, when the letsencrypt program runs, will it allow for sub-domains NOT hosted on that particular server to be added to the SAN certificate?

Thanks, I appreciate the advice in advance…


#2

Hi @chrischarles,

If you do issue all of these in a single cert, that should not reach the rate limit, and it’s possible to copy certs and private keys onto as many machines as you want (Let’s Encrypt doesn’t know or control how many machines you use the certs on). (Please do be careful to use a secure method when copying private keys between machines!)

There is the outstanding question (C) about how to get all of the SANs into a single cert when they’re hosted on different machines. I believe that the only simple answer to that currently is the DNS challenge, which would allow you to create DNS records to confirm your control over each name during the cert request process, without requiring a connection to the server that listens for that name. It might also be possible to do it with manual mode (making the relevant configuration changes on the relevant server as appropriate), although this would be time-consuming and error-prone, especially when trying to repeat the process periodically for cert renewals.


#3

As long as you have an ssh connection between the servers, and ssh keys, then you can use the alternate client https://github.com/srvrco/getssl to automatically perform all the challenges etc to obtain the certificate.


#4

Well, some people might think that it might not be possible so quickly for multiple servers because some stupid CA has nothing better to do than to make certs that are for just one server (don't ask me how they do it, I wanna know that myself)


#5

It is very simple to centralize everything on a single node, at least in manual mode:
This nginx snippet works like a charm centralizing all LE requests:

location ^~ /.well-known/acme-challenge/ {
	proxy_pass http://10.0.0.10/.well-known/acme-challenge/ ;
	proxy_set_header Host $host;
	proxy_buffering off;
	tcp_nodelay on;
}
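
The flow the replies describe (one SAN certificate requested on a central node, then copied over ssh to both servers), sketched as an added example that is not part of any post in this thread. The webroot path, destination directory, `root@` login and the nginx reload are assumptions; the hostnames and IPs are the ones given in post #1.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values are marked below.
CENTRAL_WEBROOT=/var/www/acme   # assumption: docroot the central node serves
                                # for /.well-known/acme-challenge/
DEST_DIR=/etc/ssl/le            # assumption: where each server reads its cert
SERVER1_NAMES="hello.mydomain.com abc.mydomain.com 123.mydomain.com"
SERVER2_NAMES="aplha.mydomain.com beta.mydomain.com gamma.mydomain.com"
SERVERS="10.10.10.10 192.168.0.0"   # server IPs as listed in post #1

# Build the "-d name" arguments for one request, dropping duplicate names.
san_args() {
    printf '%s\n' $SERVER1_NAMES $SERVER2_NAMES |
        awk '!seen[$0]++ { printf "%s-d %s", sep, $0; sep = " " }'
}

# The client names its live/ directory after the first -d name.
first_name() {
    set -- $SERVER1_NAMES
    printf '%s' "$1"
}

# One request covering every name: one certificate against the rate limit.
issue() {
    letsencrypt certonly --webroot -w "$CENTRAL_WEBROOT" $(san_args)
}

# Copy chain and key to one server. The directory is created under
# umask 077 so the key is never reachable by other users, even before chmod.
push_to() {
    host=$1
    live=/etc/letsencrypt/live/$(first_name)
    ssh "root@$host" "umask 077; mkdir -p '$DEST_DIR'" &&
    scp "$live/fullchain.pem" "$live/privkey.pem" "root@$host:$DEST_DIR/" &&
    ssh "root@$host" "chmod 600 '$DEST_DIR/privkey.pem' && nginx -t && nginx -s reload"
}

# Only act when called as: ./deploy.sh run
if [ "${1:-}" = "run" ]; then
    issue || exit 1
    for h in $SERVERS; do
        push_to "$h" || echo "deploy to $h failed" >&2
    done
fi
```

Each front-end server needs the proxy snippet from post #5 (pointed at the central node) in place before `issue` runs, so the validation requests for all six names reach the central webroot.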