I run a small web hosting and design business and I’ve been working to integrate LE into our production workflow for new and existing customers. One of the goals is 100% required HTTPS. Everything came together surprisingly quickly using certbot and our existing Apache-based systems (with most sites running WordPress).
In fact, I thought I was done, but during migration testing, I learned my understanding of the rate-limiting restrictions was flawed. Here is the workflow as it stands:
- New customer signs up, user is created
- New site is created (CustomerSite1.com)
  a. Site ID is generated (54321)
  b. Apache is configured using URL 54321.site.MyHosting.com as ServerName and CustomerSite1.com as ServerAlias
  c. Certificate is created using: certbot certonly --cert-name 54321 -w /docroot/54321 -d 54321.site.MyHosting.com
- Site is developed / configured / transferred / etc.
- Migration of production URL
  a. Customer updates DNS on their domain (CustomerSite1.com) to point to 54321.site.MyHosting.com
  b. Certificate 54321 is expanded to include CustomerSite1.com
All of this works perfectly. The key value is always the site ID. Work can start immediately on the site, using proper HTTPS, and not affect the existing site or be dependent on new domain registration delays. It also easily facilitates additional domain aliases and changes of domain names.
But it seems to run into a few snags with LE:
- After creating my 10th site, certificates began getting rejected due to the use of (1) [siteid].site.MyHosting.com initially and (2) expansion to include CustomerSite1.com with each site.
- It also seems – and I’m not sure if this is still the case – that renewals use up your 20 allowed per 7 days. Since all of our certs will have random expiration dates, and each includes [siteid].site.MyHosting.com in addition to any customer domains, this would likely leave us with no ability to set up new sites on many days of the quarter.
This is a pretty simple workflow that isn’t all that uncommon (temporary URLs). I’m not excited about the idea of playing games to dance around these restrictions, which will inevitably add complexity. I’d like to know:
- Is my understanding correct?
- Will/does LE support this kind of workflow?
Also, thanks to all involved on this project. It’s great to see happen.
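To see why the 10th site is where rejections start, here is an added sliding-window model of the per-registered-domain limit quoted in the post (20 certificates per 7 days), run over the issue-then-expand workflow above. This is a constructed example, not Let's Encrypt or certbot code; the limit value, the one-site-per-hour timing and the "last two labels" registered-domain heuristic (which ignores the Public Suffix List) are assumptions made here.

```python
"""Constructed model of a per-registered-domain issuance limit (20 per 7 days,
the figure quoted in the post). Not Let's Encrypt code: every issuance is
charged, and 'registered domain' is approximated by the last two labels."""
from collections import defaultdict
from datetime import datetime, timedelta

LIMIT_PER_WINDOW = 20            # per registered domain, as stated in the post
WINDOW = timedelta(days=7)


def registered_domain(name: str) -> str:
    """Simplification: treat the last two DNS labels as the registered domain."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


class IssuanceLog:
    """Tracks issuances per registered domain inside a sliding window."""

    def __init__(self, limit=LIMIT_PER_WINDOW, window=WINDOW):
        self.limit, self.window = limit, window
        self.events = defaultdict(list)   # registered domain -> [timestamps]

    def used(self, rd: str, now: datetime) -> int:
        """Certificates charged to `rd` inside the window ending at `now`."""
        cutoff = now - self.window
        return sum(1 for t in self.events[rd] if t > cutoff)

    def issue(self, names, now):
        """Charge one certificate to every registered domain in its SAN set.
        Returns (ok, blocked_domains); nothing is recorded when blocked."""
        domains = {registered_domain(n) for n in names}
        blocked = sorted(d for d in domains if self.used(d, now) >= self.limit)
        if blocked:
            return False, blocked
        for d in domains:
            self.events[d].append(now)
        return True, []


def simulate_workflow(n_sites, start=datetime(2016, 1, 1)):
    """Run step 4c (temporary name) and step 5b (expand) for n_sites, one site
    per hour so all fall in one window; returns the issuances that were rejected."""
    log, failures, now = IssuanceLog(), [], start
    for i in range(n_sites):
        temp = f"{54321 + i}.site.myhosting.com"      # step 4c name
        customer = f"customersite{i + 1}.com"          # step 5b alias
        for step, names in (("initial", [temp]), ("expand", [temp, customer])):
            ok, blocked = log.issue(names, now)
            if not ok:
                failures.append((54321 + i, step, blocked))
        now += timedelta(hours=1)
    return failures
```

Each site costs the hosting domain two issuances (the temporary name, then the expansion), so ten sites exhaust the budget of 20 and the eleventh is rejected on both steps even though the customer's own domain still has headroom.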