What happens when renewing a certificate with an invalid SAN domain?

Hello,

this is a more abstract question. I have 114 domains that need a certificate. The limit of SANs for one certificate is 100, if that is still correct, so that would require me to have 3 certificates (with www. that makes 228 names).

But what happens if one of those domains gets canceled and it no longer exists?
Will it proceed to generate the certificate but exclude the domain that couldn’t be verified? Or will it exit with an error and not finish the certificate? I don’t want to find out one day that the certificate wasn’t renewed because of that and 100 domains no longer have a valid SSL cert.

The alternative to this would be to create 114 “normal” certificates but that is a lot of effort when first setting it up.

Could someone enlighten me here? :smiley:

Thanks!
Cookiefamily

It depends on the ACME client you're using, but

That's most likely.

Removing domains after one failed renewal is a bad idea -- what if there's a ten minute DNS outage, your ACME client happens to renew one of your certificates, and half your domains get dropped?

Making 114 different certificates might be difficult to set up, but it's the conceptually simple option.

Managing 3 certificates requires a lot of complicated logic. I'm sure some people have implemented it, but I don't know if any of that software is open source. :confused:

Also, keep in mind that the Certificates per Registered Domain rate limit means that constantly issuing certificates to add or remove domains is problematic for the other domains included in the certificate.

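As an added example (not code from the thread or from any ACME client), here is a Python sketch of the bookkeeping the answer describes: grouping apex and www pairs into certificates of at most 100 names, pre-checking DNS for every name before an order is placed, and flagging rather than dropping names that have failed several runs in a row. The 100-name limit, the www twin for every domain, the three-run threshold and the pluggable resolver are assumptions.

```python
"""Plan SAN groupings for an ACME renewal and pre-check every name.

Constructed example for the thread above; not the poster's code and not
part of any ACME client. Assumes the 100-names-per-certificate limit
quoted in the question and a 'www.' twin for every apex name.
"""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

SAN_LIMIT = 100  # per-certificate SAN limit as quoted in the question


def plan_certificates(apex_domains: Iterable[str], limit: int = SAN_LIMIT) -> List[List[str]]:
    """Group apex+www pairs so no certificate exceeds `limit` names and an
    apex never lands in a different certificate than its www twin."""
    pairs = [[d, "www." + d] for d in sorted(set(apex_domains))]
    per_cert = limit // 2  # whole pairs that fit in one certificate
    return [sum(pairs[i:i + per_cert], []) for i in range(0, len(pairs), per_cert)]


def resolves(name: str) -> bool:
    """Default resolver: True if the name currently has an A/AAAA answer."""
    try:
        socket.getaddrinfo(name, 443)
        return True
    except socket.gaierror:
        return False


def precheck(cert_names: List[str], resolver: Callable[[str], bool] = resolves) -> Dict[str, List[str]]:
    """Report which names in a planned certificate would fail validation.
    Nothing is removed here: one miss may be a transient DNS outage, so the
    caller alerts and leaves the order's name list unchanged."""
    failed = [n for n in cert_names if not resolver(n)]
    return {"ok": [n for n in cert_names if n not in failed], "failed": failed}


def renewal_decision(report: Dict[str, List[str]], history: Dict[str, int],
                     threshold: int = 3) -> Tuple[str, List[str]]:
    """Update consecutive-failure counters and decide what to do this run.
    Returns ("renew", []) when every name resolves; otherwise ("alert", names)
    where names have failed `threshold` runs in a row and warrant a human
    look. A name that dipped once is counted but not reported yet."""
    for n in report["ok"]:
        history.pop(n, None)  # a success resets the streak
    for n in report["failed"]:
        history[n] = history.get(n, 0) + 1
    if not report["failed"]:
        return "renew", []
    stale = sorted(n for n, c in history.items() if c >= threshold)
    return "alert", stale
```

Because a single unverifiable name fails the whole order, the "alert" branch is where a monitoring hook belongs; the counters only tell you which names to look at, never which to remove.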

Thank you very much!
I guess I’m gonna go with the 114 certificate route then, your point about the renewal during a DNS outage makes sense.
