Why Is Google Generating R3 Certs?

The problem I have is this: I was making a web application on my domain hriship.live, and I had to make a file-CDN service (for providing a mirror for my software). I used Google for this, but when I checked the cert logs I saw that every time I use Google Hosting it first generates a Let's Encrypt certificate (for only one domain, i.e. file-cdn.hriship.live) and then, after some time, I see a Google Trust Services SSL (a SAN with 100 random domains) on my domain. If Google issues their own certificate, then why do they generate a Let's Encrypt certificate?

@lestaff

One more thing: they generate two R3 certificates for one single domain, without any need!
https://crt.sh/?q=file-cdn.hriship.live

Hi hpws,

That's interesting. I've never hosted an application/site on GCE/GKE so I can't comment on how their system functions. Can you share more about how you're using GCE/GKE?

As for the two certificates issued from R3, one of them is called a precertificate, or precert, which is for Certificate Transparency, or CT. In a precert you'll see the following text.

CT Precertificate Poison: critical
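
As an added example (not from anyone in this thread, and not Let's Encrypt or crt.sh code), the following pure-Python script shows the check described above: a precertificate is recognised by its critical CT Precertificate Poison extension (OID 1.3.6.1.4.1.11129.2.4.3, RFC 6962), while the final leaf certificate instead carries the embedded SCT list (OID 1.3.6.1.4.1.11129.2.4.2). The DER reader walks any real certificate (for instance a PEM downloaded from crt.sh, fed through `pem_to_der`); the small DER writer and the two fixtures it builds are constructed, unsigned certificate skeletons used only so the script runs offline, and all function names are my own.

```python
# Added example (not from the original thread): tell a CT precertificate from
# the issued leaf by parsing the X.509 extensions in pure Python.
import base64

# CT-related extension OIDs from RFC 6962 (real values):
PRECERT_POISON = "1.3.6.1.4.1.11129.2.4.3"   # present (critical) only in precerts
EMBEDDED_SCTS = "1.3.6.1.4.1.11129.2.4.2"    # SCT list embedded in the final leaf

# --- minimal DER reader (tags used in X.509 all fit in one byte) ---------------
def read_tlv(buf, pos):
    """Return (tag, value_bytes, position_after) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split the content of a constructed type into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    """Decode OID content bytes (without tag/length) to dotted form."""
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:                     # last byte of this arc
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def extension_oids(cert_der):
    """OIDs of all extensions in a DER certificate (tbsCertificate [3] Extensions)."""
    _, cert_body, _ = read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    _, tbs_body = children(cert_body)[0]               # first element: tbsCertificate
    for tag, val in children(tbs_body):
        if tag == 0xA3:                                # [3] EXPLICIT Extensions
            _, ext_seq = children(val)[0]              # SEQUENCE OF Extension
            return [decode_oid(children(ext)[0][1]) for _, ext in children(ext_seq)]
    return []

def classify(cert_der):
    """'precertificate' if poisoned, else whether the leaf has embedded SCTs."""
    oids = extension_oids(cert_der)
    if PRECERT_POISON in oids:
        return "precertificate"
    if EMBEDDED_SCTS in oids:
        return "leaf-with-scts"
    return "no-ct-extensions"

def pem_to_der(pem_text):
    """Strip PEM armour (e.g. a crt.sh download) and return the DER bytes."""
    b64 = "".join(l for l in pem_text.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(b64)

# --- minimal DER writer, used only to build constructed test fixtures ----------
def tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                              # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_fixture(extensions):
    """Constructed, unsigned certificate skeleton with (oid, critical, value) extensions.
    Shaped like a real certificate for the parser, but NOT a valid or trusted cert."""
    sha256_rsa = tlv(0x30, encode_oid("1.2.840.113549.1.1.11"))
    exts = b"".join(tlv(0x30, encode_oid(oid) + (tlv(0x01, b"\xff") if critical else b"")
                        + tlv(0x04, value)) for oid, critical, value in extensions)
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                 # [0] version v3
              + tlv(0x02, b"\x01")                          # serialNumber
              + sha256_rsa                                  # signature algorithm
              + tlv(0x30, b"")                              # issuer (placeholder Name)
              + tlv(0x30, tlv(0x17, b"230101000000Z") + tlv(0x17, b"230401000000Z"))
              + tlv(0x30, b"")                              # subject (placeholder Name)
              + tlv(0x30, b"")                              # subjectPublicKeyInfo (placeholder)
              + tlv(0xA3, tlv(0x30, exts)))                 # [3] extensions
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00"))

# Constructed fixtures: the precert carries the critical poison, the leaf the SCT list.
PRECERT_FIXTURE = build_fixture([(PRECERT_POISON, True, b"\x05\x00")])
LEAF_FIXTURE = build_fixture([("2.5.29.17", False, b"\x30\x00"), (EMBEDDED_SCTS, False, b"\x04\x00")])

if __name__ == "__main__":
    for name, der in (("precert", PRECERT_FIXTURE), ("leaf", LEAF_FIXTURE)):
        print(name, "->", classify(der), extension_oids(der))
```

To check a real pair from crt.sh, download each entry as PEM and call `classify(pem_to_der(open(path).read()))`: the row with the poison is the precertificate logged before issuance, the one with the SCT list is the certificate actually served. Both share the same serial number, which is why they look like "two certificates for one domain".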

Welcome to the Let's Encrypt Community 🙂

In addition to the method @Phil mentioned, the second row of a certificate page on https://crt.sh will have either "Summary Precertificate" or "Summary Leaf certificate".

Google is made up of thousands of smaller development groups and they will have varying standards/processes between groups. I'm guessing this is a difference between Google Domains and Google Cloud. I wouldn't worry about it.

Have you, or any other admin, attempted to install an ACME client to obtain a cert for that name?
[perhaps there are multiple ACME clients at play - each seemingly capable of obtaining a cert]
[there appears to be a substantial time difference between the two certs (>19 hours)]

If you're using Google's "Firebase Hosting" product (which in turn uses Fastly who use Let's Encrypt), it could be explained by that.

I believe Firebase used to only provide a shared SSL certificate (with other customers' SANs) unless you were on a certain plan, because Fastly charged extra for dedicated non-shared certificates.

This is a guess, but maybe Firebase continue to generate both types of certificate, even if you are eligible for the dedicated one.

In any case I think it's a question to send to Google.

@Phil I use Google Firebase, let me tell you the whole thing. Google allows hosting static sites on their hosting platform, which I currently use as a file CDN service, as told above. Whenever I connect any custom domain to Google through A records, they generate an R3 certificate for my domain, which is seen for just 4 hours until they get 100 domains and generate their own GTS SSL. I asked their support about this, and I was told that this is how their whole (entire hosting) system works. I was surprised why they are wasting millions (maybe billions or quadrillions (probably not that many either)) of certificates if they have their own certification authority and they do generate SSLs for free.

As far as I know, they told me they have their own servers. I contacted their support, but they unknowingly closed my ticket. They just told me that the support staff can't change the protocols for the system which powers millions of websites and generates 500 SSLs a day (SAN of 100 domains), and after this they closed the ticket.

We've seen a lot of confusion around here with Firebase's practices. In particular, people tend to become rather alarmed when a completely unrelated domain name appears as the common name (CN) on their certificate.

Hmm, that's if they don't know SAN and common name.

But my topic is very different. Practically, it's a wastage of certificates in my terms,
which Google doesn't care about at all (but I care :))

The problem is that one of the SANs (usually at random) becomes the common name field. Personally, I am all for certificate displays just omitting the (obsolete) common name field altogether and just listing the SANs directly at the top.

It seems pretty pointless to create trusted certificates temporarily just to throw them away.

This is what I am speaking of, you get it now.

This practice seems rather abusive of Let's Encrypt's resources. Any thoughts on this @JamesLE and @Phil?

I worry about this, but never thought much about it because of giant Google and small people.
But in terms of valid resources, it's really bad, a very, very bad idea what Google is doing right now @lestaff

Please take a look into it

I already tagged two of them specifically who have been around recently tonight. 🙂

Whoops... I didn't notice that.

No worries. Give them time. For being a very small team, they're surprisingly fleet and responsive. It is Friday night though and they've had a busy week, so please be patient.
