Wildcard and "Duplicate Certificate" Rate Limit


#1

Hello, I have been spending some time dealing with different problems between load balancers and SSL, so I’ve been very excited since the first announcement of wildcard support; that and the Cloudflare DNS plugin really made my life very, very easy.
However, I’d like to present my use case, in order to suggest an expansion of the “duplicate certificate” limit, in the specific case that the duplicate limit is reached by using the wildcard feature.

Originally I had the following diagram:

www.domain.com
vod.domain.com        
                    edge1.domain.com
                  /
origin.domain.com  
                  \
                    edge2.domain.com

Due to the increased usage, we have to upgrade our infrastructure as follows:

front1.domain.com \
                   www.domain.com
front2.domain.com /

vod1.domain.com   \
                   vod.domain.com
vod2.domain.com  /                   edge3.domain.com
                                    /  
                   edge1.domain.com -- edge4.domain.com
                 /                
source.domain.com                    edge5.domain.com
                 \                 /             
                   edge2.domain.com -- edge6.domain.com

Where www and vod are now load balancers, and we have multiple load balancers routing traffic to the edge servers.

As you can see, on the vod and the front servers we can use a simple cert pointing to the load balancers, but on the edge servers we need up to 6 (at this stage) wildcards.

I believe that I’m not alone in this problem, and of course we can wait for a week to get the missing wildcard, but I think that you could expand the criteria of duplicated certificates when using wildcards, because the natural use of wildcards could achieve the current limit very easily.


#2

Couldn’t you just add a unique, unused identifier name to each certificate, so they’re not considered duplicate anymore?


#3

Hello _ax, thanks for your answer.

I’ve tried it, but all the wildcards were requested with “domain.com” and “*.domain.com”,
and when I tried to add “anything.domain.com” it threw me an error about redundancy with the wildcard.


#4

Then you can just add a new / remove the base domain.

Thank you

(You don’t necessarily need the base domain if you aren’t deploying the cert on www & root)


#5

Oh yes, but maybe I didn’t explain my point.

My current problem is really easy to solve, as you said, by removing the base domain and of course waiting, but that is not the problem.

The problems will begin in a few months, when we need to duplicate or triplicate the quantity of servers.

But the solution could be to remove the redundancy check, so we can request
pairs like:

edge1.domain.com
*.domain.com

edge2.domain.com
*.domain.com

etc.


#6

Hi @Dat30,

You can’t, because *.domain.com covers the third-level domain, so LE will trigger the redundancy error; however, you can use a 4th-level domain, whatever.edge1.domain.com.

Cheers,
sahsanu


#7

I’ve just tested your suggestion, and it is perfect :smiley:
My install script will need just a little modification to generate
an aleatory 4th-level subdomain, but it definitely did the trick.

Many thanks.
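To make the workaround concrete, here is an added model of the two checks this thread runs into. It is example code written for this page, not Let's Encrypt's or Boulder's own code. It assumes two things the thread does not spell out: that the duplicate-certificate limit is 5 per 7-day window keyed on the exact set of names (the documented value at the time of writing, ignoring case and ordering), and that the "redundancy" check skips wildcard names and flags a non-wildcard name only when replacing its first label with `*` hits another name in the same request. The `simulate()` function issues six edge certificates both the original way (always `domain.com` + `*.domain.com`) and with a unique 4th-level label per edge, as sahsanu suggested, and returns how many of each would be accepted; `unique_label()` mirrors the random-subdomain step the install script now does.

```python
"""Model of the duplicate-certificate limit and the wildcard redundancy check.

Constructed example for illustration; not Let's Encrypt/Boulder code.
Assumptions (not stated in the thread): 5 certs per 7 days per exact name set,
and a wildcard matches exactly one label, so the redundancy check looks only at
a name's immediate parent.
"""
from __future__ import annotations

import secrets
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5                   # assumed: documented LE value, not from the thread
DUPLICATE_WINDOW = timedelta(days=7)  # assumed: documented LE window


def cert_key(names) -> tuple[str, ...]:
    """Identity the duplicate limit keys on: the exact set of names,
    case-insensitive and order-independent. Two requests with the same key
    count against the same bucket; one extra unique name gives a new bucket."""
    return tuple(sorted({n.strip().lower().rstrip(".") for n in names}))


def wildcard_covering(name: str) -> str:
    """The wildcard that would match `name`. A wildcard matches a single
    label, so only the immediate parent matters."""
    _, _, parent = name.partition(".")
    return "*." + parent


def redundant_names(names) -> set[str]:
    """Non-wildcard names already covered by a wildcard in the same request.

    This is what rejected anything.domain.com next to *.domain.com.
    whatever.edge1.domain.com sits two labels below domain.com, so *.domain.com
    does not cover it and the request goes through. Wildcard names themselves
    are skipped, so *.edge1.domain.com beside *.domain.com is also fine."""
    normalized = {n.strip().lower() for n in names}
    return {
        n for n in normalized
        if not n.startswith("*.") and wildcard_covering(n) in normalized
    }


def unique_label(edge_host: str) -> str:
    """Random 4th-level name under an edge host, e.g. 3f9a1c2e.edge1.domain.com.
    Adding it to the request changes cert_key() without being redundant."""
    return f"{secrets.token_hex(4)}.{edge_host}"


@dataclass
class DuplicateLimiter:
    """Sliding-window counter per cert_key; mirrors observed rate-limit
    behaviour only, not the real implementation."""
    limit: int = DUPLICATE_LIMIT
    window: timedelta = DUPLICATE_WINDOW
    issued: dict = field(default_factory=dict)

    def request(self, names, at: datetime) -> bool:
        """Return True if the certificate would be issued at time `at`.
        Raises ValueError for the redundancy error, which is checked first."""
        redundant = redundant_names(names)
        if redundant:
            raise ValueError(f"redundant with a wildcard: {sorted(redundant)}")
        history = self.issued.setdefault(cert_key(names), deque())
        while history and at - history[0] >= self.window:
            history.popleft()            # drop issuances outside the window
        if len(history) >= self.limit:
            return False                 # duplicate-certificate limit hit
        history.append(at)
        return True


def simulate(n_edges: int = 6) -> tuple[int, int]:
    """Issue one cert per edge server, one hour apart (constructed timeline).
    Returns (accepted with identical name sets, accepted with a unique label)."""
    t0 = datetime(2018, 3, 20, 9, 0)  # constructed start time
    naive, tagged = DuplicateLimiter(), DuplicateLimiter()
    naive_ok = tagged_ok = 0
    for i in range(n_edges):
        when = t0 + timedelta(hours=i)
        edge = f"edge{i + 1}.domain.com"
        # original approach: every edge asks for exactly the same two names
        naive_ok += naive.request(["domain.com", "*.domain.com"], when)
        # workaround: a unique 4th-level name makes each request a distinct set
        tagged_ok += tagged.request([unique_label(edge), "*.domain.com"], when)
    return naive_ok, tagged_ok


if __name__ == "__main__":
    print(redundant_names(["domain.com", "*.domain.com", "anything.domain.com"]))
    print(simulate(6))
```

The sixth identical request is the one that fails in the naive run, which is the "wait a week" situation from the first post; with a unique label every edge gets its own bucket, at the cost of one throwaway SAN per certificate.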


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.