Wildcard Certificate limit 50 or 25 for domain + subdomain

Hello. Tell me please.
How many certificates per week can I create with the command
docker run --rm -v /tmp/certbot:/var/www/certbot -v /etc/letsencrypt:/etc/letsencrypt certbot/dns-route53 certonly --expand -n --dns-route53 --dns-route53-propagation-seconds 60 -d 'example.com' -d '*.example.com' -m ${EMAIL} --agree-tos --preferred-challenges dns

50 or 25?

Here's a link to the official rate limit documentation for reference.

It's hard to answer your question without clarifying what you mean. Are you running this command with the exact same set of example.com and *.example.com each time such that each run is creating a duplicate certificate? Or will each command be for a different domain? If they're different, are they different registered domains like example1.com, example2.net? Or are they different sub domains like sub1.example.com and sub2.example.com?

2 Likes

If the command will not change, then the certs will all be duplicates of each other and a rate limit of 5/week will be applied.
If the command will be changing and new, and different, domains will be used, then the rate limit would not apply, as the limits are based per domain or per exact same set of names.
But as provided by @rmbolger, there is a page with a more complete detailed explanation of all the rate limits.

On re-read it seems that you are trying to expand an existing cert by merely listing the new domain entries to add.
That is NOT how it would work.
When expanding a cert you would still have to list all the previous names AND also the new ones.

From the docs, I didn't understand the answer. Therefore, I wrote a question.
These will be subdomains.
Example of 2 requests

  1. docker run --rm -v /tmp/certbot:/var/www/certbot -v /etc/letsencrypt:/etc/letsencrypt certbot/dns-route53 certonly --expand -n --dns-route53 --dns-route53-propagation-seconds 60 -d 'sub1.example.com' -d '*.sub1.example.com' -m ${EMAIL} --agree-tos --preferred-challenges dns
  2. docker run --rm -v /tmp/certbot:/var/www/certbot -v /etc/letsencrypt:/etc/letsencrypt certbot/dns-route53 certonly --expand -n --dns-route53 --dns-route53-propagation-seconds 60 -d 'sub2.example.com' -d '*.sub2.example.com' -m ${EMAIL} --agree-tos --preferred-challenges dns
    ...
  3. docker run --rm -v /tmp/certbot:/var/www/certbot -v /etc/letsencrypt:/etc/letsencrypt certbot/dns-route53 certonly --expand -n --dns-route53 --dns-route53-propagation-seconds 60 -d 'sub50.example.com' -d '*.sub50.example.com' -m ${EMAIL} --agree-tos --preferred-challenges dns

50 or 25 per week?

I don't understand why you are using --expand.
You might be using it incorrectly.
Other than that...
It would be 50 certs/week/domain.
[each cert can have from 1 to 100 entries - it is still counted as 1 cert]

2 Likes
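A small planner, added here as an example (not code from the thread, from Certbot or from Let's Encrypt), that counts a week's planned certbot runs against the limits the replies cite: 50 certificates per registered domain per week, 5 duplicates of the same exact name set per week, and 100 names per certificate. It assumes the registered domain is the last two DNS labels, a simplification of the Public Suffix List rule, and all sample runs are constructed.

```python
from collections import Counter

# Limits as quoted in the replies above; confirm against the official
# rate-limit page, these values are not fetched live.
CERTS_PER_DOMAIN_PER_WEEK = 50   # per registered domain
DUPLICATES_PER_WEEK = 5          # identical set of names
MAX_NAMES_PER_CERT = 100         # SANs on one certificate


def registered_domain(name: str) -> str:
    """Registered domain of a SAN. Assumption: the last two DNS labels.
    This is a simplification; the real rule is eTLD+1 from the PSL."""
    labels = name.lower().lstrip("*.").rstrip(".").split(".")
    return ".".join(labels[-2:])


def name_set(names) -> tuple:
    """Normalise one certbot run's -d list to a canonical name set."""
    return tuple(sorted({n.lower().rstrip(".") for n in names}))


def plan_week(runs) -> dict:
    """runs: one iterable of -d names per planned certbot run this week.
    Returns the per-domain and per-name-set counters plus any violations."""
    per_domain, per_set, violations = Counter(), Counter(), []
    for idx, names in enumerate(runs, 1):
        ns = name_set(names)
        if len(ns) > MAX_NAMES_PER_CERT:
            violations.append(f"run {idx}: {len(ns)} names exceeds {MAX_NAMES_PER_CERT}")
        # One certificate counts once against each registered domain it covers,
        # however many names (1..100) it carries.
        for dom in {registered_domain(n) for n in ns}:
            per_domain[dom] += 1
        per_set[ns] += 1
    for dom, count in per_domain.items():
        if count > CERTS_PER_DOMAIN_PER_WEEK:
            violations.append(f"{dom}: {count} certs exceeds {CERTS_PER_DOMAIN_PER_WEEK}/week")
    for ns, count in per_set.items():
        if count > DUPLICATES_PER_WEEK:
            violations.append(f"{ns}: issued {count} times exceeds {DUPLICATES_PER_WEEK} duplicates/week")
    return {"per_domain": dict(per_domain), "duplicates": dict(per_set), "violations": violations}


def client_runs(n: int, base: str = "example.com"):
    """Constructed sample following the thread's pattern: one run per client."""
    return [[f"client{i}.{base}", f"*.client{i}.{base}"] for i in range(1, n + 1)]


if __name__ == "__main__":
    for total in (50, 51):
        print(total, "clients ->", plan_week(client_runs(total))["violations"])
```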

Now I have 4 certificates in the environment (root and another).
Running with --expand, I overwrite the existing certificate (root). Otherwise, a separate certificate is created using a new path.

You should use --cert-name for that.
That way it always uses the same cert name and path.

But if you are overwriting the previous cert, then only one subdomain will be secure at any given moment.

If you are going to change the cert more than 50 times per week...
Is this a test/lab?
If so, then you might want to use a test/lab domain, one that is already on the PSL.
Like many of the FREE DDNS domains.

No, it's prod.

Thank you. It was just embarrassing: -d 'sub1.example.com' -d '*.sub1.example.com'. I was worried about what could be considered 2 certificates.

I'm not familiar with such a use case.

It's prod but the subdomain name changes many times per week.
And presumably doesn't cycle back to any previous names...
It just keeps counting upwards...

How unique!

You will hit the 100 SANs (names) per certificate limit soon if you need to automate adding domains to a certificate.

We create clients.
client1.example.com, api.client1.example.com, sub.client1.example.com; certs -d client1.example.com -d *.client1.example.com
client2.example.com, api.client2.example.com, sub.client2.example.com; certs -d client2.example.com -d *.client2.example.com
....
clientN.example.com, api.clientN.example.com, sub.clientN.example.com; certs -d clientN.example.com -d *.clientN.example.com

I need to overwrite the already created clients who now have 4 certificates instead of a wildcard.
New clients don't need to overwrite anything.

That is, by creating certificates as I indicated, I can only create 100 certificates in general?
-d 'sub1.example.com' -d '*.sub1.example.com'
...
max -d 'sub100.example.com' -d '*.sub100.example.com'
?

OK, so you're trying to convert existing individual client certs to wildcard.
Assuming that all do contain the same base domain, the hard limit would be 50 conversions per week.

1 Like

No, 100 names in a single certificate, like https://1000-sans.badssl.com/ but with 100 names.

Please tell me. Will I be able to create a lot of certificates for domain (example.com) in this way? 500 or more?
-d 'sub1.example.com' -d '*.sub1.example.com'
...
-d 'sub500.example.com' -d '*.sub500.example.com'

Is there no limit to this?

There is no practical limit to how many you can create in total.
There are limits on how many per week.

1 Like

Yes, but slowly - 50/week maximum.

I suspect there is but I haven't found anyone to have reached it yet.

1 Like
