I'm wondering if there is a limit to how many wildcard certificates you can generate per host.
Example: Web Services *.domain.uk, Mail Server *.domain.uk that covers all subdomains on the Load Balancers, and a Mail wildcard that serves smtp.domain.uk, imap.domain.uk, mail.domain.uk.
In theory, is there a limit on wildcard certificates for one given domain? A wildcard for the Load Balancers & a wildcard for the Mail Services, or not? Or would it be better to serve a separate SSL certificate on the mail side for smtp, imap and mail?
If you are going to independently generate a new identical cert at each system, then you can only get 5 per week.
If the certs will somehow contain unique names, then 50 per week.
Note: Each cert can contain up to 100 SAN entries.
If you are going to exceed any of those limits, I would recommend that you look into obtaining fewer certs and a secure method of sharing them between nearby/similar systems.
Web Services SSL certs are handled by two Load Balancers; the wildcard certificates will be handled on the Load Balancers.
Mail Services will have an SSL certificate on the backend for SMTP 587 & 993. The question is: can I have two wildcard certificates, on both Load Balancers as well as the backend Mail Servers (mx1, mx2)?
The reason I ask: I have configured BIND9 to allow domain.uk & *.domain.uk, which works perfectly fine, but the issue I have is that I am trying to figure out how to add support for subdomains within the /var/lib/bind/db._acme-challenge.domain.uk zone. When I try to generate an SSL certificate for subdomains I get a SERVFAIL.
Ideally I want a wildcard on the Load Balancers to serve services with a wildcard, and an SSL certificate on the mail server side for smtp.domain.uk, imap.domain.uk and mail.domain.uk, but I can't seem to figure out how to add subdomains to the zone. The API with BIND works for generating wildcard SSL certs and subdomains, so I know it's not that.
Here is an example of the zone I have; this works perfectly fine for generating certificates for domain.uk & *.domain.uk.
$ORIGIN _acme-challenge.domain.uk.
$TTL 43200 ; 12 hours
@       IN SOA ns1.domain.uk. noc.domain.uk. (
                2025012606 ; serial
                28800      ; refresh (8 hours)
                7200       ; retry (2 hours)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
        IN NS  ns1.domain.uk.
        IN NS  ns2.domain.uk.
So I then added the following to the zone for the subdomain, but it still doesn't seem to work.
$ORIGIN _acme-challenge.domain.uk.
$TTL 43200 ; 12 hours
@       IN SOA ns1.domain.uk. noc.domain.uk. (
                2025012606 ; serial
                28800      ; refresh (8 hours)
                7200       ; retry (2 hours)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
        IN NS  ns1.domain.uk.
        IN NS  ns2.domain.uk.
; relative owner, so with this $ORIGIN this is smtp._acme-challenge.domain.uk.
smtp    IN TXT ""
I've got it partially working, but not with subdomains.
I need SSL for both Load Balancers and Mail Servers. The issue is that the domain.uk & *.domain.uk wildcard works fine; I can also generate domain.uk without *.domain.uk, which also works.
When trying to generate a certificate for subdomains, i.e. smtp.domain.uk & imap.domain.uk for example, it fails: although certbot is able to use the API to create the jnl file, it fails with SERVFAIL.
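As an added illustration (not code from the thread or from certbot), RFC 8555 section 8.4 defines DNS-01 validation as a TXT lookup at `_acme-challenge.` prepended to the identifier, with the leading `*.` removed for a wildcard. So domain.uk and *.domain.uk both validate at `_acme-challenge.domain.uk`, the apex of the delegated zone shown above, while smtp.domain.uk validates at `_acme-challenge.smtp.domain.uk`, a name that lives in the parent domain.uk zone rather than under the delegated one. The script below computes the validation name for a list of identifiers and, where that name falls outside the delegated zone, emits the CNAME the parent zone would need to steer validation into it (the usual CNAME-delegation pattern, which Let's Encrypt follows; whether a given ACME client writes its TXT record at the CNAME target rather than the original name is client-specific). The domain names are the thread's placeholders, the delegated-zone layout is assumed to match the zone file above, and no DNS queries are made.

```python
"""Map ACME identifiers to the DNS-01 validation name and plan CNAMEs.

Added example, not from the original thread. Assumes the delegated
zone is _acme-challenge.<parent> as in the posted BIND zone file.
"""


def challenge_name(identifier: str) -> str:
    """Return the FQDN (trailing dot) the CA queries for DNS-01 TXT.

    RFC 8555 section 8.4: prepend "_acme-challenge." to the identifier;
    for a wildcard identifier the leading "*." is dropped first.
    """
    name = identifier.strip().rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    return f"_acme-challenge.{name}."


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or a label-aligned descendant of it."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def plan_records(identifiers, parent: str = "domain.uk") -> dict:
    """For each identifier decide where the TXT update must land.

    Returns {identifier: {"challenge", "update_target", "cname"}}.
    update_target is the name the dynamic-update client must write to;
    cname is the record the parent zone needs, or None if none is needed.
    """
    parent = parent.rstrip(".").lower()
    delegated = f"_acme-challenge.{parent}."          # the delegated zone apex
    plan = {}
    for ident in identifiers:
        chal = challenge_name(ident)
        bare = chal[len("_acme-challenge."):].rstrip(".")  # identifier sans "*."
        if not in_zone(bare, parent):
            # Not under this parent at all; nothing in our zones can serve it.
            plan[ident] = {"challenge": chal, "update_target": None, "cname": None}
        elif in_zone(chal, delegated):
            # domain.uk and *.domain.uk: the name is already in the delegated zone.
            plan[ident] = {"challenge": chal, "update_target": chal, "cname": None}
        else:
            # smtp.domain.uk -> _acme-challenge.smtp.domain.uk. is in the parent
            # zone; point it at a unique label inside the delegated zone.
            host = bare[: -len("." + parent)]             # e.g. "smtp"
            target = f"{host}.{delegated}"                # smtp._acme-challenge.domain.uk.
            plan[ident] = {
                "challenge": chal,
                "update_target": target,
                "cname": f"{chal} IN CNAME {target}",
            }
    return plan


if __name__ == "__main__":
    wanted = ["domain.uk", "*.domain.uk", "smtp.domain.uk", "imap.domain.uk"]
    for ident, rec in plan_records(wanted).items():
        print(f"{ident:16} validates at {rec['challenge']}")
        if rec["cname"]:
            print(f"{'':16} parent zone needs: {rec['cname']}")
```

The record for smtp.domain.uk in the planner's output (`_acme-challenge.smtp.domain.uk. IN CNAME smtp._acme-challenge.domain.uk.`) belongs in the domain.uk zone, and the dynamic update then has to write the TXT at the CNAME target inside the delegated zone, which is the name the posted `smtp IN TXT ""` line already occupies.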
If your web services and mail server both use a certificate for *.domain.uk, they could use the same certificate; strictly speaking there is no need to issue the same cert twice.
Your question regarding failing issuance for specific subdomains is a separate one from your "wildcard certificate limit", which is no different from any other rate limit.
Mail server and Web Services can't share the same certificate due to mail clients using SMTP 587 & IMAP 993, unless you proxy Mail Services, which I am avoiding.
The issue I am having is that domain.uk & *.domain.uk work, but when trying to generate an SSL cert for smtp.domain.uk, for example, it fails. Not only that, mail exchangers 1 and 2 live in two different locations for failover for our business.
I don't understand. Why can't they share a certificate? I can perfectly point my Apache webserver, my Dovecot IMAP server AND my Postfix SMTP server to the same certificate and private key on my server. Even if these services are on separate physical servers, one can distribute the same certificate to those servers. Ports are not relevant for certificates in any way.
This can be marked as solved now. I have done some more testing with staging certificates and solved the problems with SSL certificates for subdomains and BIND.