ohadschn / letsencrypt-webapp-renewer

[PLEASE USE FREE MS MANAGED CERTS INSTEAD] Simple WebJob-ready console application for renewing Azure Web App SSL certificates
https://www.ohadsoft.com/
Apache License 2.0

Error creating new cert :: CSR contains more than 100 DNS names #77

Closed andrewgluh closed 5 years ago

andrewgluh commented 5 years ago

Hi,

I have just tried using release 0.9.6 (thanks for the update btw).

However after running for approx 20 minutes it continually gets the attached error. If you'd like the full log (approx 20MB), let me know and I can DM it to you.

ssl_renew_log_truncated.txt

ohadschn commented 5 years ago

It's not clear from your description - are you actually trying to issue a cert with more than 100 DNS names? If so, that's a Let's Encrypt limit. You can work around it by issuing multiple certs: https://github.com/ohadschn/letsencrypt-webapp-renewer#multiple-certificates-for-a-single-site.

If you aren't trying to issue a cert with more than 100 DNS names and you believe this to be a bug with the WebJob, the full log would indeed be a good start, maybe share via OneDrive or some file upload site (or maybe even attach here, not sure about GitHub limits).

andrewgluh commented 5 years ago

Hi Ohad,

Yes it was just a single domain name for the cert. I was able to downgrade to v0.8.5.1 and it worked successfully.

I will send you a DM with the full log.

Thanks!

ohadschn commented 5 years ago

(Replied via e-mail)

ohadschn commented 5 years ago

Updating our offline discussion here -

Looking at the first 10 lines of the log, it looks like you have indeed configured more than 100 domains for a single cert. The new version deals with host name renewals more intelligently, and the reason the old version worked was that it missed one of the domains you recently added (renewing all the domains except the new one). The new version however detected this and tried to create a new cert containing all of them, which failed as there were more than 100.

I recommend you use the groups feature to separate these into several certificates (see link in the GitHub issue) - even one per domain if you're so inclined. Simply have all the settings shared except hosts, which you can separate as you'd like. If you don't want to do this manually, modifying the configuration script to do it for you should be straightforward.

andrewgluh commented 5 years ago

Thanks Ohad, We appreciate the time you put into this code!

Yes, we have over 100 hostnames configured on the web app, however they all have individual certificates, which have worked well with this code up until release 0.9.6. The issues we see are:

The new logic works well when you have a small number of your own hostnames that you want to manage, but for those that want to manage their customer SSL renewals, this solution no longer works as it previously did.

I will look into the group feature, but this seems like it would need an overwhelming number of settings to give us a single cert per hostname.

A new setting to renew a single certificate per hostname would solve the issue (e.g. CreateCertificatePerHost). Is this something you could consider?

ohadschn commented 5 years ago

I will look into the group feature, but this seems like it would need an overwhelming number of settings to give us a single cert per hostname.

Which is why I suggested you modify the configuration script to automate it. To reiterate: I recommend you use the groups feature to separate these into several certificates (see link in the GitHub issue) - even one per domain if you're so inclined. Simply have all the settings shared except hosts, which you can separate as you'd like. If you don't want to do this manually, modifying the configuration script to do it for you should be straightforward.

So per host name you would only have a single setting that looks like webAppName[foo]-hosts = foo.com and you would append webAppName[foo] to letsencrypt:webApps.
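The per-host group layout described in the last comment, as an added example that is not the project's own configuration script: it emits one `webAppName[label]` group per host name, copies the shared settings into every group, appends each group to `letsencrypt:webApps`, and flags any group whose host list would exceed the 100-name CSR limit that produced the error in this issue. It assumes (not confirmed by this thread) that every setting carries the `letsencrypt:` prefix, that `letsencrypt:webApps` and `-hosts` values are semicolon-delimited, and that the group label is the host name with dots replaced by dashes; the shared-setting names and host names in the sample run are constructed.

```python
"""Generate one certificate group per host name for letsencrypt-webapp-renewer
app settings. Added example, not the project's configuration script.

Assumptions (not stated on the page): settings are prefixed "letsencrypt:",
letsencrypt:webApps and the -hosts value are semicolon-delimited, and the
group label is the host with dots replaced by dashes.
"""
from typing import Dict, Iterable

PREFIX = "letsencrypt:"
MAX_SAN_NAMES = 100  # Let's Encrypt limit quoted in the error in this issue


def group_label(web_app: str, host: str) -> str:
    """Group name in the webAppName[label] form used in the comment above."""
    return f"{web_app}[{host.replace('.', '-')}]"


def per_host_settings(web_app: str, hosts: Iterable[str],
                      shared: Dict[str, str]) -> Dict[str, str]:
    """Return app settings with exactly one certificate group per host.

    `shared` maps a setting suffix (e.g. "email") to the value every group
    should share; only "-hosts" differs between groups.
    """
    settings: Dict[str, str] = {}
    groups = []
    for host in hosts:
        group = group_label(web_app, host)
        groups.append(group)
        settings[f"{PREFIX}{group}-hosts"] = host
        for key, value in shared.items():
            settings[f"{PREFIX}{group}-{key}"] = value
    # Every group must be listed here or the renewer will not pick it up.
    settings[f"{PREFIX}webApps"] = ";".join(groups)
    return settings


def oversized_groups(settings: Dict[str, str],
                     limit: int = MAX_SAN_NAMES) -> Dict[str, int]:
    """Map group name -> host count for groups whose -hosts list exceeds
    the CSR name limit (these would fail exactly as reported in this issue)."""
    result: Dict[str, int] = {}
    for key, value in settings.items():
        if key.startswith(PREFIX) and key.endswith("-hosts"):
            count = len([h for h in value.split(";") if h.strip()])
            if count > limit:
                result[key[len(PREFIX):-len("-hosts")]] = count
    return result


if __name__ == "__main__":
    # Constructed sample input: two customer hosts and one shared setting.
    generated = per_host_settings(
        "mysite", ["foo.com", "bar.org"], {"email": "ops@example.com"})
    for k, v in generated.items():
        print(f"{k} = {v}")
    print("oversized:", oversized_groups(generated))
```

Run `oversized_groups` over the existing settings before deploying a new renewer release: a single group carrying more than 100 names is exactly the configuration the 0.9.6 logic now refuses. Keep credentials such as the client secret in the App Service settings or Key Vault rather than hard-coding them in the generator script.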