therootcompany / greenlock-express.js

Free SSL and Automatic HTTPS (ACME / Let's Encrypt v2 client) for node.js with Express, Connect, and other middleware systems
https://greenlock.domains
Mozilla Public License 2.0

Is there a limitation to the amount of domains you can configure? #6

Closed KenEucker closed 3 years ago

KenEucker commented 3 years ago

I have an express server running greenlock-express and I have noticed that as I have increased the number of subdomains that I intend to support, I get an error:

Error cert_issue: | Cannot read property 'children' of undefined, which points to line 305 in the file node_modules/@root/csr/csr.js.

I think that the number of domains I am attempting to register is the only factor in the creation of this error.

coolaj86 commented 3 years ago

I think 100 is the Let's Encrypt limit. Shouldn't affect the CSR lib though.

Have you hit this multiple times, or just once?

KenEucker commented 3 years ago

I have been debugging this issue for several weeks now and finally determined what changed in my environment is just the number of domains. I might try to isolate it to an exact number.

KenEucker commented 3 years ago

Am I doing this wrong? Should I be using a wildcard? Can I support hundreds of subdomains on a single host with wildcards?

coolaj86 commented 3 years ago

What's your use case?

If you're a webhost, then you should submit your domain to the PSL (Public Suffix List). Generally it's better to have hundreds of certificates than try to put hundreds of domains on each certificate.

The idea behind multiple domains per certificate is usually for related services hosted on the same IP address where you want to reduce the latency of the TLS connection - such as hosting api.example.com, assets.example.com, www.example.com, and example.com all from the same cert.

If you're trying to create sub-domains for accounts or client devices, then you should probably be chunking out certificates scoped to the customer.

KenEucker commented 3 years ago

@coolaj86 my use case is that I have a couple of domains pointed at one server, with a growing number of new subdomains underneath each of those domains. The goal is to support the branching off and separation of some of these domains to other servers in the future, but, at the moment it's a single server serving more than 50 subdomains under each host and two host domains.

biketag.org portland.biketag.org seattle.biketag.org etc...

AND

biketag.us portland.biketag.us seattle.biketag.us etc...

A wildcard of *.biketag.org and *.biketag.us would work, I suppose, for now. That would make it impossible to separate the individual subdomains to separate servers in the future, but for now I have to address this issue and allow the site to grow.

coolaj86 commented 3 years ago

You can use *.biketag.org biketag.org *.biketag.us biketag.us on as many servers as you like with greenlock and then route the DNS as you see fit.

There's no limitation such that, because one server handling these dozen domains already uses a wildcard, another server can't also use a wildcard for its (same or) different domains.
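As an added Node.js example (not code from greenlock-express or from this thread), here is the certificate planning the two answers above describe: either one wildcard certificate per registered domain, or explicit per-host names chunked so no single certificate carries more than the 100-name limit quoted above. The 100 figure, the two-label "registered domain" rule and the host list are assumptions for the sake of the example.

```javascript
// Constructed example: plan ACME certificate requests for a list of hostnames.
// MAX_NAMES_PER_CERT is the Let's Encrypt per-certificate limit as quoted in
// the thread; verify it against the CA's current rate-limit docs before relying on it.
const MAX_NAMES_PER_CERT = 100;

// Registered domain = last two labels. Assumption: no multi-label public
// suffixes (co.uk etc.) among the inputs; use the PSL for those cases.
function registeredDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Group hostnames by registered domain, de-duplicating and lower-casing.
function groupByDomain(hosts) {
  const groups = new Map();
  for (const h of hosts) {
    const d = registeredDomain(h);
    if (!groups.has(d)) groups.set(d, new Set());
    groups.get(d).add(h.toLowerCase());
  }
  return groups;
}

// Wildcard plan: one cert per registered domain covering apex + *.apex.
// Wildcard names can only be validated with dns-01, never http-01, and
// *.example.com does not cover deeper names such as a.b.example.com.
function planWildcardCerts(hosts) {
  return [...groupByDomain(hosts).keys()].sort().map((d) => ({
    subject: d,
    altnames: [d, `*.${d}`],
    challenge: "dns-01",
  }));
}

// Per-host plan: explicit names only, chunked so no cert exceeds `limit`.
// The apex (if present) is placed first so it becomes the subject of chunk 0.
function planChunkedCerts(hosts, limit = MAX_NAMES_PER_CERT) {
  const certs = [];
  for (const [d, names] of groupByDomain(hosts)) {
    const sorted = [...names].sort((a, b) =>
      a === d ? -1 : b === d ? 1 : a.localeCompare(b)
    );
    for (let i = 0; i < sorted.length; i += limit) {
      const chunk = sorted.slice(i, i + limit);
      certs.push({ subject: chunk[0], altnames: chunk, challenge: "http-01" });
    }
  }
  return certs;
}
```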

KenEucker commented 3 years ago

@coolaj86 thank you so much for explaining this to me. I am going to close this issue as it is not what I originally thought was blocking me.

I look forward to implementing these wildcards, instead.

KenEucker commented 3 years ago

@coolaj86 I don't want to reopen this issue but I was wondering if you might be able to help me with the acme-dns-01-cli package. I am seeing this error:

bad challenge dns-01 module config{"options":{"debug": true}}

https://git.coolaj86.com/coolaj86/acme-dns-01-cli.js/issues/2