Let's Encrypt: Be able to secure a domain with 100+ domain aliases by splitting the domain aliases in multiple certificates, instead of one
A domain in Plesk has 100+ domain aliases.
Currently, when securing this domain and all its aliases with a Let's Encrypt certificate, the procedure fails due to a Let's Encrypt rate limit of 100 names per certificate.
Use case:
Domain in Plesk is a multisite.
One installation is facilitating a lot of websites, running from the same core-CMS.
All the sites on this multisite need to point to the same installation and the domain alias is the only solution to do so.
It is these domain aliases that should be secured with a Let's Encrypt certificate.
-
mn commented
I did some further research and it seems IIS can do it if you use IIS Centralized SSL Certificate Support.
And I see that Plesk supports this feature, so we would just need more info on what the Plesk behavior would be when using an alias.
As I understand the IIS feature, when using aliases each alias would need its own file in the centralized store, so will Plesk create one certificate with many SANs and create a copy for each alias? Or will Plesk create a separate certificate for each alias?
-
mn commented
We have a domain with many aliases; over time we expect the list of aliases to grow.
Let's Encrypt creates one certificate for all aliases.
This creates two issues:
1. Some of the aliases are subdomains; when Let's Encrypt attempts to add www.subdomain.alias.com it fails (because there is a DNS entry only for subdomain.alias.com and not for www.subdomain.alias.com). Plesk shows the error and continues, but it's an extra error, and I have to check each time to make sure the errors are only the expected errors and not a new unexpected error.
2. Over time, as the list grows longer, the process will take longer and longer each time and eventually will reach the limit of 100 SANs per certificate. If we can do each alias as a separate certificate it would be easier.
(I understand it might not be possible for IIS to do that).
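Added example, not part of the original thread and not Plesk's or Let's Encrypt's code: a sketch of the split requested above, packing aliases into several SAN lists of at most 100 names and leaving out `www.` names with no DNS record so they do not produce the validation errors described in the comment. The function name, the `resolves` callback and the sample data are assumptions; a real run would back `resolves` with an actual DNS lookup.

```python
from typing import Callable, Iterable

# Names-per-certificate limit cited in the request above.
MAX_NAMES_PER_CERT = 100

def plan_certificates(aliases: Iterable[str], resolves: Callable[[str], bool],
                      limit: int = MAX_NAMES_PER_CERT):
    """Pack aliases into SAN lists of at most `limit` names each.

    An alias and its www. variant stay in the same certificate. Names that
    `resolves` rejects are returned separately instead of being requested.
    """
    if limit < 2:
        raise ValueError("limit must allow an alias plus its www. variant")
    batches, current, skipped, seen = [], [], [], set()
    for raw in aliases:
        alias = raw.strip().lower().rstrip(".")
        if not alias:
            continue
        candidates = [alias] if alias.startswith("www.") else [alias, "www." + alias]
        group = []
        for name in candidates:
            if name in seen:
                continue
            seen.add(name)
            (group if resolves(name) else skipped).append(name)
        # Start a new certificate rather than split an alias from its www. name.
        if current and len(current) + len(group) > limit:
            batches.append(current)
            current = []
        current.extend(group)
    if current:
        batches.append(current)
    return batches, skipped

# Constructed sample data: 60 aliases with www. records, one subdomain without.
SAMPLE_ALIASES = [f"site{i}.example" for i in range(1, 61)] + ["shop.brand.example"]
SAMPLE_DNS = {n for a in SAMPLE_ALIASES[:60] for n in (a, "www." + a)} | {"shop.brand.example"}

if __name__ == "__main__":
    certs, skipped = plan_certificates(SAMPLE_ALIASES, SAMPLE_DNS.__contains__)
    for i, sans in enumerate(certs, 1):
        print(f"certificate {i}: {len(sans)} names, first={sans[0]}, last={sans[-1]}")
    print("not requested (no DNS record):", skipped)
```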
-
Anonymous commented
Here -> If possible you can use a wildcard Certificate from Let's Encrypt: