by toupeira 3795 days ago
This uses LetsEncrypt which doesn't support wildcard certificates yet:

> Will Let’s Encrypt issue wildcard certificates?

> We currently have no plans to do so, but it is a possibility in the future. Hopefully wildcards aren’t necessary for the vast majority of our potential subscribers because it should be easy to get and manage certificates for all subdomains.

From https://community.letsencrypt.org/t/frequently-asked-questio...


Unfortunately, that doesn't work with dynamic subdomains (i.e., domains assigned and edited by users). Hopefully they'll change their minds in the future - until then, I'll be paying for a commercial certificate.
You could always script the letsencrypt API and generate a new certificate on each subdomain generation.
That's correct, however there are rather aggressive rate limits in place right now that would make this hard for your typical SaaS-on-a-subdomain deployment if you have more than ~5 new signups per week. Plus, if SAN support is a concern, wildcards are preferable too.
The rate limits[1] I see documented are 500 registrations per 3 hours. That's a lot more than ~5 new signups per week. More like ~16800 new signups per week, no?

[1] https://community.letsencrypt.org/t/rate-limits-for-lets-enc...

Certificates/Domain is the one that would affect this use-case the most. It's set to 5 certificates per domain per week. More specifically, it's certificates per TLD+1, so one certificate for customer1.example.com and one for customer2.example.com would put your rate limit for example.com at 2, thus limiting you to 5 signups per week unless you spread your SaaS over multiple TLD+1's.
Wildcards are important and LE should support them, but it will take perhaps some more work on the validation rules. Dynamic subdomains are powerful stuff, and even a real-time automated cert request is a poor substitute for just having the wildcard. If you're doing sub-domain per customer, the wildcard cert is definitely preferred particularly if you're proper multi-tenant all the way down the stack.
Ah, I didn't catch that this limit was applied to the TLD+1.

Weird, why allow a generous 500 registrations per 3 hours, while limiting certs per domain like this? Anyone have a link to anywhere that letsencrypt explains what they are trying to do here?

How do they define a TLD? What's, for example, .co.uk to them?
Oh that's a bummer, I was just looking into using this for a free service I made a while ago. Hopefully they'll bake in support at some point
Note that those are the current limits, but they have stated that they plan to raise them greatly in the future.
5 certs per domain name per week. I'm currently rate limited, I should be able to get my www covered in 6 days.
I almost went down this route, then realized I could avoid all this R&D and just pay $40 for a wildcard cert.
$40? I paid over $90 for mine. Can I ask where you got it from?
https://www.ssl2buy.com/alphassl-wildcard.php

Here's where I got mine, works great.

Nice! Bookmarked for next renewal. Thanks!
as mfkp said, that's where I got mine too.

Important though, for compatibility with Firefox and some other browsers, you'll need to copy the intermediate cert to the end of the cert file. It works fine with 2 certs in the file, just put the intermediate at the end.

Having only a half a dozen subdomains, with maybe another half a dozen being added per year (well below the limits), are there any advantages to using a wildcard cert vs. individual certs for the subdomains? In other words, any way to justify the extra $30/year for a wildcard cert?
If you're thinking you're going to use LE, there are rate limits which make individual certs for subdomains unreasonable.