by creshal 3735 days ago
Until Let's Encrypt came around we've heavily depended on wildcard certificates (several domains with 100+ customer facing subdomains), so any other alternative would have been massively more expensive.

But with LE allowing scripted certificate generation, we're just moving to that instead.

How do you plan to get around LE's 5 subdomains per 7-day period limit? You can only get about 60 subdomains in theory, and that only if you stagger the registrations out carefully over three months and never make any mistakes.
If appropriate for your use case, you can get your domain added to the public suffix list [1]. Then the restrictions no longer apply.

This has side effects with browsers and cookies, so you wouldn't want to do it on a domain without understanding the impact.

[1]: https://github.com/publicsuffix/list/blob/master/public_suff...

P.S. In the unlikely event that someone involved is reading this, PLEASE make this a DNS attribute that is set on the top-level domain instead, in a TXT record perhaps. It's silly that we have to have a globally coordinated and distributed list for this data.

> P.S. In the unlikely event that someone involved is reading this, PLEASE make this a DNS attribute that is set on the top-level domain instead, in a TXT record perhaps. It's silly that we have to have a globally coordinated and distributed list for this data.

The Dbound WG [1] was working on this, but sadly didn't seem to get anywhere.

[1]: https://tools.ietf.org/wg/dbound/

You can get up to 100 SANs on one certificate, which will only increase your rate limit counter by one.

Works nicely if you have a (mostly) fixed list of subdomains, but becomes hard or impossible to manage if subdomains are dynamic.

You can get 100 subdomains per certificate; you're only limited to 5 certificates per domain per week.

That's largely sufficient for our use case, but we're still staggering renewal for certificates on our main domains. So far it's no problem because renewal is fully automated and we're leaving buffers.
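The public-suffix side effect discussed above (cookies no longer settable on a listed domain, each subdomain becoming its own registrable domain), as an added example that is not part of the thread: a minimal matcher implementing the list's prevailing-rule algorithm over a constructed PSL excerpt. The rule names `hosting.example` and all function names are assumptions made for the illustration.

```python
# Constructed PSL excerpt in the list's own format. "hosting.example" is an
# assumed stand-in for a multi-tenant domain added to the PRIVATE section.
SAMPLE_PSL = """
// ===BEGIN ICANN DOMAINS===
com
uk
*.uk
!parliament.uk
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
hosting.example
// ===END PRIVATE DOMAINS===
"""

def parse_psl(text):
    """Keep one rule per non-comment line (the list allows trailing text)."""
    return [l.split()[0] for l in text.splitlines()
            if l.strip() and not l.strip().startswith("//")]

def _rule_matches(rule_labels, host_labels):
    # A rule matches when the host ends with it; "*" matches any one label.
    return len(rule_labels) <= len(host_labels) and all(
        r in ("*", h) for r, h in zip(reversed(rule_labels), reversed(host_labels)))

def public_suffix(host, rules):
    """Prevailing-rule algorithm: exception wins, else longest match, else TLD."""
    labels = host.lower().rstrip(".").split(".")
    matched = [(r.startswith("!"), r.lstrip("!").split("."))
               for r in rules if _rule_matches(r.lstrip("!").split("."), labels)]
    exceptions = [rl for is_exc, rl in matched if is_exc]
    if exceptions:
        prevailing = exceptions[0][1:]          # exception: drop leftmost label
    elif matched:
        prevailing = max((rl for _, rl in matched), key=len)
    else:
        prevailing = labels[-1:]                # implicit "*" rule
    return ".".join(labels[-len(prevailing):])

def registrable_domain(host, rules):
    """Public suffix plus one label; None when host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])

def cookie_domain_allowed(host, cookie_domain, rules):
    """Browser-style check: Domain= must cover host and must not be a public suffix."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    covers = host == cookie_domain or host.endswith("." + cookie_domain)
    return covers and registrable_domain(cookie_domain, rules) is not None

RULES = parse_psl(SAMPLE_PSL)
```

Once `hosting.example` is on the list, a cookie scoped to `hosting.example` is rejected from `tenant1.hosting.example`, which is exactly the isolation (and the breakage of any shared-cookie login) to plan for before submitting the domain.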