by LeonM 2628 days ago
Is there still a valid use-case for wildcard certificates when using Let's Encrypt? AFAIK wildcards were used for financial reasons and laziness (since the traditional method of acquiring a cert was cumbersome), but with LE none of those arguments make sense.

Why not just fetch a different cert for every subdomain you use? It's also better security practice, as this allows you to use a different key per subdomain and gives you the possibility of revoking bad or unused certs.

5 comments

LE rate limits[1] can be a hassle in large environments. Their solution is SAN certs which are IMHO only mildly better than wildcards.

1. https://letsencrypt.org/docs/rate-limits/

I did not know about that, thanks for sharing that information!
It's needed if you use a subdomain for each user, like for example Tumblr does.
I have servers that are firewalled off from the wider internet, or indeed not even reachable (RFC 1918 IPs).

I could get around it by hosting split DNS, but that's quite messy.

Even on those that are reachable I’d have to carve out port 80 and forward it somewhere else to do the cert generation.

Another option would be dynamic server names - where the host part contains a lot of information (or no info)

https://gafjsisi.slashdot.org I suspect has never been loaded before today. It seems to work from my phone so I assume it’s a wildcard cert

Also, if you own a very large number of subdomains (say > 100), you want to minimize the number of certificates you have to manage, for easier maintenance and renewal.
I don't agree on this one. The whole point of the ACME protocol is that it allows for automated certificate management. Thus, it shouldn't matter if you manage 1 or 10,000 subdomains, because you should automate it anyway.

Also, if for some reason the automated process fails, I'd rather have one subdomain go down, than all of them.

You do have rate limits, so if you need to spin up a lot of subdomains you won't really have a choice
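The comment above about firewalled and RFC 1918 hosts comes down to which ACME challenge type the client uses: HTTP-01 requires the CA to reach port 80 on the host, while DNS-01 only requires a public TXT record (and is the only challenge Let's Encrypt accepts for wildcard names). The following is an added example, not code from the thread or from any ACME client; it derives what a client must publish for each challenge type per RFC 8555 section 8 and the RFC 7638 JWK thumbprint, and it assumes the Let's Encrypt CA follows those RFCs. The account key and token are constructed placeholders, not real key material.

```python
"""Derive the ACME HTTP-01 and DNS-01 challenge responses for a host.

Added example (not from the thread). Assumes RFC 8555 section 8 for the
challenges and RFC 7638 for the account-key thumbprint. The sample JWK and
token below are constructed placeholders, not a real key or a real token.
"""
import base64
import hashlib
import json
import re

# Constructed sample account key (EC P-256 shape, but the coordinates are
# arbitrary base64url strings, not a real public key).
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
}
# Constructed sample challenge token (a real CA issues these per authorization).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# RFC 7638: only these members, sorted lexicographically, go into the
# thumbprint. Optional members such as alg, kid or use are ignored, so a
# client that hashes the whole JWK as received would compute the wrong value.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}

# RFC 8555 section 8.3: tokens are base64url with no padding. A client must
# check this before serving a file named after the token, or a hostile CA
# (or a spoofed one) could hand it "../../something" as a token.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members (sorted keys, no whitespace), base64url-encoded."""
    kty = jwk["kty"]
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported key type {kty!r}")
    canonical = {k: jwk[k] for k in REQUIRED_MEMBERS[kty]}  # KeyError if one is missing
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(encoded).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint, binding the challenge to
    the account key so another account cannot replay the token."""
    if not _TOKEN_RE.match(token):
        raise ValueError("token contains characters outside the base64url alphabet")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple[str, str]:
    """HTTP-01: the CA fetches http://<host><path> on port 80 and expects
    exactly <body>. This is why the host must be reachable from the CA."""
    path = f"/.well-known/acme-challenge/{token}"
    return path, key_authorization(token, account_jwk)


def dns01_record(host: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """DNS-01: publish a TXT record; the CA never contacts the host itself,
    so firewalled or RFC 1918 hosts work as long as public DNS answers.
    For a wildcard, the record lives at the base name (no '*.' label)."""
    base = host[2:] if host.startswith("*.") else host
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("HTTP-01: serve", path, "with body", body)
    name, value = dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("DNS-01:  TXT", name, value)
```

The practical consequence for the split-DNS objection: only the `_acme-challenge` TXT record has to be publicly resolvable, not the host's A record, so an internal host can be validated by delegating that one name (for example with a CNAME to a zone the ACME client can update) without exposing port 80 or duplicating the rest of the zone.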