How to create a standard LetsEncrypt certificate to use with subdomains of Multisite?

Hi all, I have generated a certificate to use with the main domain of my network. As I use Multisite with subdomains, the other hosts will not use the same certificate. Is there any way to add more hosts to the certificate?

Also, if I want to install a new certificate to use with another subdomain which is mapped to a domain name, how can I generate a new certificate with Let's Encrypt to use for that domain name?

Thank you

  • Sajid

    Hi Pedro,
    Hope you are doing good today!

    According to the Let's Encrypt FAQ, it does not support wildcard subdomain SSL certificates. Please refer to the official Let's Encrypt FAQ page, section "Will Let's Encrypt issue wildcard certificates?":
    https://community.letsencrypt.org/t/frequently-asked-questions-faq/26

    I have also pinged Jenni, who wrote an article about SSL certificates by Let's Encrypt, to get her invaluable feedback on this matter as well.

    For a mapped domain, you need to get another SSL certificate for that specific domain, or you can also use a single/same certificate for multiple domains via the SAN method.

    See the "Can I get a certificate for multiple domain names (SAN certificates)?" section in Let's Encrypt's official FAQ page here:
    https://community.letsencrypt.org/t/frequently-asked-questions-faq/26

    Take care and have a nice day :slight_smile:

    Best Regards,
    Sajid

  • Jenni McKinnon

    Hey Pedro,

    Before I wrote the article on Let's Encrypt, I chatted with them and they let me know that they do not offer wildcard SSL certificates.

    The idea is that you can get as many standard certificates as you want so wildcard certificates aren't really necessary, though, they may look at doing it in the future.

    If you would like to use domain mapping with Multisite and use Let's Encrypt certificates, you would need to use an SNI (Server Name Indication) because you would otherwise need a dedicated IP address for each domain which isn't supported for Multisite. An SNI would take care of that.

    Here are some links with a bit more info:

    https://en.m.wikipedia.org/wiki/Server_Name_Indication

    https://pressable.com/blog/2016/01/14/better-ssl-encrye-indication-sni/

    https://mediatemple.net/community/products/dv/204643720/hosting-multiple-ssl-certificates-on-a-single-ip-address-with-sni

    Let us know if you have any more questions. :slight_smile:

    Cheers,

    Jenni

    • Pedro

      Hi Jenni, I have my server set up with SNI, which isn't a problem. I already have Let's Encrypt and certbot installed on the server and have some domains using Let's Encrypt, but for Multisite I can't properly set up or add subdomain hosts to the certificate.

      I have crawled the web in hope of seeing if there were ways of adding the subdomains to the certificate, and I have also read the article about wildcards not being in Let's Encrypt's plans... but as you said Let's Encrypt will support wildcards in the future, that is awesome :slight_smile:.

      Also, I have read somewhere that it's possible to add only 100 subdomains on the same certificate of the main domain, but I don't know how to generate the certificate to add more subdomains into it.

      It would be great if you could provide some articles explaining it :smiley: :slight_smile:

      Thank you very much and regards

  • Daniel

    Take a look at this thread in the LE forum:
    https://community.letsencrypt.org/t/support-for-sub-domains-and-wildcard-certificates/17067

    They recommend this: https://github.com/xenolf/lego

    "I want to know if LetsEncrypt allows me to cover this domain and sub-domains?
    For example, http://www.simonbell.com, mail.simonbell.com, docs.simonbell.com?

    Yes, you can get certificates for any subdomain combination. Note that you will have to pass the domain ownership challenge for each domain separately (i.e. passing the ownership challenge for simonbell.com does not automatically allow you to get certificates for any subdomain of simonbell.com). For internal servers that do not have a publicly accessible IP address, your best bet is probably the DNS-01 challenge type, which lets you verify domain ownership using a TXT record with a challenge token.

    Certbot currently does not support this challenge type. My personal recommendation would be lego, as it has good documentation and a lot of available integration plugins for various DNS providers, allowing you to automate this challenge type. A number of other clients, such as the bash clients, support DNS-based challenges as well."

    "Can LetsEncrypt handle two level sub-domain? For example, venture1.sales.simonbell.com, venture2.sales.simonbell.com.

    There are no limitations as to the "depth" of the domains included in your certificate - this should work. As long as you know the list of (sub)domains ahead of time, and you don't need too many different domains covered, Let's Encrypt would be fine for your use-case.

    Some of the limits you should be aware of:

    You can have up to 100 different FQDNs on the same certificate. As an example, you could have one certificate covering all domains from venture1.sales.simonbell.com to venture100.sales.simonbell.com.
    You can get up to 20 certificates per week per registered domain (that would be simonbell.com in your example, so the TLD plus one DNS label). To pick up the previous example, you could get 20 certificates with 100 FQDNs per certificate, covering venture1.sales.simonbell.com...venture2000.sales.simonbell.com in one week. Renewals do not count towards that limit, so in the following week you could add another 2,000 FQDNs."
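    One way to turn a Multisite host list into SAN certificate requests that stay within the 100-names-per-certificate limit quoted above, as an added example that is not from the thread or from certbot's own documentation. It assumes a webroot path and a hostnames file (one FQDN per line), and uses certbot's real `certonly`, `--webroot`, `-w`, `-d` and `--expand` options; `--expand` is what merges new hosts into the existing main-domain certificate instead of creating a duplicate lineage.

```shell
#!/bin/sh
# Constructed example: plan certbot runs for a list of Multisite hostnames.
# Assumptions (not from the thread): webroot is /var/www/html, hostnames
# are listed one per line in a file, blank lines and '#' comments allowed.

WEBROOT=/var/www/html   # assumption: where certbot places HTTP-01 tokens
MAX_NAMES=100           # per-certificate FQDN limit cited in the LE forum

# Read hostnames from stdin and print them as "-d host" arguments.
# Fails (non-zero) if more than MAX_NAMES names are given, so a single
# oversized request is caught before certbot is ever invoked.
build_domain_args() {
    count=0
    args=""
    while IFS= read -r host; do
        case "$host" in ''|'#'*) continue ;; esac
        count=$((count + 1))
        if [ "$count" -gt "$MAX_NAMES" ]; then
            echo "more than $MAX_NAMES names; split the list" >&2
            return 1
        fi
        args="$args -d $host"
    done
    printf '%s\n' "${args# }"
}

# Split the list into chunks of at most MAX_NAMES and print one certbot
# command per chunk. --expand replaces an existing certificate whose names
# are a subset of the requested ones, which is how extra subdomains get
# added to the main-domain certificate. Commands are printed, not executed.
plan_certbot_runs() {
    listfile=$1
    grep -v '^[[:space:]]*$' "$listfile" | grep -v '^#' |
        split -l "$MAX_NAMES" - "$listfile.chunk."
    for chunk in "$listfile".chunk.*; do
        [ -e "$chunk" ] || continue
        printf 'certbot certonly --webroot -w %s --expand %s\n' \
            "$WEBROOT" "$(build_domain_args < "$chunk")"
    done
    rm -f "$listfile".chunk.*
}
```

Pipe the printed commands into `sh` only after reviewing them; the 20-certificates-per-week limit quoted above applies per registered domain, so a list that produces many chunks may need to be spread over several weeks.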
