ohadschn/letsencrypt-webapp-renewer

Error creating new cert :: CSR contains more than 100 DNS names

andrewgluh opened this issue · 6 comments

Hi,

I have just tried using release 0.9.6 (thanks for the update btw).

However, after running for approx. 20 minutes it continually gets the attached error.
If you'd like the full log (approx 20MB), let me know and I can DM it to you.

ssl_renew_log_truncated.txt

It's not clear from your description - are you actually trying to issue a cert with more than 100 DNS names? If so, that's a Let's Encrypt limit. You can work around it by issuing multiple certs: https://github.com/ohadschn/letsencrypt-webapp-renewer#multiple-certificates-for-a-single-site.

If you aren't trying to issue a cert with more than 100 DNS names and you believe this to be a bug with the WebJob, the full log would indeed be a good start, maybe share via OneDrive or some file upload site (or maybe even attach here, not sure about GitHub limits).

Hi Ohad,

Yes it was just a single domain name for the cert.
I was able to downgrade to v0.8.5.1 and it worked successfully.

I will send you a DM with the full log.

Thanks!

(Replied via e-mail)

Updating our offline discussion here -

Looking at the first 10 lines of the log, it looks like you have indeed configured more than 100 domains for a single cert. The new version deals with host name renewals more intelligently, and the reason the old version worked was that it missed one of the domains you recently added (renewing all the domains except the new one). The new version, however, detected this and tried to create a new cert containing all of them, which failed as there were more than 100.

I recommend you use the groups feature to separate these into several certificates (see link in the GitHub issue) - even one per domain if you're so inclined. Simply have all the settings shared except hosts, which you can separate as you'd like. If you don't want to do this manually, modifying the configuration script to do it for you should be straightforward.

Thanks Ohad,
We appreciate the time you put into this code!

Yes, we have over 100 hostnames configured on the web app; however, they all have individual certificates, which has worked well with this code up until release 0.9.6.
The issues we see are:

  • We only had a small number of certs that required renewing; however, the new logic seems to want to create a single certificate for all hostnames whether they need renewing or not. This is an unexpected change in behavior. (Previously we had to use the standard WebApp extension to initially create the cert. This created a single cert per host, and the renewals via your code were therefore always 1 per hostname.)
  • This change breaks the renewXNumberOfDaysBeforeExpiration setting, as all certificates are being renewed as soon as a new hostname is added to the list.
  • Creates a breach of privacy as it will allow anybody to see all our customer names via the SSL certificate.

The new logic works well when you have a small number of your own hostnames that you want to manage, but for those that want to manage their customer SSL renewals, this solution no longer works as it previously did.

I will look in to the group feature, but this seems like it would need an overwhelming number of settings to give us a single cert per hostname.

A new setting to renew a single certificate per hostname would solve the issue (e.g. CreateCertificatePerHost). Is this something you could consider?

I will look in to the group feature, but this seems like it would need an overwhelming number of settings to give us a single cert per hostname.

Which is why I suggested you modify the configuration script to automate it. To reiterate: I recommend you use the groups feature to separate these into several certificates (see link in the GitHub issue) - even one per domain if you're so inclined. Simply have all the settings shared except hosts, which you can separate as you'd like. If you don't want to do this manually, modifying the configuration script to do it for you should be straightforward.

So per host name you would only have a single setting that looks like webAppName[foo]-hosts = foo.com, and you would append webAppName[foo] to letsencrypt:webApps.
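The per-host layout Ohad describes is easy to generate rather than type out by hand. The script below is an added example written for this thread; it is not the project's own configuration script. It takes a web app name, its list of host names and the settings that should be shared, and emits one group per host (the `webAppName[foo]-hosts` / `letsencrypt:webApps` shape quoted above) so that each customer name gets its own certificate and no certificate ever carries another customer's name. It also generalizes to packing several names per group while staying under the 100-name limit that caused the error in this issue. The group-label sanitization, the comma separator in `letsencrypt:webApps`, the semicolon separator inside a `-hosts` value, and the `webAppName-setting` key shape for shared settings are assumptions of this example, not confirmed by the thread; check the project README before applying the output.

```python
"""Generate certificate groups for letsencrypt-webapp-renewer app settings.

Added example (not the project's script): each group carries only its own
`-hosts` value; every other setting stays on the web app, where the groups
share it, as described in the thread above.
"""
import re
from typing import Dict, Iterable, List

# Per-certificate DNS name limit enforced by Let's Encrypt (the limit hit in this issue).
LETS_ENCRYPT_MAX_NAMES = 100

# Assumptions: the WebJob list is comma-separated and a -hosts value is
# semicolon-separated. Verify both against the project README.
WEBAPPS_SEPARATOR = ","
HOSTS_SEPARATOR = ";"


def group_label(host: str) -> str:
    """Derive a group label from a host name.

    Assumption: labels are kept to [A-Za-z0-9_] so they sit safely inside the
    webAppName[label] syntax, e.g. "shop.example.com" -> "shop_example_com".
    """
    return re.sub(r"[^A-Za-z0-9]", "_", host)


def chunk(items: List[str], size: int) -> List[List[str]]:
    """Split a list into consecutive chunks of at most `size` items."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def build_group_settings(web_app: str, hosts: Iterable[str],
                         shared: Dict[str, str],
                         hosts_per_group: int = 1) -> Dict[str, str]:
    """Return app settings for `web_app` with `hosts_per_group` host names per certificate.

    hosts_per_group=1 gives one certificate per host name (the per-customer
    layout requested in the thread); larger values pack several names into one
    certificate while staying under the Let's Encrypt limit.
    """
    if not 1 <= hosts_per_group <= LETS_ENCRYPT_MAX_NAMES:
        raise ValueError(f"hosts_per_group must be between 1 and {LETS_ENCRYPT_MAX_NAMES}")

    host_list = [h.strip().lower() for h in hosts if h.strip()]
    seen, duplicates = set(), set()
    for h in host_list:
        (duplicates if h in seen else seen).add(h)
    if duplicates:
        raise ValueError(f"duplicate host names: {sorted(duplicates)}")

    settings: Dict[str, str] = {}
    # Shared settings live on the web app itself, not on each group.
    # Assumption: key shape is webAppName-setting; a deployment may also need
    # the letsencrypt: prefix on these keys.
    for key, value in shared.items():
        settings[f"{web_app}-{key}"] = value

    group_names: List[str] = []
    for index, group_hosts in enumerate(chunk(host_list, hosts_per_group), start=1):
        # One host per group: name the group after the host, as in webAppName[foo].
        # Several hosts per group: number the groups instead.
        label = group_label(group_hosts[0]) if hosts_per_group == 1 else f"group{index}"
        name = f"{web_app}[{label}]"
        group_names.append(name)
        settings[f"{name}-hosts"] = HOSTS_SEPARATOR.join(group_hosts)

    # The group names replace the bare web app name in the list the WebJob iterates.
    settings["letsencrypt:webApps"] = WEBAPPS_SEPARATOR.join(group_names)
    return settings


def certificate_count(settings: Dict[str, str]) -> int:
    """Number of certificates the WebJob will manage for these settings."""
    return len([g for g in settings["letsencrypt:webApps"].split(WEBAPPS_SEPARATOR) if g])


if __name__ == "__main__":
    # Constructed sample input: three customer host names plus the renewal
    # threshold setting named in the thread.
    demo = build_group_settings(
        "contoso-app",
        ["alpha.example", "beta.example", "gamma.example"],
        {"renewXNumberOfDaysBeforeExpiration": "30"},
    )
    for key, value in sorted(demo.items()):
        print(f"{key} = {value}")
```

With the default `hosts_per_group=1` the output is exactly the per-host pairing from the thread (`contoso-app[alpha_example]-hosts = alpha.example`, and so on), and the renewal threshold applies per certificate again because each certificate contains a single name. Pass `hosts_per_group=100` to get the fewest certificates that still respect the Let's Encrypt limit.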