5

Using Certbot to install an R3 Let's Encrypt certificate on an nginx webserver causes all the other domains in the nginx configuration to be included under "Subject Alternative Name" on the certificate. This is undesirable for my use case.

I read the man page here and some other Stack Exchange posts here and here.

Regarding the use of alternative names, the man page says (and I don't fully understand):

-d DOMAIN, --domains DOMAIN, --domain DOMAIN Domain names to apply. For multiple domains you can use multiple -d flags or enter a comma separated list of domains as a parameter. The first domain provided will be the subject CN of the certificate, and all domains will be Subject Alternative Names on the certificate. The first domain will also be used in some software user interfaces and as the file paths for the certificate and related material unless otherwise specified or you already have a certificate with the same name. In the case of a name collision it will append a number like 0001 to the file path name. (default: Ask)

How can I specify or omit the Subject Alternative Names entirely when using Certbot to install a Let's Encrypt certificate? If Certbot can't, is there a different way while still using R3 Let's Encrypt certificates?

Asked by Altimus Prime (edited by Peter Mortensen)
  • Pay attention to Let's Encrypt certificate issuance quotas in case you need to create a lot of individual certificates. The main limits are Certificates per Registered Domain (50 per week) and a maximum of 300 New Orders per account per 3 hours. https://letsencrypt.org/docs/rate-limits/ – John Hanley Oct 19 '21 at 19:43
  • Adding to @JohnHanley 's comment, ZeroSSL has no such rate limits - might be a good alternative to consider (in fact, it's the default CA for acme.sh since August). – iBug Oct 20 '21 at 19:30
  • @iBug - ZeroSSL is a nice service. However, you are limited to three SSL certificates per 90 days. You can upgrade to a paid account to remove that limitation. – John Hanley Oct 20 '21 at 19:40
  • @JohnHanley That limit does *not* apply when using ACME. – iBug Oct 20 '21 at 19:40
  • @iBug - thank you. I found a link that confirms your comment: https://zerossl.com/documentation/acme/ – John Hanley Oct 20 '21 at 19:45

1 Answer

19

You don't really want to omit the Subject Alternative Names. If you omit the SAN, no modern browser will accept your certificates as valid. If you don't want all domains in one certificate, just create them separately.

Answered by Gerald Schneider (edited by Altimus Prime)
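As an added example (not from the question, the answer, or Certbot's own documentation), the script below does what the answer suggests: it issues one certificate per site by handing Certbot an explicit -d list instead of letting it ask, and it checks which DNS names actually ended up in a certificate's SAN with openssl, so you can confirm nothing unexpected was pulled in from the nginx config. The domain names are placeholders, the certbot commands are printed rather than executed so the script runs anywhere, and make_demo_cert builds a constructed self-signed certificate (not a Let's Encrypt one) purely so the SAN check can be exercised offline.

```shell
#!/bin/sh
# Added example: one Certbot lineage per site, plus a SAN check with openssl.
# Domain names are placeholders; nothing here contacts Let's Encrypt.

# Print one certbot invocation per site. Each -d list is explicit, so only the
# names given here become SANs; --cert-name keeps each lineage in its own
# /etc/letsencrypt/live/<site>/ directory. Drop the 'echo' on the real server.
issue_separately() {
  for site in "$@"; do
    echo certbot --nginx --cert-name "$site" -d "$site" -d "www.$site"
  done
}

# Pull the DNS entries out of 'openssl x509 -text' output read from stdin,
# one name per line (the value line follows the extension header line).
_extract_san() {
  grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# SANs of a PEM certificate on disk, e.g. /etc/letsencrypt/live/<site>/cert.pem
san_names() {          # $1 = path to PEM certificate
  openssl x509 -in "$1" -noout -text | _extract_san
}

# SANs of the certificate a live server presents for a hostname (uses SNI;
# needs network access, so it is not exercised offline).
live_san_names() {     # $1 = hostname
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -text | _extract_san
}

# Constructed self-signed certificate with two SANs, only so the check above
# can run without a CA. Not a Let's Encrypt certificate.
make_demo_cert() {     # $1 = output directory; writes key.pem and cert.pem
  cat > "$1/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = example.test
[v3]
subjectAltName = DNS:example.test, DNS:www.example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/san.cnf" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo: the two commands you would run for two separate sites.
issue_separately example.com example.net
# After issuance, confirm the SAN list per lineage with, e.g.:
#   san_names /etc/letsencrypt/live/example.com/cert.pem
```

With an explicit -d list Certbot does not fall back to the "(default: Ask)" behaviour from the man page excerpt, so the nginx server_name entries of other sites are never offered. Running `certbot certificates` afterwards lists each lineage and its domains, which is a quick way to verify the split. Keep the rate-limit comment above in mind: separate lineages mean separate orders and separate renewals.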