It still might get annoying (for both sides) if you request thousands of them, + you might not want to publish a list of all valid ones. Example: The issue came up in relation to sandstorm.io, which uses (for security reasons) a subdomain for every document that exists on a server.
Perhaps I'm ignorant, but I don't see how the LE guys would be annoyed about thousands of requests for TLS certs from a single user. The system is automated, after all. :)
> + you might not want to publish a list of all valid ones.
I assume that you mention this to illustrate a scenario where certs with a bunch of SANs are not a solution to the problem? If you weren't, does LE do something like publishing a list of all of the domains for which they have issued certs?
> but I don't see how the LE guys would be annoyed about thousands of requests for TLS certs from a single user. The system is automated, after all. :)
We have to actually run a complicated server that does things with an external Hardware Security Module. CPU time, disk space, and bandwidth all cost money, and there's a finite amount of money we can spend on resources :)
Thus, rate-limits. That also helps keep latency low for most users, and prevents DDoSing.
I looked into it a while ago (it would be fine for me if it worked) but I think the problem I came up against was if I'm using virtual hosts in apache, I'm not sure I can use two different certs for a.mydomain.com and b.mydomain.com. If I'm wrong please tell me!
Yes you can, even on the same IP address with a technique called SNI. It's built into Apache and all common web browsers so you don't even have to worry about it.
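As an added example (not from the thread), this is what the name-based SSL virtual hosts look like in Apache 2.4, assuming the two hostnames from the question and made-up certificate paths:

```apache
# Added example, not from the thread: two name-based HTTPS virtual hosts on
# one IP, each with its own certificate. mod_ssl picks the certificate of the
# vhost whose ServerName matches the SNI hostname in the TLS ClientHello, so
# there is no separate "enable SNI" switch. Hostnames and paths are assumed.

Listen 80
Listen 443

# Port 80: the existing redirect-to-HTTPS vhosts stay as they are.
<VirtualHost *:80>
    ServerName a.mydomain.com
    Redirect permanent "/" "https://a.mydomain.com/"
</VirtualHost>

<VirtualHost *:80>
    ServerName b.mydomain.com
    Redirect permanent "/" "https://b.mydomain.com/"
</VirtualHost>

# Port 443: one vhost per hostname, each pointing at its own cert instead of
# the shared wildcard. The first *:443 vhost is also the default that clients
# sending no SNI get, so put the least surprising site first.
<VirtualHost *:443>
    ServerName a.mydomain.com
    SSLEngine on
    # Assumed paths; fullchain.pem carries the leaf plus intermediate.
    SSLCertificateFile    /etc/ssl/a.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/a.mydomain.com/privkey.pem
    DocumentRoot /var/www/a
</VirtualHost>

<VirtualHost *:443>
    ServerName b.mydomain.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/b.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/b.mydomain.com/privkey.pem
    DocumentRoot /var/www/b
</VirtualHost>

# Optional hardening: reject non-SNI clients outright rather than silently
# handing them the first vhost's certificate and content.
SSLStrictSNIVHostCheck on
```

To confirm each name gets its own cert, run `openssl s_client -connect <server>:443 -servername b.mydomain.com` and check the subject of the returned certificate against the one shown for `-servername a.mydomain.com`.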
Sounds good, do I need to change my apache config? Currently I have a bunch of port 80 virtual hosts that permanently redirect to their https/443 counterparts which are also virtual hosts and those all offer the same wildcard *.mydomain.com certificate. Or will apache just do SNI if I use a bunch of different certs?
According to this comment [0], it looks like wildcard certs haven't been ruled out, but have been deferred due to rather thorny issues regarding getting automated validation right.