[ACME] Auto SAN Detection

[adamgoose]

Assuming Let'sEncrypt is enabled, and onDemand=true...

• A request comes for domain.com - an automatic SSL Certificate is requested.
• A request comes for foo.domain.com - an automatic SSL certificate is requested. :(

What would be really useful, is the following workflow:

• A request comes for domain.com - an automatic SSL Certificate is requested.
• A request comes for foo.domain.com - Traefik realizes that it already has a Cert for domain.com, thus it re-issues that same cert and adds the SAN foo.domain.com.

This would drastically decrease certificate issues, thus lowering the chance of someone trying to spin up several domains (such as myself) of reaching their Let'sEncrypt Rate Limit.

[adamgoose]

Sounds like a job for @Jsewill ;)

[mvdstam]

This would drastically decrease certificate issues, thus lowering the chance of someone trying to spin up several domains (such as myself) of reaching their Let'sEncrypt Rate Limit.

I'm not sure Letsencrypt works that way when I look at their policy:

To make sure you can always renew your certificates when you need to, we have a Renewal Exemption to the Certificates per Registered Domain limit. Even if you’ve hit the limit for the week, you can still issue new certificates that count as renewals. An issuance request counts as a renewal if it contains the exact same set of hostnames as a previously issued certificate.

In other words, although this is a nice idea in princible, it won't change anything regarding reaching rate limits.

[adamgoose]

Good point. So changing the list of hostnames will count as an issue, as opposed to a renewal. :(

Bummer. Thanks for pointing it out!