Let's Encrypt Certs and Adding hackspace.org.uk to the Public Suffix List

[This was on the uk-hackspaces mailing list, reposting here where it’s more useful].

[Update: looks like the PSL backlog has been cleared?]

[Edit, update rate limit url and details]

Hi,

We’ve started using Let’s Encrypt[1] for TLS certificates at London Hackspace but there is an issue - Let’s Encrypt rate limits certificates on a per domain basis to no more than 20 a week[2] - that’s certificates per domain, not names per certificate, so you can issue a single cert with multiple names on it.

For hackspace.org.uk this is a problem - we have multiple users under the domain, all of whom are likely to want to manage their own certificates and are unlikely to want to share certificates with others.

We can try to work around the 5 cert issue by co-ordinating when people get certs (the limits do not apply for renewal), but I suspect that that will turn out to be an annoying mess.

There is an alternative - The Public suffix list:

The PSL is a list of domain names whose subdomains are under the control of multiple parties. It’s used by browsers to stop people setting cookies for the parent domain (e.g. foo.co.uk used to be able to set a cookie for co.uk which all other co.uk domains would see), and by Let’s Encrypt to relax the rate limit for domains in the PSL.

I’d like to get hackspace.org.uk added to the public suffix list.
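Let’s Encrypt counts its per-domain limit against the registered domain (public suffix plus one label), which is why a PSL entry relaxes it. The Python below is an added example, not code from the original post: it implements the PSL matching rules (longest match, wildcard and exception rules) over a constructed excerpt of the list and shows how certificate names are bucketed before and after hackspace.org.uk is listed.

```python
# Added example: how a Public Suffix List entry changes the "registered
# domain" a hostname belongs to, the key Let's Encrypt's per-domain
# certificate limit is counted against. PSL_BEFORE/PSL_AFTER are constructed.

PSL_BEFORE = """
// constructed excerpt in PSL file format: uk rules only
uk
co.uk
org.uk
"""
PSL_AFTER = PSL_BEFORE + "hackspace.org.uk\n"  # the entry being requested

def parse_psl(text):
    """Return the rule lines of a PSL file, skipping blanks and // comments."""
    return [l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("//")]

def public_suffix(hostname, rules):
    """PSL matching: an exception (!) rule wins outright, otherwise the
    matching rule with the most labels; with no match the TLD itself."""
    labels = hostname.lower().rstrip(".").split(".")
    prevailing = 1  # implicit "*" rule: the last label is always a suffix
    for rule in rules:
        exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if len(rule_labels) > len(labels):
            continue
        tail = labels[-len(rule_labels):]
        if all(r == "*" or r == h for r, h in zip(rule_labels, tail)):
            if exception:
                prevailing = len(rule_labels) - 1  # drop leftmost label
                break
            prevailing = max(prevailing, len(rule_labels))
    return ".".join(labels[-prevailing:])

def registered_domain(hostname, rules):
    """Public suffix plus one label; None if the host is itself a suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    n = len(public_suffix(hostname, rules).split("."))
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])

def rate_limit_buckets(hostnames, psl_text):
    """Group certificate names by the registered domain they count against."""
    rules = parse_psl(psl_text)
    buckets = {}
    for h in hostnames:
        buckets.setdefault(registered_domain(h, rules), []).append(h)
    return buckets
```

With PSL_BEFORE every member's hostname lands in the single hackspace.org.uk bucket; with PSL_AFTER each member domain is its own registered domain and gets its own allowance.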

Unfortunately, looking at the issues and pull requests open in their repo:

It will take a while to get the list updated, so we may be stuck with the current situation for a while.

In the meantime, if you do want to use Let’s Encrypt please use the staging server until you are sure your setup is working before getting a cert issued - that lessens the chance that we accidentally burn through some of the 20 certs a week limit.

[1] a free, semi-automatic certificate authority, https://letsencrypt.org/
[2] https://letsencrypt.org/docs/rate-limits/

P.S. On a sort of related note, if you have a delegated hackspace.org.uk domain rather than a CNAME and want to do DNSSEC, I can put DS records in hackspace.org.uk for you.