Adding subdomains to Let's Encrypt edge certificate not allowed

We have ordered an advanced certificate with Let’s Encrypt. We originally specified mydomain.com and *.mydomain.com as domains for the certificate hostnames. Now we want to add more sub-domains. It says that we have to cancel and recreate our certificate to do this (this is going to interrupt our operation, which is crazy, but that’s another topic for another day). So I delete our Let’s Encrypt certificate, so I can add it back again with more subdomains. However, we’re not allowed to specify more subdomains. The input box is greyed out, despite saying that we’re at 48 out of 50 allowed hostnames. Any idea what’s wrong?

The ultimate solution would allow me to add subdomains to our certificate while it’s still “running”, so to speak. In a secondary solution I’d settle for just being able to add subdomains to our certificate even if it involves downtime.

Hi @markus.jevring,

You can issue the new one before deleting the old one, so there will be no downtime.

As the docs say, you can’t choose a LE cert if you want to specify custom hostnames.

Selecting Let’s Encrypt as a CA limits a certificate to txt validation_method, 90 validity_days, omission of cloudflare_branding, and 2 host entries (one for the zone name and one for the subdomain wildcard of the zone name, e.g. example.com, *.example.com).

https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager
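The Let’s Encrypt constraints quoted above can be checked locally before anything is deleted, which avoids the outage described in the question. The following is an added example and not Cloudflare’s own code: it validates a certificate-pack order payload against those constraints and lists which of the wanted hostnames the apex-plus-wildcard pair would not cover anyway. Only validation_method, validity_days and cloudflare_branding are quoted on the page; the hosts and certificate_authority field names are assumed to match the certificate-pack order API.

```python
"""Pre-flight check for an Advanced Certificate Manager order using Let's Encrypt.

Constraints (quoted from the Cloudflare docs in the thread): validation_method
must be "txt", validity_days must be 90, cloudflare_branding must be omitted,
and at most two hosts are allowed: the zone apex and its single-level wildcard.
Field names `hosts` and `certificate_authority` are an assumption here.
"""


def lets_encrypt_violations(zone: str, order: dict) -> list[str]:
    """Return the reasons an LE order would be rejected; empty list means OK."""
    if order.get("certificate_authority") != "lets_encrypt":
        return []  # the constraints below only apply to Let's Encrypt packs
    zone = zone.lower().rstrip(".")
    allowed = {zone, f"*.{zone}"}
    problems = []
    hosts = [h.lower().rstrip(".") for h in order.get("hosts", [])]
    if len(hosts) > 2:
        problems.append(f"{len(hosts)} hosts given; LE packs allow at most 2")
    for host in hosts:
        if host not in allowed:
            problems.append(f"host {host!r} not allowed; only {zone} and *.{zone}")
    if order.get("validation_method") != "txt":
        problems.append("validation_method must be 'txt'")
    if order.get("validity_days") != 90:
        problems.append("validity_days must be 90")
    if "cloudflare_branding" in order:
        problems.append("cloudflare_branding must be omitted")
    return problems


def uncovered_hosts(zone: str, wanted: list[str]) -> list[str]:
    """Hosts that apex + wildcard would NOT cover (a wildcard matches one label only)."""
    zone = zone.lower().rstrip(".")
    suffix = "." + zone
    uncovered = []
    for host in wanted:
        host = host.lower().rstrip(".")
        if host == zone:
            continue
        prefix = host[: -len(suffix)] if host.endswith(suffix) else None
        if prefix and "." not in prefix:
            continue  # e.g. api.mydomain.com is covered by *.mydomain.com
        uncovered.append(host)
    return uncovered


if __name__ == "__main__":
    # Constructed sample order: the third host is what made the box greyed out.
    order = {"certificate_authority": "lets_encrypt", "validation_method": "txt",
             "validity_days": 90, "hosts": ["mydomain.com", "*.mydomain.com", "api.mydomain.com"]}
    print(lets_encrypt_violations("mydomain.com", order))
    print(uncovered_hosts("mydomain.com", ["api.mydomain.com", "a.b.mydomain.com"]))
```

Hosts reported by `uncovered_hosts` are the only ones that actually need a non-LE authority (or a second certificate); single-label subdomains are already served by the wildcard.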

Wow, that was really fast, thanks! =)
I had no idea about the limitation of the two hostnames. Especially since the docs say I can use up to 50 of them. Is this a limitation for everyone or just people on the free tier? Our actual domain, i.e. not the one I’m experimenting with, is in the enterprise tier. We use normal cert-manager for other things, and that seems to have no problem specifying more sub-domains for Let’s Encrypt.

No problem :slight_smile:

If you select Digicert as the authority, you can add hostnames, it’s just LE that you can’t.

If you really want LE rather than DigiCert, you could talk to your account team about it, but the same limitations apply for my Enterprise zone with ACM.

No, I don’t think it’s a Let’s Encrypt restriction, I’m not too sure why it is the case.

Alright, thanks for the help. I’ll see how we can work around our subdomain issue in other ways, then.
