GUI cert limit
-
Hi!
Is there a cert limit in GUI?
I can only add 36 domain names with standalone verification mode.
Regards, M
-
What happens when you try to add more?
Why do you need that many on a single certificate? It can be a bit of a security problem to do that for many domains. If you need multiple hostnames on a single domain, you could use a wildcard certificate. If you use multiple domains on a single cert, then you are potentially giving out information about all the domains you host together on a single machine to anyone who connects. For some that doesn't matter much, but it's offering more info than you need to supply to potential attackers.
-
Hi!
This is for 1 server only and for the same app but multiple domains; security is not an issue here, so I decided on this method.
When I try to add more it lets me, and when you save it all looks OK. But when you open it again, what you just saved is not there, so it just trims it out.
-
OK, it looks like there is a limit around there, due to how many variables the page tries to submit:
Warning: Unknown: Input variables exceeded 5000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0
I opened an issue to track it at https://redmine.pfsense.org/issues/9368
You could hand edit /etc/rc.php_ini_setup and change the line that sets max_input_vars to a higher value to work around it temporarily, but I wouldn't consider that the best (or a proper) solution. Increasing it to 15000 would ensure you could make around 100 entries, which is the SAN limit per ACME certificate. After editing that file, either reboot or use options 16 then 11 from the console menu to restart PHP and the GUI.
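The failure mode described in this thread is that PHP only logs a warning when a form exceeds max_input_vars and then hands the handler a truncated $_POST, so the save silently writes a partial configuration. The following is an added example, not code from the pfSense ACME package, showing how a form handler can detect that truncation and refuse to save instead. Function names are made up for illustration; the check compares the field count in the raw urlencoded body (which PHP does not truncate) against the number of variables PHP actually parsed.

```php
<?php
// Added example (not from the pfSense ACME package): detect when PHP has
// dropped form fields because max_input_vars was exceeded. PHP emits only
// "Input variables exceeded N" as a warning and truncates $_POST, so a
// handler that trusts $_POST as-is saves partial data without any error.

/** Count the scalar leaves of a parsed input array. Nested fields such as
 *  name[0][host] each count toward max_input_vars, so recurse into arrays. */
function count_input_leaves(array $vars): int
{
    $n = 0;
    foreach ($vars as $v) {
        $n += is_array($v) ? count_input_leaves($v) : 1;
    }
    return $n;
}

/** Count the fields carried by a raw application/x-www-form-urlencoded
 *  body. This count is independent of PHP's parsing limit. Multipart
 *  bodies are not handled here (assumption: the form posts urlencoded). */
function count_raw_form_fields(string $raw_body): int
{
    if ($raw_body === '') {
        return 0;
    }
    return count(array_filter(explode('&', $raw_body), 'strlen'));
}

/** True when the raw body carried more fields than PHP kept, meaning the
 *  submission was truncated and must not be saved. This is a heuristic:
 *  repeated bare names (a=1&a=2) collapse to one parsed leaf and would
 *  look like truncation, so forms should use array-style names. */
function form_was_truncated(array $parsed, string $raw_body): bool
{
    return count_raw_form_fields($raw_body) > count_input_leaves($parsed);
}

// Guard at the top of a form handler (constructed usage, not pfSense code).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $raw = (string) file_get_contents('php://input');
    if (form_was_truncated($_POST, $raw)) {
        $limit = ini_get('max_input_vars');
        http_response_code(413);
        exit("Form sent more fields than max_input_vars ($limit) allows; "
            . "nothing was saved. Reduce the entries or raise the limit.");
    }
    // ... normal save logic follows only when the submission is complete.
}
```

The point of the check is integrity: a raised max_input_vars is a capacity fix, while this guard turns a silent data loss into a visible, recoverable error regardless of where the limit is set.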
-
Ok thanks.
But what is proper solution?
If ACME supports up to 100, so should the pfSense package...
-
I'm not sure what the proper solution will end up being. The way that form submits information it submits a lot of unnecessary form fields, so fixing that somehow will probably be the right way, but I'm not sure how easy that will be. I didn't write that part of the code.
Safe to say it will be some time before that is fixed. Yes, the ACME limit is 100 but in practice few people need anywhere near that many domains on a single certificate, especially now that you can get wildcards.
-
It's a Microsoft app.
Wildcard not supported
Has to use one cert only otherwise popups occur
Believe me, I would go a different way if it was supported.
-
Why are you using ACME on pfSense to make its cert then? Use an ACME Client on windows to do it.
-
I'm reverse proxying the requests to the LAN.
-
Ah, so the client doesn't support wildcards, not the server. I'd call it dumb, but that's implied from it being a Microsoft app.
If you are using HAProxy to reverse proxy, I believe it can still use a different cert for specific domains. You don't have to stuff them all in a single cert if it's handling the SSL/TLS.
-
Now I have 4 certs covering 3 domains each. And I get popups about different domain stuff because of certs... If I have 1 big fat cert no popups
-
Skype for Business is the simple answer.
Tried with a wildcard but no go...
Also can't tinker a whole lot because of 450 users.
-
The temp fix works OK.
-
There is a patch to try on the redmine issue I linked to previously. I'll try it out today and if it works, then I'll add it into ACME. Looks good at a glance.
-
Hi!
Will try it out later today with staging cert :)
Thanks a lot guys!
-
If you update to the latest version of the ACME package, the patch is included. You will no longer need that max_input_vars workaround.