{"id":1770,"date":"2025-11-13T15:45:49","date_gmt":"2025-11-13T12:45:49","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/lets-encrypt-rate-limitlerine-takilmadan-cok-alan-adinda-ssl-san-wildcard-acme-challenge-ve-tatli-stratejiler\/"},"modified":"2025-11-13T15:45:49","modified_gmt":"2025-11-13T12:45:49","slug":"lets-encrypt-rate-limitlerine-takilmadan-cok-alan-adinda-ssl-san-wildcard-acme-challenge-ve-tatli-stratejiler","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/lets-encrypt-rate-limitlerine-takilmadan-cok-alan-adinda-ssl-san-wildcard-acme-challenge-ve-tatli-stratejiler\/","title":{"rendered":"SSL for Many Domain Names Without Hitting Let\u2019s Encrypt Rate Limits: SAN\/Wildcard, ACME Challenges and Sweet Strategies"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Giris_Bir_Pazartesi_Sabahi_Bir_Yigin_Domain_ve_Kirmizi_Cizgiler\"><span class=\"toc_number toc_depth_1\">1<\/span> Introduction: A Monday Morning, a Pile of Domains and Red Lines<\/a><\/li><li><a href=\"#Rate_Limit_Nedir_Sadece_Cok_Istemek_Mi_Suc\"><span class=\"toc_number toc_depth_1\">2<\/span> What Is a Rate Limit, and Is \u201cAsking Too Much\u201d the Only Crime?<\/a><ul><li><a href=\"#Gercekte_ne_sinirlaniyor\"><span class=\"toc_number toc_depth_2\">2.1<\/span> What is actually being limited?<\/a><\/li><li><a href=\"#Gundelik_hayattan_bir_benzetme\"><span class=\"toc_number toc_depth_2\">2.2<\/span> An everyday analogy<\/a><\/li><\/ul><\/li><li><a href=\"#SAN_mi_Wildcard_mi_Ne_Zaman_Hangisi_Ise_Yarar\"><span class=\"toc_number toc_depth_1\">3<\/span> SAN or Wildcard? When Does Which One Work?<\/a><ul><li><a href=\"#SAN_sertifikalarin_tatli_yani\"><span class=\"toc_number toc_depth_2\">3.1<\/span> The sweet side of SAN certificates<\/a><\/li><li><a href=\"#Wildcardin_gucu_ve_siniri\"><span class=\"toc_number toc_depth_2\">3.2<\/span> The power and the limit of wildcards<\/a><\/li><li><a href=\"#Hibrit_dusunmek_cogu_zaman_daha_iyi\"><span class=\"toc_number toc_depth_2\">3.3<\/span> Thinking hybrid is usually better<\/a><\/li><\/ul><\/li><li><a href=\"#ACME_Challengelari_Sade_Sade_HTTP-01_DNS-01_ve_TLS-ALPN-01\"><span class=\"toc_number toc_depth_1\">4<\/span> ACME Challenges, Plain and Simple: HTTP-01, DNS-01 and TLS-ALPN-01<\/a><ul><li><a href=\"#HTTP-01_Dosyayi_koy_ve_dogrulat\"><span class=\"toc_number toc_depth_2\">4.1<\/span> HTTP-01: Put the file in place and get validated<\/a><\/li><li><a href=\"#DNS-01_TXT_ile_kapiyi_acmak\"><span class=\"toc_number toc_depth_2\">4.2<\/span> DNS-01: Opening the door with a TXT record<\/a><\/li><li><a href=\"#TLS-ALPN-01_Daha_spesifik_durumlar\"><span class=\"toc_number toc_depth_2\">4.3<\/span> TLS-ALPN-01: More specific cases<\/a><\/li><\/ul><\/li><li><a href=\"#Cok_Alan_Adi_Icin_Strateji_Kumeler_Zamanlama_ve_Staging_ile_Provalar\"><span class=\"toc_number toc_depth_1\">5<\/span> A Strategy for Many Domain Names: Clusters, Timing and Rehearsals in Staging<\/a><ul><li><a href=\"#Isimleri_mantikli_kumelere_ayirmak\"><span class=\"toc_number toc_depth_2\">5.1<\/span> Splitting names into sensible clusters<\/a><\/li><li><a href=\"#Zamanlamayi_yaymak_yenilemeyi_basamaklandirmak\"><span class=\"toc_number toc_depth_2\">5.2<\/span> Spreading out the timing, staggering renewals<\/a><\/li><li><a href=\"#Staging_ortami_ve_kuru_kosu\"><span class=\"toc_number toc_depth_2\">5.3<\/span> The staging environment and dry runs<\/a><\/li><\/ul><\/li><li><a href=\"#Otomasyonun_Iskeleti_ACME_Istemcisi_DNS_API_ve_Geri_Basinc\"><span class=\"toc_number toc_depth_1\">6<\/span> The Skeleton of Automation: ACME Client, DNS API and Backpressure<\/a><ul><li><a href=\"#Istemci_secimi_ve_sade_boru_hatti\"><span class=\"toc_number toc_depth_2\">6.1<\/span> Choosing a client and keeping the pipeline simple<\/a><\/li><li><a href=\"#DNS_saglayicilariyla_konusmak\"><span class=\"toc_number toc_depth_2\">6.2<\/span> Talking to DNS providers<\/a><\/li><li><a href=\"#Dagitim_sonrasi_kucuk_ama_kritik_dokunuslar\"><span class=\"toc_number toc_depth_2\">6.3<\/span> Small but critical touches after deployment<\/a><\/li><\/ul><\/li><li><a href=\"#Sik_Dusulen_Cukurlar_DNS_TTL_CDN_Katmanlari_ve_Tekrar_Denemeler\"><span class=\"toc_number toc_depth_1\">7<\/span> Common Pitfalls: DNS TTLs, CDN Layers and Retries<\/a><ul><li><a href=\"#TTLler_kucuk_kayitlar_dogru_mu\"><span class=\"toc_number toc_depth_2\">7.1<\/span> Are the TTLs low and the records correct?<\/a><\/li><li><a href=\"#CDN_ve_WAF_arkasi_surprizleri\"><span class=\"toc_number toc_depth_2\">7.2<\/span> Surprises behind CDNs and WAFs<\/a><\/li><li><a href=\"#Basarisiz_denemelerin_dag_gibi_buyumesi\"><span class=\"toc_number toc_depth_2\">7.3<\/span> Failed attempts piling up into a mountain<\/a><\/li><\/ul><\/li><li><a href=\"#Buyuk_Resim_Cok_Kiracili_Duzenler_Audit_ve_Izlenebilirlik\"><span class=\"toc_number toc_depth_1\">8<\/span> The Big Picture: Multi-Tenant Setups, Auditing and Observability<\/a><ul><li><a href=\"#Cok_kiracili_multi-tenant_senaryolarda_akis\"><span class=\"toc_number toc_depth_2\">8.1<\/span> The flow in multi-tenant scenarios<\/a><\/li><li><a href=\"#Guvenlikte_makul_cizgiler\"><span class=\"toc_number toc_depth_2\">8.2<\/span> Reasonable lines in security<\/a><\/li><\/ul><\/li><li><a href=\"#Kapanis_Sakin_Plan_Tatli_Otomasyon_Keyifli_Yenilemeler\"><span class=\"toc_number toc_depth_1\">9<\/span> Closing: A Calm Plan, Sweet Automation, Enjoyable Renewals<\/a><\/li><\/ul><\/div>\n<h2 id=\"section-1\"><span id=\"Giris_Bir_Pazartesi_Sabahi_Bir_Yigin_Domain_ve_Kirmizi_Cizgiler\">Introduction: A Monday Morning, a Pile of Domains and Red Lines<\/span><\/h2>\n<p>Has this ever happened to you? It is Monday morning, you have grabbed your coffee and settled in to watch that sparkling deployment flow through the CI\/CD pipeline, but on the screen there is an orange warning: <strong>rate limit exceeded<\/strong>. The first time it happened to me was in a multi-customer setup. We had to take dozens of subdomains live in one go, and just as everything seemed fine, Let\u2019s Encrypt said \u201chold on a minute\u201d. That is when I understood that the job is not just pulling a certificate; <strong>timing, grouping, challenge choice and automation<\/strong> matter at least as much as the certificate itself.<\/p>\n<p>That is exactly what we will talk about in this post. I will explain the logic behind Let\u2019s Encrypt\u2019s rate limits with everyday examples. I will share where <strong>SAN and wildcard<\/strong> certificates shine and where they back you into a corner. We will take a clear look at the <strong>ACME challenge<\/strong> options, and I will explain how you can manage many domain names safely while staying calm. Think of it like this: you have hundreds of small stones and you are trying to fit them into a single basket. If you plan the basket\u2019s capacity, the size of the stones and your carrying speed well, you reach the finish line without anyone saying \u201cit overflowed\u201d. Let\u2019s prepare the basket together.<\/p>\n<h2 id=\"section-2\"><span id=\"Rate_Limit_Nedir_Sadece_Cok_Istemek_Mi_Suc\">What Is a Rate Limit, and Is \u201cAsking Too Much\u201d the Only Crime?<\/span><\/h2>\n<h3><span id=\"Gercekte_ne_sinirlaniyor\">What is actually being limited?<\/span><\/h3>\n<p>A rate limit is simply the answer to \u201chow many certificates can you request within a given period?\u201d Let\u2019s Encrypt thinks about this in several layers: a total certificate limit <strong>per domain<\/strong>, a limit on issuing certificates <strong>for the same set of names<\/strong> over and over, and security-oriented brakes such as the limit on <strong>failed validation<\/strong> attempts. There is no need to memorize the exact numbers; what matters is the logic. If you repeat the same actions too often within a short window, the system says \u201ctake a breath\u201d. That pause can be painful when production traffic is involved.<\/p>\n<p>The first time I got stuck I noticed that the problem was not just quantity; <strong>timing and repetition<\/strong> were decisive too. If you try a batch of certificates back to back within five minutes, you will hit the limit wall quickly. Whereas <strong>splitting the request into parts<\/strong> and spreading it over time, reducing failed attempts, and rehearsing beforehand in the <strong>staging environment<\/strong> makes the job sweet. Reading the official documentation on a quiet evening does you good; <a href=\"https:\/\/letsencrypt.org\/docs\/rate-limits\/\" rel=\"nofollow noopener\" target=\"_blank\">Let\u2019s Encrypt\u2019s rate limit explanations<\/a> offer a clear framework.<\/p>\n<h3><span id=\"Gundelik_hayattan_bir_benzetme\">An everyday analogy<\/span><\/h3>\n<p>Think of it like this: you want a hundred pastries from a popular bakery. The bakery does not say \u201cI\u2019ll make them right away\u201d; it sends out trays one after another, and in the meantime you wait in line. Certificates are the same. Instead of baking everything on a single tray, you need to set up a <strong>batch production<\/strong> rhythm. What is more, when you burn one tray (a failed validation), the other trays inevitably get delayed. The trick is to put trays of the right size into the oven at the right intervals.<\/p>\n<h2 id=\"section-3\"><span id=\"SAN_mi_Wildcard_mi_Ne_Zaman_Hangisi_Ise_Yarar\">SAN or Wildcard? When Does Which One Work?<\/span><\/h2>\n<h3><span id=\"SAN_sertifikalarin_tatli_yani\">The sweet side of SAN certificates<\/span><\/h3>\n<p><strong>SAN (Subject Alternative Name)<\/strong> certificates let you hold multiple domain names and subdomains in one certificate. This creates a \u201cseveral birds with one stone\u201d effect: management gets simpler and the renewal flow becomes leaner. For example, you can gather the customer panel, the API, the CDN endpoints and a few special subdomains into a single SAN certificate. But there are two things to keep in mind here: <strong>every name you add<\/strong> to the certificate becomes a responsibility during renewal and deployment, and there is a practical <strong>upper limit<\/strong> on the number of names. So although stuffing everything into one basket looks tempting, putting all your eggs in the same basket carries day-to-day risks.<\/p>\n<h3><span id=\"Wildcardin_gucu_ve_siniri\">The power and the limit of wildcards<\/span><\/h3>\n<p>A <strong>wildcard (*.example.com)<\/strong>, on the other hand, is almost like a joker card. In one move you cover many subdomains under the same root. When a new subdomain is created, in most cases things keep working without obtaining a new certificate. But on one condition: obtaining a wildcard requires the <strong>DNS-01 challenge<\/strong>. That makes setting up automation with your DNS provider mandatory. Also, a wildcard does not automatically cover the <strong>root domain<\/strong> (example.com); if you forget to add it separately, you may be in for an unexpected surprise on port 443. I usually put the root domain + wildcard combination into the same certificate; in practice it is a lifesaver.<\/p>\n<h3><span id=\"Hibrit_dusunmek_cogu_zaman_daha_iyi\">Thinking hybrid is usually better<\/span><\/h3>\n<p>In the real world the best result usually comes from a <strong>hybrid<\/strong> approach, such as gathering critical services (panel, payments, api) under a single SAN certificate and choosing a wildcard for the parts that use many dynamic subdomains. That way you balance the renewal traffic on one side and preserve the independent rhythm of the business units on the other. Do not forget, the goal is <strong>observability and fault isolation<\/strong> as much as convenience. When one certificate causes a problem, only the affected cluster should be hit, not all the sites.<\/p>\n<h2 id=\"section-4\"><span id=\"ACME_Challengelari_Sade_Sade_HTTP-01_DNS-01_ve_TLS-ALPN-01\">ACME Challenges, Plain and Simple: HTTP-01, DNS-01 and TLS-ALPN-01<\/span><\/h2>\n<h3><span id=\"HTTP-01_Dosyayi_koy_ve_dogrulat\">HTTP-01: Put the file in place and get validated<\/span><\/h3>\n<p><strong>HTTP-01<\/strong> is easy to picture: you publish a file under .well-known\/acme-challenge on the server and Let\u2019s Encrypt checks it with a GET request. It is ideal for single-server setups directly exposed to the internet. Behind a CDN or WAF it sometimes needs an extra rule, because the requests can get lost in reverse proxies. With multiple servers under a load balancer, you must plan for the file to reach all nodes or for smart routing of the challenge request.<\/p>\n<h3><span id=\"DNS-01_TXT_ile_kapiyi_acmak\">DNS-01: Opening the door with a TXT record<\/span><\/h3>\n<p><strong>DNS-01<\/strong> is mandatory for wildcards and usually the most robust option in distributed architectures. You prove control of the domain by creating a TXT record. The subtlety here is setting up the automation with your DNS provider\u2019s API properly and being prepared for <strong>TTL\/propagation<\/strong> delays. I always recommend the habit of waiting a few seconds after the record is added and then running a <strong>verification test<\/strong> against several independent resolvers. Especially on busy days, do not press start before you have seen DNS reach the finish line.<\/p>\n<h3><span id=\"TLS-ALPN-01_Daha_spesifik_durumlar\">TLS-ALPN-01: More specific cases<\/span><\/h3>\n<p><strong>TLS-ALPN-01<\/strong> works on port 443 using the ALPN extension. It can be an elegant solution in some specialized infrastructures, but for most teams the combination of HTTP-01 and DNS-01 is practical enough. If you are left undecided about which challenge to choose when, <a href=\"https:\/\/letsencrypt.org\/docs\/challenge-types\/\" rel=\"nofollow noopener\" target=\"_blank\">Let\u2019s Encrypt\u2019s page on challenge types<\/a> will clear your mind. The general rule is simple: if you have the complexity of a CDN\/WAF or multiple nodes, DNS-01; if it is a quick setup on a simple single node, HTTP-01.<\/p>\n<h2 id=\"section-5\"><span id=\"Cok_Alan_Adi_Icin_Strateji_Kumeler_Zamanlama_ve_Staging_ile_Provalar\">A Strategy for Many Domain Names: Clusters, Timing and Rehearsals in Staging<\/span><\/h2>\n<h3><span id=\"Isimleri_mantikli_kumelere_ayirmak\">Splitting names into sensible clusters<\/span><\/h3>\n<p>I first split the project into small teams: core services in one cluster, marketing subdomains in another, customer-specific subdomains in a separate cluster, and so on. Defining a <strong>separate certificate rhythm<\/strong> for each cluster calms down your renewal day. Do not hesitate to solve one cluster with SAN and another with a wildcard. That way you do not lean on the limits from a single direction, and you open up room to maneuver.<\/p>\n<h3><span id=\"Zamanlamayi_yaymak_yenilemeyi_basamaklandirmak\">Spreading out the timing, staggering renewals<\/span><\/h3>\n<p>The sweetest way to avoid rate limits is to spread certificate requests over time. Adding <strong>jitter<\/strong> to your automation, that is, shifting the renewal time by small random offsets, prevents hundreds of requests from piling up in the same minute. All the certificates are valid for 90 days; using that window well and making renewals <strong>staggered<\/strong> reduces the stress. Do not forget, failed attempts affect the counters too; so rehearse first, then go on stage.<\/p>\n<h3><span id=\"Staging_ortami_ve_kuru_kosu\">The staging environment and dry runs<\/span><\/h3>\n<p>My favorite rule: <strong>staging<\/strong> first, then prod. Let\u2019s Encrypt offers a <a href=\"https:\/\/letsencrypt.org\/docs\/staging-environment\/\" rel=\"nofollow noopener\" target=\"_blank\">staging environment<\/a> with different limits but similar behavior. Run your automation\u2019s steps there: creating the challenge, publishing it via DNS\/HTTP, validating, and storing the certificate. Go further and do a \u201cdry run\u201d, and do not move to prod without confirming through several resolvers that the DNS records are really visible. This little ritual dissolves, behind the scenes, most of the wrong steps you would otherwise take in production.<\/p>\n<h2 id=\"section-6\"><span id=\"Otomasyonun_Iskeleti_ACME_Istemcisi_DNS_API_ve_Geri_Basinc\">The Skeleton of Automation: ACME Client, DNS API and Backpressure<\/span><\/h2>\n<h3><span id=\"Istemci_secimi_ve_sade_boru_hatti\">Choosing a client and keeping the pipeline simple<\/span><\/h3>\n<p>Whether you use Certbot, lego or acme.sh, what matters is <strong>keeping your pipeline simple<\/strong>. The chain \u201cgenerate the challenge \u2192 place the proof \u2192 validate \u2192 fetch the certificate \u2192 store the private key and chain securely \u2192 load it into the service with zero downtime \u2192 health check\u201d must be clear and observable. Producing meaningful logs at every step lets you clear the queues without panicking when something goes wrong.<\/p>\n<h3><span id=\"DNS_saglayicilariyla_konusmak\">Talking to DNS providers<\/span><\/h3>\n<p>If you use DNS-01, establish a reliable dialogue with your provider\u2019s API. An automatic <strong>fallback and retry<\/strong> mechanism for failed requests is important. To avoid triggering rate limits, do not neglect retrying with exponential backoff and adding a little jitter to each attempt. Keeping independent resolvers at hand for verification while waiting for propagation is a good habit too.<\/p>\n<h3><span id=\"Dagitim_sonrasi_kucuk_ama_kritik_dokunuslar\">Small but critical touches after deployment<\/span><\/h3>\n<p>It does not end once you have fetched the certificate and put it on the server. Making your server software\u2019s reload <strong>seamless<\/strong> and bringing the new chain into service without breaking connections is, again, on automation\u2019s shoulders. A 2-3 minute \u201cgreen light\u201d ceremony within the team, with browser tests, API smoke tests and simple curl checks, lets you sleep well at night. If browser compatibility is nagging at you, <a href=\"https:\/\/www.dchost.com\/blog\/nginx-apachede-ecdsa-rsa-ikili-ssl-uyumluluk-mu-hiz-mi-ikisini-birden-nasil-alirsin\/\">the ECDSA + RSA dual SSL approach in Nginx\/Apache<\/a> offers a nice balance on both the speed and the compatibility side.<\/p>\n<h2 id=\"section-7\"><span id=\"Sik_Dusulen_Cukurlar_DNS_TTL_CDN_Katmanlari_ve_Tekrar_Denemeler\">Common Pitfalls: DNS TTLs, CDN Layers and Retries<\/span><\/h2>\n<h3><span id=\"TTLler_kucuk_kayitlar_dogru_mu\">Are the TTLs low and the records correct?<\/span><\/h3>\n<p>The most common mishap I see in production is <strong>high TTLs<\/strong> and old TXT records lingering in the shadows. Especially with DNS-01, validation gets stuck when a new record is added without cleaning up the old one. As a solution I recommend the rhythm \u201cclean up the old, put in the new, measure visibility with several independent resolvers, then validate\u201d. Keeping the TTL at a reasonable level and temporarily lowering it at critical moments works too.<\/p>\n<h3><span id=\"CDN_ve_WAF_arkasi_surprizleri\">Surprises behind CDNs and WAFs<\/span><\/h3>\n<p>If you use a CDN or WAF with HTTP-01, a small rule that <strong>bypasses<\/strong> the challenge path is a lifesaver. Some firewalls are used to .well-known paths, but \u201csomething\u201d can still get in the way. Make sure every layer that controls traffic respects the challenge request. The obstacles right in front of your eyes are the ones that surprise you most in production.<\/p>\n<h3><span id=\"Basarisiz_denemelerin_dag_gibi_buyumesi\">Failed attempts piling up into a mountain<\/span><\/h3>\n<p>When a validation fails, our reflex is to try again and again. But that behavior invites the limit counters. <strong>Staying calm<\/strong>, reading the log and resolving the root cause, then moving on to a clean attempt is the most efficient way. A small brake in the automation that prevents \u201ctrying the same name rapidly in succession\u201d thins out the walls that suddenly appear in front of you.<\/p>\n<h2 id=\"section-8\"><span id=\"Buyuk_Resim_Cok_Kiracili_Duzenler_Audit_ve_Izlenebilirlik\">The Big Picture: Multi-Tenant Setups, Auditing and Observability<\/span><\/h2>\n<h3><span id=\"Cok_kiracili_multi-tenant_senaryolarda_akis\">The flow in multi-tenant scenarios<\/span><\/h3>\n<p>When a platform manages dozens of customer domain names, speed is tempting but <strong>observability<\/strong> is more valuable. You will want to see at a glance which domain belongs to which cluster and when and how the last renewal was done. A simple dashboard whispers the rhythm to you through error rates, validation durations and retry counts. Sensing in advance that you are approaching the limit wall ends most crises before they begin.<\/p>\n<h3><span id=\"Guvenlikte_makul_cizgiler\">Reasonable lines in security<\/span><\/h3>\n<p>Where private keys are stored, who has access to them, and the audit logs must not be ignored. Keep production and staging keys separate, store backups encrypted, and keep a simple record of who touched what. It helps to remind the team often that a certificate is not just a file but an <strong>access key<\/strong>. Small leaks can open big doors; so reinforce the door handle.<\/p>\n<h2 id=\"section-9\"><span id=\"Kapanis_Sakin_Plan_Tatli_Otomasyon_Keyifli_Yenilemeler\">Closing: A Calm Plan, Sweet Automation, Enjoyable Renewals<\/span><\/h2>\n<p>To sum up: Let\u2019s Encrypt\u2019s rate limits want to keep the number of requests, the retries and the certificates issued for the same sets of names at a reasonable rhythm. Our job is to learn that rhythm and bake it into our flow. When you blend <strong>SAN and wildcard<\/strong> wisely and cluster domain names by their function, your load gets lighter. When you strike the right balance in <strong>ACME challenge<\/strong> selection between the simplicity of HTTP-01 and the flexibility of DNS-01, you move forward in peace even in complex architectures. Add <strong>staging rehearsals, jittered renewals and solid logging<\/strong> on top, and those scary warnings suddenly turn into an ordinary informational note.<\/p>\n<p>Let\u2019s part with a practical set of tips: renew certificates <strong>in stages<\/strong>, go to the root cause instead of panicking on failures, check DNS records with two different resolvers, and keep challenge paths open behind a CDN\/WAF with a dedicated rule. And if possible, review the <a href=\"https:\/\/letsencrypt.org\/docs\/rate-limits\/\" rel=\"nofollow noopener\" target=\"_blank\">rate limit documentation<\/a> and the <a href=\"https:\/\/letsencrypt.org\/docs\/challenge-types\/\" rel=\"nofollow noopener\" target=\"_blank\">challenge types<\/a> with a calm mind one evening; small notes prevent big surprises. I hope this journey turns your certificate routine, too, into a setup that \u201cjust ticks along in the background\u201d. See you in the next post; may your certificates always stay green and your logs always stay calm.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents1 Introduction: A Monday Morning, a Pile of Domains and Red Lines2 What Is a Rate Limit, and Is \u201cAsking Too Much\u201d the Only Crime?2.1 What is actually being limited?2.2 An everyday analogy3 SAN or Wildcard? When Does Which One Work?3.1 The sweet side of SAN certificates3.2 The power and the limit of wildcards3.3 Thinking hybrid is usually better4 ACME Challenges, Plain and Simple: HTTP-01, DNS-01 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1771,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-1770","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1770","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=1770"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/1770\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/1771"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=1770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=1770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=1770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}