500 on subdomains - Provider

Hello,
I use built-in script with DirectAdmin Control Panel to issue new certificates for hostname of virtual machines.

Hostname looks like this:
vpsXXXXX.company.com

We wanted to prepare 100 private servers, and we came across a huge problem: limits (too many certs issued on .company.com).

I browsed through documentation, but couldn’t dig much. Any ideas how can we bypass the limit?

There are two ways, really. First, you could combine these onto a single certificate. You can put up to 100 domains on a certificate, and issue up to 20 per week, so that’s 2000 domains per week. Second you can apply for a rate limit increase. This takes several weeks to process, and is not guaranteed to be granted. I strongly recommend looking into the first option.

Hi @SomeGuy,

The Let’s Encrypt rate limits are documented at

https://letsencrypt.org/docs/rate-limits/

If the servers are all for your organization’s own use, you’re unlikely to be granted an exemption from the rate limits. If they are somehow operated by or on behalf of other entities, you could fill out a rate limit exemption request form (which is linked from within that page). For example, hosting providers that issue subdomains to individual customers are eligible for this kind of exemption.

One thing that’s important to be aware of is that a single certificate can cover many different names (as subject alternative names, or SANs). The certificate is valid for all of the names that it covers. By Let’s Encrypt policy, an individual certificate may cover up to 100 different names. These names can be, but don’t have to be, subdomains of a particular domain. They can also be, or include, separate or unrelated domain names.

By using this method, the rate limit that you’ve encountered will still permit the issuance of up to 20 certificates covering up to 2000 different domain names per week. If you issue new certificates before performing renewals, you can add up to 2000 new domain names per week while also renewing old ones, and there is no upper limit on the total number of domain names that can be covered.

Clearly, a disadvantage of this method is that the 100 servers that are covered by a single certificate have to share that certificate, and also have to share the associated private key. That means that these servers affect one another’s security in the sense that one of them can impersonate another, and that a successful attack against one of the servers can also harm the cryptographic security of communications destined for another one. Some organizations are more concerned about this trade-off than others. The cryptography security level would be higher if each and every server had its own individual, separate private key and certificate.

On the other hand, each new certificate that’s issued by Let’s Encrypt consumes resources on the server side, primarily the time used on the hardware security module (HSM) to sign the certificate itself and to sign ongoing associated OCSP responses confirming that the certificate is still valid.


It's worth expanding on this a bit for your use case, @SomeGuy. Even if you wanted to use an individual certificate for each domain, since renewals count against but are not restricted by the rate limits, you could take the time to issue 20 per week, and then once they're all issued, you could renew them all without hitting this rate limit. With your 100 private servers, it would take 5 weeks to issue these (actually 4 weeks and 1 day if you issue optimally), which is faster than a rate limit approval would come through even if it were to be accepted.
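
As an added illustration of the arithmetic in the replies above (this is example code, not from the thread or from Let's Encrypt), a small planner that groups hostnames into SAN batches and schedules issuance under a rolling 7-day cap of 20 new certificates; the limit values, the start date and the hostnames are assumptions constructed from what the thread states.

```python
from datetime import date, timedelta

# Limits as described in the thread (assumed here): at most 100 names per
# certificate, at most 20 new certificates per registered domain in any
# rolling 7-day window; renewals are not counted against the cap.
MAX_NAMES_PER_CERT = 100
MAX_NEW_CERTS_PER_WEEK = 20
WINDOW = timedelta(days=7)
START = date(2024, 1, 1)  # arbitrary constructed start date


def batch_names(hostnames, names_per_cert=MAX_NAMES_PER_CERT):
    """Split hostnames into SAN groups of at most names_per_cert names each."""
    return [hostnames[i:i + names_per_cert]
            for i in range(0, len(hostnames), names_per_cert)]


def schedule_issuance(batches, start=START):
    """Give each certificate the earliest day on which issuing it keeps the
    count of certificates issued in the preceding 7 days within the cap.
    Returns a list of (issue_date, names) tuples in issuance order."""
    issued = []  # issue dates already scheduled
    plan = []
    day = start
    for names in batches:
        while True:
            recent = [d for d in issued if day - d < WINDOW]
            if len(recent) < MAX_NEW_CERTS_PER_WEEK:
                break
            # Window is full: the next slot opens when the oldest cert ages out.
            day = min(recent) + WINDOW
        issued.append(day)
        plan.append((day, names))
    return plan


def days_to_complete(plan, start=START):
    """Calendar days from start through the final issuance, inclusive."""
    return (max(d for d, _ in plan) - start).days + 1


if __name__ == "__main__":
    # Constructed hostnames matching the vpsXXXXX.company.com pattern.
    hosts = [f"vps{n:05d}.company.com" for n in range(1, 101)]
    for label, per_cert in (("one name per cert", 1), ("100 SANs per cert", 100)):
        plan = schedule_issuance(batch_names(hosts, per_cert))
        print(f"{label}: {len(plan)} certs, done in {days_to_complete(plan)} days")
```

With one name per certificate the 100th certificate lands on the fifth batch day, 29 calendar days after the first, which is the "4 weeks and 1 day" figure above; with 100 SANs per certificate everything fits in one certificate on day one.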

VPS Cloud Hosting and I can’t share keys, so I guess I will just fill up the form. Each VPS has its own domain, used for pureftpd, mail server and nginx ssl. Domain=Hostname. Thanks for reply, I get it now, too bad it takes so long (several weeks you mentioned) to wait if they accept the higher limits.

You could also consider applying for listing with the Public Suffix List if you think it’s appropriate although they appreciate knowing about reasons for the listing other than the Let’s Encrypt rate limit exemption and have sometimes been frustrated about the high volume of LE-related addition requests. There is an existing rate limit exemption policy for domains listed on the PSL which has a delay of its own but doesn’t require LE to make an individualized policy decision.

https://publicsuffix.org/
