All issuance requests are subject to a Failed Validation limit of 5 failures per account, per hostname, per hour. You should receive the following error message from your ACME client when you’ve exceeded the Failed Validation limit:
too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/
The ‘authorizations’ that this error refers to are the result of authorization requests, sent by your ACME client, to validate control over a domain name before we can issue or renew a certificate. This error indicates that the multiple requests for validation were sent successfully but all attempts to validate have failed.
Does "Failed Validation" mean that all validations have failed in a single certificate request?
For example, if multiple certificates are requested, does it count as "Failed Validation" if only the DCV validation of one certificate fails?
Also, does "per hostname" mean that all the following domains are considered to be the same?
A certificate request is a separate request than an authorization request. E.g., a certificate requires an authorization, but that could have been validated earlier and a certificate request could fail due to other reasons (e.g. CAA limitations). Thus you cannot compare a certification request with an authorization with regard to this rate limit.
But yes, if one certification request fails due to a failed authorization, then that failed authorization would count for the failed authorization rate limit, regardless of the status of the other certificates.
No, those have the same domain, but are distinct hostnames.
If aaa.mixh.jp fails too often, it should be possible to request an authorization for the other hostnames.
Am I right in thinking that rate limiting is done on authorization requests rather than certificate requests?
In other words, does this mean that the DCV count will be limited if the rate limit is hit?
For example, if a single certification request contains the following set of domains, and only one of the hostnames (aaa.mixh.jp) fails DCV, does the failure count increase?
-Set of domains
aaa.mixh.jp
bbb.mixh.jp
ccc.mixh.jp
ddd.mixh.jp
eee.mixh.jp
Correct with regard to the "failed authorizations" rate limit. Certificate requests ("orders") have their own rate limit. See the "New Orders" rate limit at Rate Limits - Let's Encrypt.
Yes, but only for the failed hostname, not the other hostnames.
Thanks for the clear answers.
I have an additional question.
All issuance requests are subject to a Failed Validation limit of 5 failures per account, per hostname, per hour.
Please let me know the reference to 'per account' in the above statement.
Does this refer to the number of failed account authorisation attempts on an account in one Let's Encrypt account?
Or is it the cumulative number of all DCV errors requested on one Let's Encrypt account?
No, because the rule is "5 failures per account, per hostname, per hour".
This is 5 failures on that account, but only 1 failure on each hostname.
The purpose of this limit is not to penalize you for having a very large number of web sites and being unlucky with random failures! It's mainly in place to prevent people from retrying the same request when it fails repeatedly.
The most commonly-encountered Let's Encrypt rate limits both tend toward this general goal: If you get a failure, please investigate why that failure happened and try to fix it before trying that same thing again, instead of making the same kind of request many times in a row.