About increasing Rate Limits

We have more than 150000 domains. We are a big company and we want to give our customers free SSL for mail. But there are limits. I'd like to ask you a few questions about this.
Is it possible to increase these limits?
Is it possible to increase the certificate renewal period?
Is there a solution that we can use for this paid/free?

  1. Yes; there are a couple of ways.
     Perhaps you could provide more detail on:
  2. No.
  3. All LE certs are free.

2 Likes

Thanks rg305,

We are considering a structure like the following example:
1- We will configure 10 HAProxy or nginx servers for 150000 customers: 15000 SSL certificates per server.
2- The 10 servers will renew their SSL certificates every 3 months. Renewals will be done within 1 day. For newly arrived customers it can be any day of the month.
Since they are our existing customers, it is not possible to set the renewal date to any day of the month.
I am also open to your suggestions.

2 Likes

Will the customers bring their own domain names?
Or will they be assigned subdomain names from your company domain?

2 Likes

Each client will bring their own domain name, for example mail.domain.com.
So more than 150000 mail.domain.com names are coming.

I don't see any problem with the limits per the given parameters [others might see something I've missed].

Will each of the ten HAProxies have certs for all names or only the names handled by that single proxy?

2 Likes

I'm giving an example. Certificates will be created for 15000 domains within 1 day on 1 proxy server, and after 3 months these certificates will be renewed.
Rate Limits - Let's Encrypt / on this page there is the phrase "Up to 10 Accounts per IP Address in 3 hours." So it seems impossible to me to create an account for 15000 domains in 1 day. Therefore, how can you help with this? Or how can we find a solution?

This is a sample template; I created it to explain in detail.
We will divide our 150000 customers across 10 servers and allocate 15000 domains per server. We will create certificates for each domain name on each server. In other words, 15000 new domain certificates will be issued via one server and renewed after 90 days. Of course, new customers will be added to these servers later.
First month:
proxy1 -> 15000 domain certificates will be created. (Single IP, single server)
proxy2 -> 15000 domain certificates will be created. (Single IP, single server)
proxy3 -> 15000 domain certificates will be created. (Single IP, single server)
proxy4 -> 15000 domain certificates will be created. (Single IP, single server)
proxy5 -> 15000 domain certificates will be created. (Single IP, single server)
proxy6 -> 15000 domain certificates will be created. (Single IP, single server)
proxy7 -> 15000 domain certificates will be created. (Single IP, single server)
proxy8 -> 15000 domain certificates will be created. (Single IP, single server)
proxy9 -> 15000 domain certificates will be created. (Single IP, single server)
proxy10 -> 15000 domain certificates will be created. (Single IP, single server)

After 90 days:
proxy1 -> 15000 domain certificates will be renewed. (Single IP, single server)
proxy2 -> 15000 domain certificates will be renewed. (Single IP, single server)
proxy3 -> 15000 domain certificates will be renewed. (Single IP, single server)
proxy4 -> 15000 domain certificates will be renewed. (Single IP, single server)
proxy5 -> 15000 domain certificates will be renewed. (Single IP, single server)
proxy6 -> 15000 domain certificates will be renewed. (Single IP, single server)
proxy7 -> 15000 domain certificates will be renewed. (Single IP, single server)
proxy8 -> 15000 domain certificates will be renewed. (Single IP, single server)
proxy9 -> 15000 domain certificates will be renewed. (Single IP, single server)
proxy10 -> 15000 domain certificates will be renewed. (Single IP, single server)

How do you see these conflicting? A single account can have any number of IP addresses.

3 Likes

Hi danb35,
I understood the article as follows: "You can create or update only 10 domains from an IP address within 3 hours."
Did I misunderstand? Would you correct me if I got it wrong?

Yes, very badly. An account is neither a certificate nor a domain; it's an ACME account which "owns" any certificates it requests. A single account can request any number of certs for any number of domains, subject to the other rate limits.

2 Likes

Thank you for your answer. Will I have a problem when I install certbot on a CentOS server and send requests for 15000 domains at the same time? Or will I run into a limit when renewing certificates?

The Let's Encrypt documentation might help you. Please refer to the integration guide (Integration Guide - Let's Encrypt), and please use the staging environment while you build and test your system (Staging Environment - Let's Encrypt).

4 Likes

IMHO, you're generally headed down the right path with your ideas, but they won't work as-is -- both due to rate limits and also due to the limits of the application and infrastructure.

First, while it's nice to offer an SSL cert for each domain to handle mail services, most (all?) Email Service Partners (ESPs) I know tell their customers to point to a domain the ESP owns, e.g. all customers would specify mail.hck28.com in their MX records, and IMAP/SMTP would be imap.hck28.com and smtp.hck28.com.

Getting beyond that and the various account/IP rate limits, the more relevant issue is the max of 100 FQDNs per certificate. If you are just hosting mail. subdomains, you could put 100 of those on each certificate, but generally you should not: when it comes time to renew, if any of those domains is no longer pointing to your systems, the entire certificate renewal will fail. Implementing this strategy typically creates a cascading waterfall effect that breaks the entire installation. Not only are those certificates expiring, but every iteration of failed renewals will typically create "pending authorizations" that are not cleaned up properly, and will eventually trigger the pending authorizations rate limit. Complications can also be caused by trying to renew massive certificates at the same time: you can trigger one of the various high-traffic rate limits, and have failures cascade into wedging your account.

So there are some recommended practices here:

  • Only put a single registered domain per certificate, e.g. mail.example.com is the only domain on that certificate.
  • Ensure your ACME client is cleaning up pending authorizations and logging properly, for the situations where it crashes and has not cleaned up. Digging through ACME logs to find and disable pending authorizations is not fun.
  • Implement a scattered renewal time. You should not be renewing 150000 certs on the first of the month. They should be onboarded in batches over several days or weeks, and renewed throughout the 60-90 day window.
  • This sort of stuff is really relevant for web hosting services. Mail hosting services should not require the customer's domain.

Again, I would NOT use customer domains in this situation. However, if you need to, I suggest looking at the OpenResty fork of nginx. The OpenResty project added several scriptable internal hooks to nginx, one of which is dynamic SSL certificate loading during the SNI handshake. With something like that enabled, you can store your certificates in a central internal system and then load them into nginx on demand. We open-sourced our internal tool that does that: GitHub - aptise/peter_sslers: or how i stopped worrying and learned to love the ssl certificate

4 Likes
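A worked illustration of the cascade described in the post above, as an added example that is neither part of the post nor code from peter_sslers or any ACME client: before each renewal, check that every name on the certificate still resolves to our proxies, drop the ones that do not, and compare how many names a single stale SAN puts at risk under the two layouts (one name per certificate versus many names bundled). The addresses, hostnames and DNS table are constructed, and the resolver callable is a hypothetical stand-in for a real lookup.

```python
"""
Pre-renewal ownership check for a fleet of customer mail.<domain> certificates.

Added example; this is not code from the thread, from peter_sslers or from any
ACME client. Assumptions (hypothetical): each certificate is represented by its
SAN list, a resolver callable returns the A records for a hostname, and OUR_IPS
is the set of addresses our proxies listen on. DNS_TABLE is a constructed
stand-in for real DNS so the example runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Set

Resolver = Callable[[str], List[str]]

# Constructed data: two names still point at us, one customer moved to another
# provider, one name no longer exists at all.
OUR_IPS: Set[str] = {"203.0.113.10", "203.0.113.11"}
DNS_TABLE: Dict[str, List[str]] = {
    "mail.example.com": ["203.0.113.10"],
    "mail.example.net": ["203.0.113.10", "203.0.113.11"],
    "mail.example.org": ["198.51.100.7"],          # moved away from us
    # "mail.stale.example" deliberately absent: NXDOMAIN
}
NAMES = ["mail.example.com", "mail.example.net", "mail.example.org", "mail.stale.example"]
ONE_PER_CERT = [[n] for n in NAMES]   # recommended layout: one name per cert
BUNDLED = [list(NAMES)]               # discouraged layout: many names on one cert


def fake_resolver(name: str) -> List[str]:
    """Stand-in for a DNS lookup; raises like a resolver would on NXDOMAIN."""
    return DNS_TABLE[name]


def still_ours(name: str, resolver: Resolver, our_ips: Set[str]) -> bool:
    """A name counts as ours only if it resolves and every A record is one of
    our proxies. A challenge for a name that points elsewhere will fail, and a
    single failed name fails the whole order, so partial moves count as gone."""
    try:
        addrs = resolver(name)
    except Exception:
        return False
    return bool(addrs) and set(addrs) <= our_ips


@dataclass
class RenewalPlan:
    renew: List[List[str]] = field(default_factory=list)    # SAN lists to order now
    dropped: List[str] = field(default_factory=list)        # names we stop serving
    skipped: List[List[str]] = field(default_factory=list)  # certs with no name left


def plan_renewals(certs: Sequence[Sequence[str]], resolver: Resolver,
                  our_ips: Set[str]) -> RenewalPlan:
    """Strip names that no longer point at us before ordering, so one departed
    customer cannot block the renewal of everyone sharing the certificate."""
    plan = RenewalPlan()
    for sans in certs:
        keep = [n for n in sans if still_ours(n, resolver, our_ips)]
        gone = [n for n in sans if n not in keep]
        plan.dropped.extend(gone)
        if keep:
            plan.renew.append(keep)
        else:
            plan.skipped.append(list(sans))
    return plan


def blast_radius(certs: Sequence[Sequence[str]], resolver: Resolver,
                 our_ips: Set[str]) -> int:
    """Names that would lose coverage if each certificate were renewed as-is:
    one dead SAN fails the order for every name on that certificate."""
    return sum(len(sans) for sans in certs
               if any(not still_ours(n, resolver, our_ips) for n in sans))


if __name__ == "__main__":
    for label, layout in (("one name per cert", ONE_PER_CERT), ("bundled", BUNDLED)):
        p = plan_renewals(layout, fake_resolver, OUR_IPS)
        print(f"{label}: renew={p.renew} dropped={p.dropped} skipped={p.skipped} "
              f"names at risk without the check={blast_radius(layout, fake_resolver, OUR_IPS)}")
```

With the bundled layout, the two departed names put all four names at risk; with one name per certificate, only the two departed names are affected and the other two renew normally. In production the resolver would be a real DNS query (or, better, a check against the proxy that actually answers the challenge), and `dropped` is the list to reconcile with billing before the names are silently forgotten.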

I don't particularly like to give advice, but since it has been brought up:

I have to second this very relevant observation.
I can see customers wanting to use https://webmail.their-domain.tld/
But no one notices MX record names.
All customers' MX records can be using your domains' MX record IPs (or CNAMEd to them).
[Google/Gmail does this for millions of domains]

3 Likes

I agree with the MX RRs. Other thing about that is that some (many?) mailservers don't have SNI support. So a single mailserver might only be able to serve a single certificate for that single hostname. You need to be sure that your mailserver has SNI support or can serve multiple certificates based on e.g. destination IP address (and have separate [virtual] IP addresses for every mailserver hostname..)

Personally I would go with a single hostname for all MX resource records for that single mailserver.

4 Likes

I would like to thank you very much for your detailed information. I will do a study of MX and other DNS records in the next phase. The important thing for me right now is the SSL provisioning process. Our plan A is to define the SSL certificate for mail domains as mail.customerdomainname.com. Our plan B is to make it work through mail.mycompany.com.

Based on what you have told me, I am thinking of a work plan as follows.
I will set up 30 ACME servers running Certbot or peter_sslers. That makes an average of 500 SSL certificates per server.
I need to get a separate certificate for each domain name.

That's why I want to find out the limitations first. My English is a little weak, so I'm working hard to understand what you are writing :blush:
1 ACME IP/server: how many domain certificates can I get per hour and per day?
1 ACME IP/server: how many domain certificate renewal requests can I make per hour and per day?

Also, does the Let's Encrypt community have a solution to make this easier for companies? As a company, we can comply with the required procedures.

I don't know if you knew this already, but a lot of documentation pages have been translated. The rate limit page seems to be available in 17 different languages.

5 Likes

Unfortunately, they do not have a Turkish version :frowning:

3 Likes

The most likely limit you might be concerned with is:
You can create a maximum of 300 New Orders per account per 3 hours.
[that averages to 100/hr and 2400/day (per ACME account)]
So, you should ensure that all your ACME clients are using unique accounts.

There are no limits imposed on normal renewals.
[If your client does something wrong, like forcing certs to renew daily, that would trigger imposed limits of 5 duplicates per week]

2 Likes
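The two figures quoted in the post above (300 new orders per account per 3 hours, 5 duplicate certificates per week) and the earlier advice to onboard in batches and renew throughout the 60-90 day window can be turned into a schedule that an ACME client is driven from. The following is an added example, not code from the thread or from Certbot, peter_sslers or any other client: it assigns domains to accounts, spaces each account's orders so no 3-hour window ever holds more than 300, verifies that with a sliding-window check, picks a per-certificate renewal instant between day 60 and day 85, and flags a client that is about to re-issue the same SAN set for the sixth time in a week. The domain names, account ids and start time are constructed; the limit constants are taken from the thread.

```python
"""
Rate-limit-aware issuance schedule for a fleet of single-name certificates.

Added example; this is not code from the thread or from any ACME client. It
encodes the two figures quoted above (300 new orders per account per 3 hours,
5 duplicate certificates per week) and the earlier advice to spread renewals
across the 60-90 day window instead of renewing everything on one day. The
domain names, account ids and start time in demo() are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import random

NEW_ORDERS_PER_WINDOW = 300          # per ACME account
ORDER_WINDOW = timedelta(hours=3)
DUPLICATE_LIMIT = 5                  # identical SAN sets per week
DUPLICATE_WINDOW = timedelta(days=7)
CERT_LIFETIME = timedelta(days=90)


def schedule_orders(domains, accounts, start):
    """Round-robin domains over ACME accounts and place each account's orders
    on an even lattice inside successive 3-hour windows, so no account ever
    exceeds the per-window cap. Returns (issue_at, account, domain) sorted."""
    spacing = ORDER_WINDOW / NEW_ORDERS_PER_WINDOW   # 36 s at 300 per 3 h
    per_account = defaultdict(int)
    plan = []
    for i, domain in enumerate(domains):
        acct = accounts[i % len(accounts)]
        window_no, slot = divmod(per_account[acct], NEW_ORDERS_PER_WINDOW)
        per_account[acct] += 1
        plan.append((start + window_no * ORDER_WINDOW + slot * spacing, acct, domain))
    plan.sort()
    return plan


def max_orders_in_any_window(plan):
    """Sliding-window check: the most orders any one account places inside any
    3-hour span. Run this over a schedule before executing it."""
    by_account = defaultdict(list)
    for issue_at, acct, _ in plan:
        by_account[acct].append(issue_at)
    worst = 0
    for times in by_account.values():
        recent = deque()
        for t in times:                    # already sorted
            recent.append(t)
            while t - recent[0] >= ORDER_WINDOW:
                recent.popleft()
            worst = max(worst, len(recent))
    return worst


def renewal_time(issued_at, rng):
    """Renew somewhere between day 60 and day 85 of the 90-day lifetime, chosen
    per certificate, so a batch issued together does not renew together."""
    return issued_at + timedelta(days=60) + timedelta(seconds=rng.uniform(0, 25 * 86400))


def duplicate_limit_hit(history, sans, now):
    """True if ordering another certificate for exactly this SAN set would be the
    sixth in 7 days, which means the client is re-issuing instead of reusing."""
    recent = [t for t in history.get(tuple(sorted(sans)), []) if now - t < DUPLICATE_WINDOW]
    return len(recent) >= DUPLICATE_LIMIT


def demo():
    """Constructed fleet: 1500 names over 3 accounts versus 1 account."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    domains = [f"mail.customer{i}.example" for i in range(1500)]
    three = schedule_orders(domains, ["acct-a", "acct-b", "acct-c"], start)
    one = schedule_orders(domains, ["acct-a"], start)
    rng = random.Random(1)
    offsets = [renewal_time(t, rng) - t for t, _, _ in three]
    span = lambda plan: int((plan[-1][0] - plan[0][0]).total_seconds())
    key = ("mail.customer0.example",)
    busy = {key: [start - timedelta(hours=h) for h in range(5)]}   # 5 issuances today
    return {
        "orders": len(three),
        "max_per_window": max_orders_in_any_window(three),
        "span_seconds_3_accounts": span(three),
        "span_seconds_1_account": span(one),
        "renewals_in_window": all(timedelta(days=60) <= o <= timedelta(days=85) for o in offsets),
        "dup_hit": duplicate_limit_hit(busy, list(key), start),
        "dup_ok": duplicate_limit_hit({key: busy[key][:4]}, list(key), start),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With one account, 1500 names take just under 15 hours to issue; with three accounts, just under 5 hours, which is the practical reason behind giving each client its own account. The sliding-window check reports exactly 300 for the generated schedule, so anything above that in a hand-edited or merged schedule is a bug to fix before the first order is sent.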
