Effective 29/06/17 the “Accounts per IP” rate limit is 10 new accounts per 3 hour period and a new “Accounts per IP Range” rate limit is enforced at 500 new accounts per 3 hour period per IPv6 /48.
Historically Let’s Encrypt has enforced the “Accounts per IP” rate limit[0] differently for IPv4 and IPv6 addresses. For IPv4, the rate limit was applied to individual IP addresses. For IPv6, since it is common for an individual person to have many IPv6 addresses at their disposal, we applied the rate limit against a /48.
This would occasionally cause issues for users when (for example) a cloud provider would provision IPv6 enabled instances belonging to different customers in the same /48. If one customer deployed a broken configuration that created many new accounts over and over, the other innocent customers would hit the accounts per IP limit. Very frustrating!
To improve on this situation we have split the Accounts per IP rate limit into two rate limits, allowing finer-grained control. The existing “Accounts per IP” limit is updated to treat IPv6 addresses individually like IPv4 and is now set at 10 new accounts per 3 hour period. A new “Accounts per IP Range” limit is now added that applies to IPv6 addresses within the same /48 and is set to 500 new accounts per 3 hour period per IPv6 /48. Presently this limit is the same for both the production and the staging environment but we will be increasing the value for the latter shortly and I will update this post accordingly. The staging environment has a higher limit of 50 new accounts per IP per 3 hour period to help client developers test (as of 10/07/17).
As always the rate limits documentation provides the most detail on this and all other Let’s Encrypt rate limits.
Thanks!
[0] Note: Historically “accounts” were called “registrations”. The current ACME draft uses “account” and this is the favoured term moving forward.