Another question about limits

I googled and reviewed all the info on letsencrypt's site, and still can't get a clear answer about certificate creation / renewal limits. Please help me to understand. Here is my use-case:

My company, let's name it "xxx", is a SaaS product which provides a kind of VPN service to its customers. Without going into much detail, we:

  1. Create for each customer a dedicated DNS record with a dedicated subdomain (e.g. a.xxx.com, b.xxx.com, c.xxx.com)
  2. Since TLS termination is performed by the customer, we are supposed to provide our customers a certificate, which they are supposed to install on their side. Since each customer is not allowed to see the traffic of another, we have to generate a dedicated certificate per subdomain (we can't use SAN certificates).

The process of DNS record creation and certificate generation is supposed to be fully automatic, without any human intervention.

Now, as I understand it, you limit certificate generation to 50 per week. Since each subdomain must receive its own dedicated certificate, does that mean I am limited to a max of 50 new customers per week?

What about renewals? How are they counted? Assuming I use the whole "50 per week" limit for generating new certificates, does that mean I will not be able to renew any of the existing certificates?

Is there a way to make some commercial agreement to remove / extend these limits? We are talking about a potential need to generate and renew dozens of certificates per day.

Hi,

Yes, you could request a rate limit increase.

Please refer back to this

Thank you


My understanding is that renewals are always allowed.
But they do count towards the 50 for that week.
So assuming your clients renew at the 60 day mark, then that's about 9 weeks after issuance.
So you still have about 9 * 50 certs issued before they start competing for new certs.
If you need more than 450 certs active at any one time (for that same base domain), then you will have to request a rate limit increase.
[OR you could use multiple base domains each covering 450 certs (more or less).]

After re-reading the rate limits (https://letsencrypt.org/docs/rate-limits/)
I find this paragraph to be… “unclear”.
And I can see how this may need some clarification:

Note that the Renewal Exemption also means you can gradually increase the number of certificates available to your subdomains. You can issue 50 certificates in week 1, 50 more certificates in week 2, and so on, while not interfering with renewals of existing certificates.

That said, if you only issue 50 new certs every week, can you do this (+50/week) indefinitely?
Is there an actual absolute maximum limit per domain?

I personally think it would hit a “wall” somewhere around 90/7*50 (more or less)
But I did NOT code any part of this; So that limit and estimate is just my “wild” guess…

I don't think so, if you renew all your certificate around the same date. It was explained in previous threads if I remember correctly.


If that is the case, then we only need one domain per 50 new certs (per week).
So (as an example), if anyone adds no more than 300 new certs per week (all year long), they can do so by using just 6 different domains (6 * 50 = 300).
[without requiring a rate limit exception/increase]

Yep! The information you are looking for is the renewal exemption:

To make sure you can always renew your certificates when you need to, we have a Renewal Exemption to the Certificates per Registered Domain limit. Even if you’ve hit the limit for the week, you can still issue new certificates that count as renewals. An issuance request counts as a renewal if it contains the exact same set of hostnames as a previously issued certificate. This is the same definition used for the Duplicate Certificate limit described above. Renewals are still subject to the Duplicate Certificate limit. Also note: the order of renewals and new issuances matters. To get the maximum possible number of certificates, you must perform all new issuances before renewals during a given time window.

So just be sure you are performing new issuances (for which the default rate limit is 50 certificates per registered domain per week, on a sliding window) and you should have no trouble renewing your certificates after that.

I hope that helps! I often find myself referring back to this doc as well, which @rg305 already posted (thank you!): Rate Limits - Let's Encrypt

And, just to mention it:

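A small model of the rules quoted in this thread, added here as an illustration; it is not code from Let's Encrypt, Boulder, or anyone posting above. It treats the 50-per-week limit as a 7-day sliding window over a registered domain, counts a request as a renewal when its hostname set exactly matches an earlier certificate (the definition in the quoted paragraph), lets renewals through regardless of the per-domain count, and applies a duplicate-certificate limit to renewals and new issuances alike (the value 5 is assumed for this model). The two scenario functions show concretely why the quoted text says the order of renewals and new issuances matters. The `registered_domain` helper is a two-label toy rather than the Public Suffix List the real service uses, and the `xxx.com` names, the 60-day renewal schedule and the dates are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)
PER_REGISTERED_DOMAIN = 50  # "Certificates per Registered Domain" limit from the thread
DUPLICATE_LIMIT = 5         # "Duplicate Certificate" limit; value assumed for this model


def registered_domain(hostname):
    """Toy eTLD+1: the last two labels. Real CAs consult the Public Suffix List."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


class RateLimitModel:
    """Sliding-window model of the two limits discussed in the thread."""

    def __init__(self, per_domain=PER_REGISTERED_DOMAIN, duplicate=DUPLICATE_LIMIT):
        self.per_domain = per_domain
        self.duplicate = duplicate
        self.issued = []        # (issue time, frozenset of hostnames) for every cert issued
        self.seen_sets = set()  # hostname sets issued at least once; renewals match these

    def _recent(self, now):
        cutoff = now - WINDOW
        return [names for t, names in self.issued if t > cutoff]

    def request(self, now, hostnames):
        names = frozenset(h.lower() for h in hostnames)
        recent = self._recent(now)
        is_renewal = names in self.seen_sets  # exact same set of hostnames as before

        # The duplicate limit applies to renewals and new issuances alike.
        if sum(1 for s in recent if s == names) >= self.duplicate:
            return "rejected", "duplicate certificate limit"

        # Renewals are exempt from the per-registered-domain limit, but they
        # still occupy a slot in the window, which is why the order matters.
        if not is_renewal:
            for domain in {registered_domain(h) for h in names}:
                in_window = sum(1 for s in recent
                                if any(registered_domain(h) == domain for h in s))
                if in_window >= self.per_domain:
                    return "rejected", f"certificates per registered domain ({domain})"

        self.issued.append((now, names))
        self.seen_sets.add(names)
        return "issued", "renewal" if is_renewal else "new"


def order_matters(renewals_first):
    """Week 0: 50 new certs. Day 8: 40 renewals plus 20 new requests, in the
    given order. Returns how many of the 20 new requests were issued."""
    model = RateLimitModel()
    t0 = datetime(2024, 1, 1)  # constructed date
    existing = [{f"a{i}.xxx.com"} for i in range(50)]
    for names in existing:
        model.request(t0, names)
    day8 = t0 + timedelta(days=8)
    renewals = existing[:40]
    new = [{f"b{i}.xxx.com"} for i in range(20)]
    batches = [renewals, new] if renewals_first else [new, renewals]
    issued_new = 0
    for batch in batches:
        for names in batch:
            status, kind = model.request(day8, names)
            if status == "issued" and kind == "new":
                issued_new += 1
    return issued_new


def weekly_schedule(weeks, renewals_first, per_week=50, renew_after=timedelta(days=60)):
    """Add per_week new customers every week and renew each cert once it is
    renew_after old. Returns how many new-certificate requests were rejected."""
    model = RateLimitModel()
    t0 = datetime(2024, 1, 1)  # constructed date
    due = []  # (renewal time, hostnames) for every live cert
    rejected_new = 0
    for week in range(weeks):
        now = t0 + week * WINDOW
        new = [{f"c{week}-{i}.xxx.com"} for i in range(per_week)]
        renewals = [names for at, names in due if at <= now]
        due = [(at, names) for at, names in due if at > now]
        batches = [renewals, new] if renewals_first else [new, renewals]
        for batch in batches:
            for names in batch:
                status, kind = model.request(now, names)
                if status == "issued":
                    due.append((now + renew_after, names))
                elif batch is new:
                    rejected_new += 1
    return rejected_new


if __name__ == "__main__":
    print("day 8, new first, new certs issued:      ", order_matters(False))      # 20
    print("day 8, renewals first, new certs issued: ", order_matters(True))       # 10
    print("12 weeks, new first, new rejected:       ", weekly_schedule(12, False))  # 0
    print("12 weeks, renewals first, new rejected:  ", weekly_schedule(12, True))   # 150
```

Under this model the +50/week schedule runs indefinitely with no rejections as long as each week's new issuances go out before that week's renewals; the moment renewals are sent first, the first renewal wave (week 9 on the 60-day schedule) fills the window and every new request for that week is refused, which is the "wall" discussed above.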
