Since the rate-limit window is quite long (one week), it would be helpful to have an API to see what our burn-through rate is for the domain. We could then use this information in scaling and throttling functions so that we don’t run out of capacity.
The current solution of reverse engineering it based on CT logs is an unhappy one; it’s inaccurate, and the companies that can afford to run log aggregators don’t do it in an accessible way (credit to Comodo for being the noble exception).
I’d love it if Let’s Encrypt could just start sending a retry-after header along with the acme:error:rateLimited error, but probably the team want to avoid non-standard extensions and it’d need to be added to the ACME draft.
Just as a side note, crt.sh have now fixed their scaling problems and the backlog is steadily decreasing at a rate of 10 mil entries/day, so it should be cleared within a couple of weeks. Once that’s done, https://tools.letsdebug.net/cert-search should accurately report rate limits.