Arbitrary (sub)^n-domains, rate limits, wildcards, and the public suffix list


#1

Problem:
How to enrol for arbitrary subdomains on demand (e.g. a.b.c.example.com, d.e.f.other.com) without hitting rate limits.

State of the world:
Let’s Encrypt currently has a rate limit of 5 certificates per week per domain (certificates for subdomains are considered part of the domain for the purposes of this rate limit). There is also a limit of 100 names per certificate (I’m aware that this is a technical compromise because TLS certificates cannot be over a certain size or the TLS handshake will fail). Wildcard certificates are not supported by Let’s Encrypt.

Browsers do not currently support the standard for nested wildcard certificates (e.g. *.*.domain.com) and a *.domain.com certificate does not service a.b.domain.com.

The public suffix list has been used in the past to avoid L.E. rate limits. This is probably not appropriate in general because it subverts the main purpose of the public suffix list. In my case it also doesn’t work for reasons I will describe below.

Use case: TLS termination as a service
Cloudflare, AWS, and others have been offering TLS certificates and certificate management as a service for cloud hosted services. In order to provide a service like this for custom domains with arbitrary subdomains (and to allow creation of subdomains on demand - useful in the case of an organisation with many people wanting to manage their own subdomains), as soon as sub-subdomains enter the mix certificates need to be enrolled on demand due to the existing limitation on client support for nested wildcard certs.

The two solutions to this problem that I can see are: (1) run a certificate authority; (2) find a sensible way to allow higher rate limits for Let’s Encrypt (e.g. maintaining a L.E. fork of the public suffix list, a sponsorship arrangement to provide more resources for Let’s Encrypt, raising the limit on subdomains only).

I know what’s involved with (1) and honestly I’d prefer to not do that (props to the Let’s Encrypt team for dealing with that on behalf of the rest of us). (2) sounds like something worth brainstorming.

Please let me know if you can think of any other alternatives! :slight_smile:
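To make the two constraints in the post concrete, here is an added example (my own code, not the poster's and not anything from Let's Encrypt or a client). The first part checks which hostnames a certificate's SAN list actually covers under the single-label wildcard rule browsers apply, so it shows why `*.domain.com` does not serve `a.b.domain.com` and why `*.*.domain.com` is rejected. The second part packs on-demand hostnames into certificate requests that respect the limits quoted above (100 names per certificate, 5 certificates per registered domain per week). The `registered_domain` rule (last two labels) is a deliberate simplification standing in for the public suffix list; the function names, the sample hostnames and the planner API are assumptions of this example.

```python
"""Wildcard coverage under browser rules, plus batching of hostnames into
certificate requests that stay within the rate limits quoted in the thread.
Added example; the limits come from the thread, everything else is assumed."""
import math
from collections import defaultdict
from typing import Dict, List

NAMES_PER_CERT = 100  # limit stated in the thread
CERTS_PER_WEEK = 5    # limit stated in the thread, per registered domain


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """True if one SAN entry covers hostname under the single-label rule
    browsers apply: '*' may stand for exactly one leftmost label, so
    '*.example.com' covers 'a.example.com' but not 'a.b.example.com', and
    a nested pattern such as '*.*.example.com' is rejected outright."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Only the whole leftmost label may be a wildcard; anything else fails.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3:  # refuse overly broad patterns such as '*.com'
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_covers(sans: List[str], hostname: str) -> bool:
    """True if any SAN entry on the certificate covers the hostname."""
    return any(wildcard_covers(san, hostname) for san in sans)


def registered_domain(hostname: str) -> str:
    """Assumption for this example: the registrable domain is the last two
    labels. The real rate limiter consults the public suffix list, which is
    what makes suffixes like 'co.uk' behave; swap in a PSL lookup here."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def plan_certificates(hostnames: List[str]) -> Dict[str, List[List[str]]]:
    """Group hostnames by registered domain (the unit the rate limit counts)
    and pack each group into certificates of at most NAMES_PER_CERT names.
    Returns registered_domain -> list of SAN lists, one per certificate."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for host in sorted(set(hostnames)):
        groups[registered_domain(host)].append(host)
    return {
        domain: [names[i:i + NAMES_PER_CERT]
                 for i in range(0, len(names), NAMES_PER_CERT)]
        for domain, names in groups.items()
    }


def weeks_needed(plan: Dict[str, List[List[str]]]) -> Dict[str, int]:
    """Weeks required to issue every planned certificate for each registered
    domain at CERTS_PER_WEEK; anything above 1 is the rate-limit pain point."""
    return {d: math.ceil(len(certs) / CERTS_PER_WEEK) for d, certs in plan.items()}


if __name__ == "__main__":
    # Constructed hostnames taken from the post's own examples.
    wanted = ["a.b.c.example.com", "d.e.f.other.com", "x.example.com"]
    print(wildcard_covers("*.domain.com", "a.domain.com"))      # True
    print(wildcard_covers("*.domain.com", "a.b.domain.com"))    # False
    print(wildcard_covers("*.*.domain.com", "a.b.domain.com"))  # False
    plan = plan_certificates(wanted)
    print(plan, weeks_needed(plan))
    # 1200 on-demand names under one domain: 12 certificates, 3 weeks.
    big = plan_certificates([f"h{i}.example.com" for i in range(1200)])
    print(len(big["example.com"]), weeks_needed(big))
```

The planner packs as many names as the per-certificate limit allows precisely because the weekly limit counts certificates, not names; once a registered domain needs more than five certificates in a week, `weeks_needed` shows the backlog that an on-demand service cannot absorb.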


#2

There’s been talk about a form to be used to manually exempt domains from the rate limit. It’s not available yet and there’s no ETA as far as I know, but that should cover at least some of the use-cases involving a large number of certificates per domain.

I don’t think wildcards are completely off the table either. If the IETF ACME Working Group decides to add a challenge type that covers wildcards, I imagine Let’s Encrypt will implement it somewhere down the road.


#3

Large providers do already have special rate limits. There’s an application process and requests will be evaluated on a non-regular basis. See https://mailarchive.ietf.org/arch/msg/acme/S8r5m9-Mh6gbE4vmzkF1CKVhFC4


#4

Thanks kelunik! That sounds more like what I’m looking for.

