ARI Rate limits

We manage several thousand certificates and have our own client. We're considering adopting ARI but it's unclear what the rate limits are for that endpoint. The rate limits page says:

The “new-nonce”, “new-account”, “new-order”, and “revoke-cert” endpoints on the API have an Overall Requests limit of 20 per second. The “/directory” endpoint and the “/acme” directory & subdirectories have an Overall Requests limit of 40 requests per second.

But doesn't define what the limit is for renewal info. Should we assume it's 20 per second? Our client handles backing off when the rate limit is hit but I'd like to understand ahead of time how long it might take to get the info for 10k certificates.

Thanks!

4 Likes

Seems like a safe assumption, the request per second rate limiting is likely done at a higher traffic management level than at the API itself.

Personally I'd say 20 requests per second still seems like quite a high rate. For 10k certificates checked 4 times per day I think you'd be 55 checks per hour, assuming checks are in small batches.

3 Likes

AFAIK there is (in addition to the base limit?) a load-aware rate limit on the load balancers so the real request/second rate you will get will vary depending on serverside conditions. So I wouldn't assume a 100% fixed rate and instead vary with backoffs when a 429/500/503 or similar is hit.

To ballkbark numbers, I would go with the 40 rps, but your actual mileage may be both higher and lower depending on conditions.

5 Likes

All of the above is correct. We do not (at this time) have specific rate limits for checking ARI. We do have API-wide per-IP rate limits that are enforced by the networking stack well before the requests ever reach the Boulder ACME server software, and those are enforced for ARI requests alongside all other requests.

9 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.