It must be somewhere online but I couldn’t find it. What is the limit of certs an account can generate? We’re building something similar to Shopify so we’re going to have a lot of domains from our users and want to make sure what the rules are.
There’s no limit on the number of certificates per account. The only account-related limits are pending authorizations (300) and failed validations per hostname and hour (5). All other limits are based domains. The full list of rate limits can be found here.
Yes, I’m fairly certain it’s 7 days. Your authz objects have expires fields you can check to confirm this.
No, it’s up to the ACME client to keep track of both the number of pending authorizations and their URLs, which you’ll need to disable them or force validation if you run into the limit for some reason (i.e. a bug or an outage). There’s no endpoint that you can use to return all pending authorizations either.