We have multiple domains with a CNAME record pointing to our service. This service reads the SNI, then requests a certificate for the subdomain on the fly and verifies it (using https://godoc.org/golang.org/x/crypto/acme/autocert). These certificates are then stored in memory and served for future requests. This is great for us because we don’t need to save the certificates in a shared store, and it makes it much harder for us to accidentally leak them.
This works well, but we’re running into some issues scaling this approach. In particular, since our service is autoscaled, we could end up requesting more than 20 certificates for the same set of domains a week (which exceeds the limits as per https://letsencrypt.org/docs/rate-limits/) as the instances are shut down and booted up.
How flexible are the rate limits? Can they be increased upon request? Is there another strategy we could pursue that doesn’t involve us storing the certificates in a shared store?
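The setup described in the post above, as an added Go sketch (not the poster's code, and not autocert itself): a `GetCertificate` hook with a memory-only cache, run across replacement instances to show that issuance grows with boots rather than with hostnames. A self-signed certificate stands in for the ACME order, and `Instance`, `IssuancesAfter` and the hostname are hypothetical names; the map is left unlocked because the simulation is single-threaded.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
)

var issued int // issuances across all instances, i.e. what the CA counts
// Instance is one autoscaled server; its certificates live only in memory.
type Instance struct{ certs map[string]*tls.Certificate }

// GetCertificate has the tls.Config.GetCertificate signature: serve from memory or issue.
func (i *Instance) GetCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if c, ok := i.certs[h.ServerName]; ok {
		return c, nil // cache hit: no request to the CA
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// Self-signed stand-in (assumption) for the ACME order autocert would place.
	t := &x509.Certificate{SerialNumber: big.NewInt(int64(issued + 1)), DNSNames: []string{h.ServerName}}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		return nil, err
	}
	issued++
	i.certs[h.ServerName] = &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
	return i.certs[h.ServerName], nil
}

// IssuancesAfter boots n instances in turn, each handling two handshakes for name.
func IssuancesAfter(n int, name string) int {
	issued = 0
	for k := 0; k < n; k++ {
		inst := &Instance{certs: map[string]*tls.Certificate{}} // fresh boot, empty cache
		for j := 0; j < 2; j++ {
			if _, err := inst.GetCertificate(&tls.ClientHelloInfo{ServerName: name}); err != nil {
				panic(err)
			}
		}
	}
	return issued
}

func main() { fmt.Println(IssuancesAfter(21, "app.customer.example")) } // constructed name
```

With 21 instance boots in a week, the same hostname is issued 21 times, which is past the 20 per week the post cites, even though each instance only ever issues once.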