Certificate Rate Limits


#1

Hi!

We have multiple domains with a CNAME record pointing to our service. This service reads the SNI, and requests a certificate for the subdomain on the fly and verified (using https://godoc.org/golang.org/x/crypto/acme/autocert). These certificates are then stored in memory and served for future requests. This is great for us because we don’t need to save the certificates in a shared store and it makes it much harder for us to accidentally leak them.

This works well, but we’re running into some issues scaling this approach. In particular, since our service is auto scaled, we could end up requesting more than 20 certificates for the same set of domains a week (which exceeds the limits as per https://letsencrypt.org/docs/rate-limits/) as the instances are shut down and booted up.

How flexible are the rate limits? Can they be increased upon request? Is there another strategy we could pursue that doesn’t involve us storing the certificates in a shared store?
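To make the scaling problem in this question concrete, here is an added Python model (not part of the thread and not autocert's own code) that counts issuances per registered domain in a rolling seven-day window and simulates instances that each re-request certificates on boot because their in-memory cache starts empty. The per-domain limit is a parameter, and `registered_domain()` is a simplifying assumption that takes the last two labels rather than consulting the public suffix list.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)  # Let's Encrypt counts issuances over a rolling week


def registered_domain(hostname: str) -> str:
    # Assumption: the registered domain is the last two labels. Real code
    # should use the public suffix list (this breaks for names like co.uk).
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class IssuanceTracker:
    """Counts certificate issuances per registered domain in a rolling window."""

    def __init__(self, limit_per_domain: int):
        self.limit = limit_per_domain
        self.events = defaultdict(deque)  # registered domain -> timestamps

    def _prune(self, rd: str, now: datetime) -> None:
        q = self.events[rd]
        while q and now - q[0] >= WINDOW:
            q.popleft()  # drop issuances older than the window

    def would_exceed(self, hostname: str, now: datetime) -> bool:
        rd = registered_domain(hostname)
        self._prune(rd, now)
        return len(self.events[rd]) >= self.limit

    def record(self, hostname: str, now: datetime) -> None:
        rd = registered_domain(hostname)
        self._prune(rd, now)
        self.events[rd].append(now)


def simulate_autoscaling(hostnames, boot_times, limit):
    """Each instance boot requests one cert per hostname (its in-memory cache
    is empty after a restart). Returns (issued, blocked) request counts."""
    tracker = IssuanceTracker(limit)
    issued = blocked = 0
    for t in boot_times:
        for h in hostnames:
            if tracker.would_exceed(h, t):
                blocked += 1  # this request would trip the per-domain limit
            else:
                tracker.record(h, t)
                issued += 1
    return issued, blocked
```

Feeding it the real boot history of an autoscaling group shows how many certificate requests would be refused in a given week before an override is in place.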


#2

Hi @prateek,

In the “Overrides” section at

https://letsencrypt.org/docs/rate-limits/#overrides

there is a link to a form you can submit to request to increase the rate limit. It is possible that it will take some time to get a reply to your request, and it’s also possible that the answer will be no if you’re requesting it just for your own application and not in order to host a variety of sites for different people or entities under the same domain. In one case where an application wanted to autogenerate a very large number of subdomains on the fly, we ended up suggesting that they buy wildcard certificates from a different CA. But if you would like to have a conversation about this, submitting the rate limit form may be the best course of action.


#3

Oh perfect, this is indeed for a variety of domains (e.g. domain1.com and domain2.com that point to our single service at service.com), so we would definitely be interested in having a conversation about it.

