Certificates per Registered Domain rate limit

We have a webshop SaaS, and customers can connect their domains to their shops. We use Let’s Encrypt to automatically generate certificates for these domains.

We are working with our CDN partner, and one of their requirements on us is to minimize the number of distinct live certificates we use. For that reason we try to bundle as many domains as possible on the same certificates, up to the limit of 100 domains per certificate. This leads to some restrictions when choosing which certificate to add new domains to and regenerate.

We choose which certificate to add the new domain to and regenerate based on:

  • Certificate has room for more domains.
  • All registered domains in that certificate are within rate limits (problem area).
  • Prefer a certificate that contains the same registered domain.
  • If we couldn’t find a certificate we will create a new one.

The problem occurs when the owner of a registered domain has used Let’s Encrypt to generate certificates for other subdomains not known to our system.

When we later try to add a new domain to a certificate and regenerate it, our system thinks that all the registered domains currently on the certificate are well below the rate limit. But they are in fact not, because one of the registered domains has generated certificates outside our system.

Is it possible to raise the Certificates per Registered Domain rate limit for our account? I was looking at the form for raising rate limits but the needs specified there do not really apply to us.
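
The four selection rules listed in the post above, written out as an added example (not the poster's code and not anything published by Let's Encrypt). The `LIMIT` value, the issuance-count dictionaries, the "fullest bundle" tie-break and the two-label `registered_domain` shortcut are assumptions, and all names and counts are constructed sample data.

```python
from dataclasses import dataclass, field

MAX_NAMES_PER_CERT = 100  # per-certificate bundling limit stated in the post


def registered_domain(name: str) -> str:
    # Assumption: the last two labels stand in for the registered domain.
    # A real system would resolve this against the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


@dataclass
class Bundle:
    cert_id: str
    names: set = field(default_factory=set)

    def registered_domains(self) -> set:
        return {registered_domain(n) for n in self.names}


def choose_bundle(new_name, bundles, issued, limit):
    """Return the Bundle to extend, or None when a new certificate is needed.

    issued maps registered domain -> certificates counted in the current
    rate-limit window; limit is the cap for that window (caller-supplied).
    """
    target = registered_domain(new_name)
    candidates = [
        b for b in bundles
        if len(b.names) < MAX_NAMES_PER_CERT  # rule 1: room for more domains
        # rule 2: every registered domain already on the certificate is under the limit
        and all(issued.get(rd, 0) < limit for rd in b.registered_domains())
    ]
    if not candidates:
        return None  # rule 4: no usable certificate, create a new one
    # rule 3: prefer a bundle holding the same registered domain; then the
    # fullest bundle (assumed tie-break), then cert_id for a stable result.
    return min(candidates, key=lambda b: (target not in b.registered_domains(),
                                          -len(b.names), b.cert_id))


# Constructed sample data
BUNDLES = [Bundle("cert-a", {"shop.alpha.example", "www.beta.example"}),
           Bundle("cert-b", {"store.gamma.example"})]
LIMIT = 5  # constructed value, not Let's Encrypt's actual limit
LOCAL_COUNTS = {"alpha.example": 1, "beta.example": 1, "gamma.example": 1}
# Same window, including certificates issued for alpha.example outside the system
FULL_COUNTS = {**LOCAL_COUNTS, "alpha.example": 5}
```

With `LOCAL_COUNTS` the function picks `cert-a` for `shop.delta.example`, which is the regeneration that then hits the rate limit; with `FULL_COUNTS` it skips `cert-a` and picks `cert-b`.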

@jsha, could you please consider this question?


I wanted to update this thread since we recently announced a change that removes the constraint on order of renewals versus new issuance. The new behaviour grants the renewal exemption regardless of the order of operations and should be much easier to work with.

Thanks to everyone who provided feedback!
