I've read through Rate Limits - Let's Encrypt, which suggests that I should be able safely renew any existing certs. However, I suspected that the docs (as they often seem to) assumes that you have a persistent/non-volatile directory set via --work-dir
/--config-dir
. However, I wish to automate Let's Encrypt from ephemeral environments (such as AWS Lambda), where --work-dir
/--config-dir
will point at a temporary, short-lived directory, and I won't be persisting those directories in any way. The question now is, how should the docs on rate limits (and by extension, accounts) be interpreted?
(The core of my uncertainty is emboldened below, though the other questions should help provide some context and insight into my thought process here.)
Starting with this section:
You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours.
So first order of business is to determine if a non-persistent config dir leads to duplicate account creation. Being fairly new to Let's Encrypt, I first had to read up on what constitutes an account (Finding Account IDs - Let's Encrypt):
If youāre using Certbot, you can find your account ID by looking at the āuriā field in /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/*/regr.json.
A simple test would (seemingly) be to run certbot
, then rm -rf
the config dir, and then run certbot
again and check if I get different uri
s in the **/regr.json
file. Sure enough, I arrive at two different uri
s. Am I correct in my understanding that this will quickly lead to me hitting this particular rate limit (I'd test it myself, but I'd rather avoid putting unnecessary stress on the Let's Encrypt servers)? If yes, is there any way to avoid this without copying the entire work dir around (perhaps some docs on persisting just this bit, if necessary)?
The next concern I had was about renewals: if the config dir isn't persisted, and I use certbot --keep-until-expiring [...]
, will the following hold:
- Will
certbot
be able to infer (say, from inspecting the target domain's current TLS certificate -- as reported by the server, as opposed to checking on-disk -- and perhaps any info stored in Let's Encrypt's servers) that my certificate is (or is not) about to expire, and (perhaps) additionally check that the cert was issued by Let's Encrypt, and thus avoid issuing another certificate? Empirically, this does not seem to be the case (I am issued a second cert). - If another certificate is issued, does that then count as a duplicate, or a renewal? I suspect the former, but I'm not entirely sure.
I can understand #1, as it would be tricky to define the "correct" semantics for such inference such that everyone would be pleased, e.g. if the server is configured with a cert from a different CA and that cert is far from expiration, is the "right" thing to do:
- Wait for the current cert to expire, or
- Authorize and install a new cert from Let's Encrypt immediately
I'm sure many people would want to migrate immediately, while others might want to hold off (for whatever reason), so inspecting some non-ephemeral config directory makes a bunch of sense as a sane way to handle renewal. However, I'd recommend clarifying the language in the docs so that they describe how things work in an ephemeral environment (admittedly, that's more of a certbot
thing than a general Let's Encrypt thing; regardless, that info should be easily discoverable somewhere). For my own purposes, this can be easily worked around by doing my own check on the expiry of the cert before invoking certbot
.
I should probably note that I've currently tested with the certbot-s3front plugin; given my reasoning, I doubt that should impact the observed behavior in such a way that it deviates from the core semantics, but I could be wrong: if any of my empirical observations sound off, please let me know.
In conclusion, I'd like to set up a recurring AWS Lambda function to keep my certs up to date, but I'm not convinced that I can do that in such a way that I won't likely run up against rate limits that are uniquely imposed upon such ephemeral environments.