To ease automation in an Azure Service Fabric Cluster running Traefik, we would like to have each node in a cluster simply acquire its own certificate instead of sharing a certificate. This can very easily lead to problems with the Let's Encrypt rate-limit for larger clusters (which is fair enough). I was wondering if there are any options for a paid account with a higher rate limit? Or alternatively, if any commercial providers are available supporting the ACME protocol?
There’s at least one commercial provider out there supporting ACME v1, but I don’t remember their name off the top of my head.
In any case, you can have a higher rate limit (for free) with Let’s Encrypt if you have a legitimate need. Information about rate limit exemptions can be found on https://letsencrypt.org/docs/rate-limits/ as well as the link to the form to apply for a rate limit increase.
Thanks for the reply. I haven’t had much luck googling for other providers of ACME, so if you happen to remember the providers name, please let me know. We might indeed try the form, but it really does not matter to us whether it is free or not (just needs to be reliable), we just want to be able to use ACME to avoid having to manually deal with renewals.
I took a look through my PMs and it looks like https://www.buypass.com/ssl/acme is what I was remembering - they seem to be free, though.
Thanks, I will check out what rate-limiting they have. Curious that no one wants money for this type of service. You can either get automated certificates for free, or pay a lot of money to deal with the manual hassle.
Sounds like they have similar rate-limits:
“We also have a Duplicate Certificate limit of 5 certificates per week”
But since they also sell commercial certificates, perhaps they are open to accepting money for increased rate-limits…
You could always take the Cloudflare approach of mixing your CAs, so you’re not reliant completely on either Let’s Encrypt or BuyPass. Could also have the added benefit of doubling your effective rate limits - just randomly assign the ACME directory at issuance/renewal time.
Really though, I imagine that a rate limit increase from Let’s Encrypt is what most large integrators have done. As the largest and least commercially-motivated player (by a significant margin) they’re the least likely to let you down!
In addition to BuyPass I believe Globalsign has some form of ACME support: https://www.globalsign.com/en/auto-enrollment-gateway/
I don’t believe it is compatible with the current drafts (what we call ACME v2) but I’m not certain.
Thanks for the tip. Meanwhile however, we found out that ACME was definitely not designed to be used in this manner, since multiple VMs will attempt to obtain a certificate for the same domain at the same time. If we use DNS-01, the different VMs will override the TXT record with different content (since the TXT record key does not depend on the id of the specific request), and if we use HTTP, we run into the obvious problem that we have the Azure load balancer in front of this cluster, and therefore the challenge request is unlikely to go to the node that issued the request.
The devs working with Traefik and Service Fabric are aware of the issue, but for now it looks like we will have to use an external script to obtain a shared certificate and push that to the cluster nodes:
This is the approach I would recommend for this situation as well. The certificate is shared state, and rather than duplicating it on-demand, it would be better to provide a way to distribute this state to the nodes that require it ahead of any expirations.
I can definitely understand that it makes sense to centralize the certificate, but it does require a significant amount of work to get it working (as opposed to simply having each individual node handling it on its own).
TXT records are fine. You just have to make sure your DNS software can add and remove records without wiping out the entire record set. Most ACME DNS clients should be okay – it was important to fix that when rolling out wildcard support.
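The race described earlier in the thread (several nodes publishing a DNS-01 challenge for the same name at once) and the point just made about add/remove versus overwrite semantics can be shown with a small simulation. The following Python is an added example, not code from the thread, from Traefik or from any DNS provider: the zone, the CA-side check and the account thumbprints are all constructed in memory, and `Zone`, `run_concurrent_issuance` and the other names are hypothetical. The TXT value is derived the way RFC 8555 §8.4 specifies (base64url of the SHA-256 of the key authorization); everything else is a model of the two update behaviours.

```python
"""Added example: two DNS-update behaviours for the _acme-challenge TXT
record set when several ACME clients validate the same name concurrently.
Nothing here talks to a real DNS provider or CA; it is an in-memory model."""
import base64
import hashlib
import secrets
from collections import defaultdict


def _b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Zone:
    """Constructed in-memory zone: name -> set of TXT values (a record set)."""

    def __init__(self):
        self.txt = defaultdict(set)

    def overwrite_txt(self, name: str, value: str) -> None:
        """Replace the whole record set (the behaviour the thread ran into)."""
        self.txt[name] = {value}

    def add_txt(self, name: str, value: str) -> None:
        """Add one value alongside whatever other clients already published."""
        self.txt[name].add(value)

    def remove_txt(self, name: str, value: str) -> None:
        """Remove only the value this client placed, leaving the others alone."""
        self.txt[name].discard(value)
        if not self.txt[name]:
            del self.txt[name]


def key_authorization_digest(token: str, thumbprint: str) -> str:
    """RFC 8555 §8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_auth = f"{token}.{thumbprint}".encode()
    return _b64url(hashlib.sha256(key_auth).digest())


def ca_validates(zone: Zone, domain: str, expected_value: str) -> bool:
    """The CA accepts the challenge if ANY TXT value under the name matches,
    which is what makes add/remove semantics sufficient for concurrent nodes."""
    return expected_value in zone.txt.get(f"_acme-challenge.{domain}", set())


def run_concurrent_issuance(domain: str, node_count: int, mode: str) -> list:
    """Model node_count nodes each publishing their own challenge before any
    of them is validated, then the CA checking each one.  mode is
    'overwrite' or 'add'.  Returns one True/False per node."""
    zone = Zone()
    name = f"_acme-challenge.{domain}"
    challenges = []
    for _ in range(node_count):
        # Each node has its own ACME account key, so its own thumbprint and
        # its own token; both are constructed randomly here.
        thumbprint = _b64url(secrets.token_bytes(32))
        token = secrets.token_urlsafe(32)
        value = key_authorization_digest(token, thumbprint)
        challenges.append(value)
        if mode == "overwrite":
            zone.overwrite_txt(name, value)
        elif mode == "add":
            zone.add_txt(name, value)
        else:
            raise ValueError(f"unknown mode: {mode}")
    results = [ca_validates(zone, domain, v) for v in challenges]
    # Clean-up: with add/remove semantics each node removes only its own value,
    # so the record set is empty again once every node has finished.
    if mode == "add":
        for v in challenges:
            zone.remove_txt(name, v)
    return results


if __name__ == "__main__":
    print("overwrite:", run_concurrent_issuance("example.com", 3, "overwrite"))
    print("add:      ", run_concurrent_issuance("example.com", 3, "add"))
```

With `overwrite` only the last node to publish passes validation (the others' values were wiped), whereas with `add` every node passes because the CA only needs one matching value in the record set; that is the property an ACME DNS integration has to preserve, and the one to check when a provider plugin appears to replace rather than append.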
This might be a limitation of Traefik (or its Azure DNS integration) then (as it looks like it's overwriting instead of adding).