Creating 1500 certificates


#1

Hi,
I have a server running 1500 sites (each one with a different domain).
I want to use Let’s Encrypt to create certificates for them.

First question… Is there any limitation for creating 1500 certificates?
Second question… In the FAQ section I saw that “In some cases, integrators (e.g. hosting providers) will charge a nominal fee that reflects the administrative and management costs they incur to provide Let’s Encrypt certificates.”
How can I know how much the nominal fee is?

Thanks,
Yaniv


#2

Hi @yanivpeleg,

In this case, you are the integrator. That means that if you want, you can charge your users a fee for providing the certificate (if you have users). It doesn’t mean that Let’s Encrypt will charge you a fee.


#3

No, if they are all for different domains, there is no such restriction. Please see


#4

As @schoen says, you’re the integrator, and thus you’re the one who may (but certainly are not required to) charge a fee. And there’s no limitation on the amount, so you may charge your customers as much as you think they’ll pay. But if you charge them any significant amount, and they ask here, we’ll likely suggest they use a less user-hostile host.


#5

Hi @schoen

I have additional questions about this.

Within a short time (e.g. within one hour),
can one server create certificates for 1500 different domains?
(One IP is used.)


#6

Assuming you mean 1500 certificates, you would not be able to do this:

For users of the ACME v2 API you can create a maximum of 300 New Orders per account per 3 hours.

You’ll need to spread it out over at least 15 hours = (1500 / 300) * 3.

(That is, unless you get a rate limit exemption for your ACME account. Getting an exemption may be a good idea in your case).


#7

@_az
Thank you for the answer.


#8

If you’re willing to include multiple domains in a single certificate, you can potentially cover up to 200 domains per certificate and 300 certificates per hour = 60000 domains covered per hour (per account). However, there may be many reasons not to include 200 different domains in a single certificate, such as renewal problems if even one of those domains is no longer under your control (or simply experiences a technical problem) when you need to renew.
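
A pacing plan built from the figures quoted in posts #6 and #8 (300 New Orders per account per 3 hours, up to 200 names per certificate), added here as an illustration and not posted by any participant in the thread. The function names and the `.example` hostnames are assumptions; the script only plans when each order may be submitted and does not contact an ACME server.

```python
from datetime import timedelta

# Figures quoted in the thread; check the current Let's Encrypt rate-limit
# documentation before relying on them.
MAX_ORDERS = 300                  # New Orders per account ...
WINDOW = timedelta(hours=3)       # ... per 3 hours (ACME v2)
MAX_NAMES_PER_CERT = 200          # upper bound on names in one certificate


def plan_orders(domains, names_per_cert=1, max_orders=MAX_ORDERS, window=WINDOW):
    """Return [(offset, [names...]), ...] with orders paced evenly so that no
    window of length `window` ever contains more than `max_orders` orders."""
    if not 1 <= names_per_cert <= MAX_NAMES_PER_CERT:
        raise ValueError("names_per_cert must be between 1 and 200")
    # De-duplicate case-insensitively, keeping first-seen order.
    unique = list(dict.fromkeys(d.strip().lower() for d in domains if d.strip()))
    groups = [unique[i:i + names_per_cert]
              for i in range(0, len(unique), names_per_cert)]
    spacing = window / max_orders          # 3 h / 300 = 36 s between orders
    return [(i * spacing, names) for i, names in enumerate(groups)]


def max_in_any_window(plan, window=WINDOW):
    """Largest number of planned orders inside any half-open window [t, t+window)."""
    offsets = [off for off, _ in plan]
    worst = start = 0
    for end, t in enumerate(offsets):
        while t - offsets[start] >= window:
            start += 1
        worst = max(worst, end - start + 1)
    return worst


if __name__ == "__main__":
    # Constructed sample input: 1500 placeholder hostnames.
    sites = [f"site{n}.example" for n in range(1500)]
    plan = plan_orders(sites)
    print(len(plan), "orders, last one starts at", plan[-1][0])
    print("busiest 3-hour window:", max_in_any_window(plan), "orders")
```

Passing `names_per_cert` greater than 1 groups the hostnames into multi-name certificates, which shortens the schedule at the cost of the renewal coupling described in post #8.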


#9

If you use the ACME v1 API, though, there’s no such restriction. You’d just be limited by:

The “new-reg”, “new-authz” and “new-cert” endpoints have an Overall Requests limit of 20 per second. The “/directory” endpoint and the “/acme” directory & subdirectories have an Overall Requests limit of 40 requests per second.

While the v1 API won’t exist forever, and I wouldn’t encourage building new services on top of it, if your software supports it and you’re not using wildcards, you might as well take advantage of it.


#10

If we use the ACME v1 API,
Are there no such restrictions?

  • You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours.

#11

Which restrictions? The “New Orders” rate limit is only for ACME v2. The “Accounts” rate limits apply to both.

