ACME has roughly three steps:
1.) Register an account. This is effectively just associating a public key with an email address. If you shared the keypair of an account with all machines, you wouldn’t need to create new accounts, but that’s not really needed, as there’s no constraint on how many accounts you create with the same email address.
2.) Validate hostnames. This associates with an account the hostnames for which it’s allowed to issue certificates. The same hostname can be associated with multiple accounts. Here the challenges are used, like creating a file on a webserver or hosting an HTTPS server that responds with self-signed certificates for specific names.
3.) Request a certificate for one or more of the successfully validated hostnames. A certificate can be valid for up to 100 hostnames. The certificate is associated with the account in order to send reminder emails and such, but it doesn’t bind a domain or hostname to a specific account either; other accounts can still get a certificate for the same one, given they successfully validated it. Renewal is technically the same as this: a new certificate is simply issued.
The 10 registrations per IP per 3 hours limit applies to the first step. Once you have an account keypair successfully submitted, you don’t need to do it again. Only successful registrations count toward the limit.
In the above I said hostname but really meant FQDN,
example.com are distinct from that point of view. However, when it comes to understanding the 5 issuances per domain per 7 days limit, we first need to understand that
example.com have the same domain according to the public suffix list, namely
www.example.org has the domain
example.org. The limit prevents you from completing step 3 if there were already 5 certificates containing any hostname with any of the same domains in the current request issued within the last 7 days. Revocation of any of those previous certificates does not lower the count.
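The counting rule described above, as a Python sketch added to this page (not Let's Encrypt's code): it maps each FQDN to its registered domain and reports which domains in a new request have already reached 5 certificates in the last 7 days. The three-entry suffix set is an assumed stand-in for the full public suffix list (no wildcard or exception rules), and the history, hostnames and dates are constructed.

```python
from datetime import datetime, timedelta

# Assumption: tiny constructed stand-in for the public suffix list; a real
# check would load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}
LIMIT = 5                    # issuances per registered domain (from the text)
WINDOW = timedelta(days=7)   # sliding window (from the text)

def registered_domain(fqdn):
    """Return public suffix plus one label, e.g. www.example.com -> example.com."""
    labels = fqdn.lower().rstrip(".").split(".")
    # Longest matching suffix wins, so a.example.co.uk maps to example.co.uk.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{fqdn} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix for {fqdn}")

def blocked_domains(history, requested_names, now):
    """Registered domains in the request that already hit the limit.

    history: list of (issued_at, [fqdn, ...], revoked) tuples, one per
    certificate. A certificate counts once per registered domain it
    contains, and revoked certificates still count.
    """
    counts = {}
    for issued_at, names, _revoked in history:
        if now - issued_at >= WINDOW:
            continue  # issued outside the 7-day window
        for domain in {registered_domain(n) for n in names}:
            counts[domain] = counts.get(domain, 0) + 1
    wanted = {registered_domain(n) for n in requested_names}
    return sorted(d for d in wanted if counts.get(d, 0) >= LIMIT)

# Constructed sample history (hypothetical names and dates).
NOW = datetime(2016, 1, 10, 12, 0)
HISTORY = [
    (NOW - timedelta(days=1), ["www.example.com"], False),
    (NOW - timedelta(days=2), ["example.com", "mail.example.com"], True),  # revoked
    (NOW - timedelta(days=3), ["example.com"], False),
    (NOW - timedelta(days=4), ["shop.example.com", "www.example.org"], False),
    (NOW - timedelta(days=6), ["www.example.com"], False),
    (NOW - timedelta(days=8), ["example.org"], False),  # outside the window
]
```

With this history, a request naming `api.example.com` and `example.org` is blocked by `example.com` alone, because one name over the limit is enough to stop the whole certificate.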
So picking up the last example, say you successfully requested 2 certificates for
example.com, 2 for
example.com and 1 for
www.example.org, you can no longer request a cert for say
example.com exceeded its limit, but you can still request 4 certificates for
example.org, so for example