Does Let's Encrypt have a limitation on the number of certificates that can be issued for one server?


#1

Hi, we have a use case which needs to create hundreds of certificates for different merchant CNAMEs, like Shopify. Is there a maximum number of certificates that can be issued for a single server? If we need to renew the certificates automatically, is it OK that we renew all the certificates in one shot every day? Will Let’s Encrypt blacklist our server?

Any help would be appreciated! Thank you!


#2

There is no overall limit on the certificates per server, no. There are a number of rate limits - see https://letsencrypt.org/docs/rate-limits/

If that doesn’t answer your question, please provide a little more information about your use case.


#3

Thanks, it answers part of my question. But let’s say I have 500 hostnames. Is it OK that I try to renew them every day? Will Let’s Encrypt blacklist our server?


#4

If you have 500 completely independent host names, each certificate is valid for 90 days (for easier maths, I’ll say you renew a certificate after 50 days) so that’s 10 certificates per day that need renewal, so not an issue at all.

When you say “renew it every day” I assume you are only going to renew certificates that actually need renewal.


#5

I’m using this to renew everything: /opt/letsencrypt/letsencrypt-auto renew
Will this script auto-detect which certificates need to be updated? Is it OK that I run this script every day as a cron job?


#6

Yes, that is fine to run every day. It checks the certificates and doesn’t contact Let’s Encrypt unless a certificate needs renewal (within 30 days of expiry by default).
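Added example, not part of the original thread and not the client's own code: a small model of the daily check described in posts #4 and #6, showing how many renewals each daily run would trigger for 500 hostnames. The hostnames, dates and function names are constructed for illustration; the 90-day lifetime and 30-day window are the figures given in the thread.

```python
from datetime import date, timedelta

LIFETIME = timedelta(days=90)      # certificate validity stated in the thread
RENEW_WINDOW = timedelta(days=30)  # default renewal window stated in the thread


def due_for_renewal(expiry_by_host, today, window=RENEW_WINDOW):
    """Hostnames whose certificate expires within `window` of `today`."""
    return sorted(h for h, exp in expiry_by_host.items() if exp - today <= window)


def simulate_daily_runs(expiry_by_host, start, days):
    """Model one check per day; only due certificates are renewed.

    Returns a list with the number of renewals requested on each day.
    """
    inventory = dict(expiry_by_host)  # do not mutate the caller's data
    per_day = []
    for n in range(days):
        today = start + timedelta(days=n)
        due = due_for_renewal(inventory, today)
        for host in due:
            inventory[host] = today + LIFETIME  # renewed: fresh 90-day lifetime
        per_day.append(len(due))
    return per_day


def build_inventory(count, start, spread_days):
    """Constructed sample: `count` hostnames issued over the last `spread_days` days."""
    return {
        f"shop{i:03d}.example.com": start - timedelta(days=i % spread_days) + LIFETIME
        for i in range(count)
    }


if __name__ == "__main__":
    start = date(2024, 1, 1)  # arbitrary constructed start date
    staggered = simulate_daily_runs(build_inventory(500, start, 60), start, 120)
    bulk = simulate_daily_runs(build_inventory(500, start, 1), start, 120)
    print("issued over 60 days: peak renewals/day =", max(staggered))
    print("issued on one day:   peak renewals/day =", max(bulk))
```

When issuance was spread out, the daily run renews only a handful of certificates; when all 500 were issued on the same day, they all come due on the same day, which is the burst to compare against the rate-limit document linked in post #2.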


#7

Thank you so much for your help!


#8

@AOHUA, it would be a good idea to read the document that @serverco mentioned carefully, because it describes all of the rate-limiting policies in detail. One thing to note is that renewing the exact same certificate when it’s going to expire is treated as a special case, and is treated more leniently for rate limit purposes than obtaining a certificate with any changes at all. So if you are literally just doing a renewal with letsencrypt-auto renew then you have different treatment for rate limit purposes from, say, trying to add a new domain name to your certificate.

