I work for a domain name registrar and we want to secure about 1 million domains using LetsEncrypt. Is this an acceptable use of LetsEncrypt?
Most of the domains are parked, or have for-sale landing pages on them. But it would be nice if we could secure them. And about 100,000 have websites using our in-house site builder that we would like to secure.
We applied for a rate limit increase using the rate limit form about 2 weeks ago. We have not heard back, though it does say it takes a few weeks to process.
My question is: should we take any other action, or just wait? Thank you.
If you use one account to create all these certificates, then you need an increase. If you create one account per domain (or per 200 domains), you don't need a rate limit increase.
Most rate limits are domain based: Max. 50 certificates / domain / week, max. 5 identical / week.
Check
You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design using one account for many customers.
and
For users of the ACME v2 API you can create a maximum of 300 New Orders per account per 3 hours.
Hi! We don’t have an official policy on domain parking, but here are my thoughts: Our main goal is to protect as much browsing activity as possible for as many users as possible. We really care about making the “Percentage of Page Loads over HTTPS” numbers at https://letsencrypt.org/stats/ go up, and also extending the protections of HTTPS to sites that wouldn’t otherwise be able to get it, at very low cost.
Parked domains have very few users in general, so they are a less efficient use of Let’s Encrypt resources, and the resources of CT Log operators, than active websites are.
I think it makes a lot of sense to use Let’s Encrypt to get certificates for your domains that have active websites on them via your website builder. I think, for now, it would be better to not issue certificates to parked domains until they are purchased or have a real website deployed on them.
Thank you for your detailed response. I checked with our engineers and we are using one account, as suggested for large integrators.
Here are some numbers on our business:
We register about 5000 new domains per day.
We have about 1.5 million existing domains whose certs would have to be renewed every 3 months. That is about 16000 SSL certs a day.
So we would need a quota of about 5000 + 16000 = 21000 SSL certs a day, or about 900/hour. That said, an even larger quota would be appreciated, so we can hurry up and get those 1.5 million domains secured immediately, instead of over a 90 day period.
Hello, just wondering if we are going to get a rate limit increase? We submitted the Google form about a month ago. Let me know if I need to do anything else to move the process forward.
Parking is one way for registrants to see that their domain is expired. We do send out many expiration emails to the registrant. But sometimes their email is not working, or they don’t check their emails. When they see (or their users see) that their domain is parked, they will know they have to renew their domain.
Parking is pretty industry standard I believe. I can’t think of a registrar that doesn’t park the domain when it expires.
Would love to add LetsEncrypt to our domains. Imagine a million domain names secured from registration all the way to expiration. Just need a rate limit increase.