Hi, I’m looking into adding optional dual RSA+ECC cert configuration support into Caddy, and want to be sure I’m clear on the implications of doing so. I also would like its implementation to be optimal for resource use.
Should I create a new authz for each cert type? Or does it matter, since authz’s are cached by LE?
I’ll create a new CSR obviously, but will obtaining both certificates with those CSRs run up against the 5 identical certs per week rate limit? (Cutting the effective rate limit in half would be a problem for many Caddy users…)
In other words, what is the preferred, optimal way of obtaining both an RSA and ECC cert from Let’s Encrypt? How should a client handle this, ideally?
Right now I believe that, no matter what, this will count against the rate limits. I believe there was a proposal to treat this similarly to renewals so that it doesn’t, but I don’t believe that’s been implemented yet. @jsha should be able to tell you about this.
With the way Let's Encrypt is currently handling this, you wouldn't be able to create two authorizations at the same time for the same hostname, using the same ACME account. If you attempt to create another authorization, boulder will silently return the first authorization with a status of "valid". You could save a couple of round-trips to the ACME server by just issuing two new-cert requests after doing the whole POST new-authz > POST challenge > GET authz dance instead of issuing the two certificates independently, but that's probably not all that important.
Yep, there's no special case for RSA/ECC or anything like that. An identical (duplicate) certificate is simply defined as one where the hostnames match exactly. The public key (or its type) doesn't matter - five certificates with different keys, all valid for www.example.com, example.com would still be considered duplicates. Another way to put it: You can mess up once, but if you lose your private keys again, you'll only be able to get one more certificate (i.e. just one key type). There'd still be the option to work around the duplicate certificate rate limit by adding another subdomain, though IIRC Caddy doesn't do SAN certificates, so that might not be a workaround you could suggest for users running into a problem with this.
The "Certificates per Registered Domain (20 per week)" limit would be affected by this just as much, though of course there's an exemption for renewals, so you'd at least not lose the ability to renew certificates, short of running into the identical/duplicate cert limits.
@schoen and @pfg have done a great job responding.
Yep, this will count as two certificates for the purpose of rate limiting. Are your users more worried about the "certificates per name" limit or the "duplicate certificate" limit? I would be surprised if the latter was an issue in a well-configured system. The former might be a slight issue because of the ordering dependency on the renewal exception, but only if they are issuing a lot of other certificates under the same registered domain. And if we fix the ordering dependency, that issue should go away too.
Thank you–all three of you–for the extremely helpful replies!
I will keep this information in mind if this dual cert feature gets implemented into Caddy and be sure to document the extra queries against the rate limit.