SaaS companies that use Let's Encrypt have tens of thousands to hundreds of thousands of domains that they issue certificates for. How exactly do they generate these certs at such a scale?
I understand you can stagger your cert generation, is that basically what they do?
They have a dedicated service that creates/renews certs or is there something more complicated going on behind the scenes?
Apart from that: if your client does not fail, there is no limit on certificate issuance.
IMHO most rate limits (Rate Limits - Let's Encrypt) apply to misbehaving clients only.
The only exception is issuing certificates for many sub domains of a given domain name.
Otherwise, the rate-limits by IP and account are rather generous. Many enterprise users also use dedicated accounts per cluster/node, to limit the effects of compromised systems.
If for example on Heroku I add my custom domain bluebikes.com, they will issue a Let's Encrypt cert for bluebikes.com. What do the 2 PSL Heroku domains, herokuapp or herokussl, have to do with this?
Well, in that case, nothing. It wouldn’t likely have anything to do with any rate limits because that domain isn’t shared, and presumably you haven’t been issuing a bunch of certificates for it yourself. If you’re asking how Heroku can get a certificate for your name, either Heroku has the ability to update the DNS for your domain to add TXT records, or respond to HTTP requests over port 80 for the /.well-known/acme-challenge URL.
The rate limits most people run into are the per-domain limits (20 certificates per domain per week). That limit does not apply to public suffix domains, which many providers use.
The other rate limits that apply to ‘unique domains’ are very generous, with some examples being:
New accounts/certs/auths are 20 requests per second (per IP, I believe)
10 accounts per IP per 3 hours
300 pending auths per account
Generating/maintaining tens of thousands of certificates within these numbers is not very hard to do, and doesn’t really require throttling/rate-limiting in many situations (unless you have 20+ concurrent workers). You can apply for a large provider exemption if needed, but that often isn’t necessary.
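As an added illustration (not code from this thread or from Let's Encrypt), the sketch below shows how a renewal scheduler can stay inside the per-registered-domain weekly limit quoted above: it derives the registered domain for each name, treats names directly under a public suffix as their own registered domain (which is why the limit effectively does not bite for *.herokuapp.com style names), and pushes overflow into later weekly slots. The suffix matcher is a simplified stand-in for the real Public Suffix List, the suffix set and limit value are assumptions taken from the post, and the sample names are constructed.

```python
from collections import Counter, defaultdict

# Limit as quoted in the post above (check the current Let's Encrypt
# rate-limit page before relying on it in production).
PER_DOMAIN_PER_WEEK = 20


def registered_domain(fqdn, public_suffixes):
    """Return the registered domain the per-domain weekly limit counts against.

    public_suffixes is a caller-supplied set standing in for the Public
    Suffix List (hypothetical simplification). Returns None when the name
    itself is a public suffix, since nothing can be issued against that.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in public_suffixes:
            # Registered domain = one label + the matched public suffix.
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # fallback when no suffix matched


def plan_renewals(fqdns, public_suffixes, already_issued=None,
                  limit=PER_DOMAIN_PER_WEEK):
    """Assign each FQDN to the earliest weekly slot (0 = this week) such that
    no registered domain exceeds `limit` issuances in any one week.

    already_issued maps registered domain -> certs issued so far this week,
    so a fresh batch respects what previous runs consumed.
    """
    used = defaultdict(int)  # (registered_domain, week) -> issuance count
    for rd, n in (already_issued or {}).items():
        used[(rd, 0)] = n
    plan = {}
    for fqdn in fqdns:
        rd = registered_domain(fqdn, public_suffixes)
        if rd is None:
            continue  # a bare public suffix is not issuable; skip it
        week = 0
        while used[(rd, week)] >= limit:
            week += 1
        used[(rd, week)] += 1
        plan[fqdn] = week
    return plan


def weekly_load(plan):
    """Summarise a plan as {week: number of certificates to issue}."""
    return dict(Counter(plan.values()))
```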