How do these large SaaS applications use letsencrypt to generate tens of thousands of certs?


#1

SaaS companies that use letsencrypt have tens of thousands to hundres of thousands of domains that they issue certificates for. How exactly do they generate these certs at such a scale?

I understand you can stagger your cert generation, is that basically what they do?
They have a dedicated service that creates/renews certs or is there something more complicated going on behind the scenes?


#2

Do they? Could you give an example?

Besides from that: if your client does not fail, there is no limit on certificate issuance.
IMHO most rate limits (https://letsencrypt.org/docs/rate-limits/) apply to misbehaving clients only.

The only exception is issuing certificates for many sub domains of a given domain name.


#3

#4

So would these large scale usages of lets-encrypt just be using the API like everyone else?

They just have built out more advanced service to generate/renew certs as they have thousands to do and not just 1 or 2.


#5

LetsEncrypt does not enforce the per-domain rate limits on domains in the Public Suffix list

This is a project maintained by Mozilla - https://publicsuffix.org/

Heroku has 2 domains on the PSL

Otherwise, the rate-limits by IP and account are rather generous. Many enterprise users also use dedicated accounts per cluster/node, to limit the effects of compromised systems.


#6

I’m not sure I follow you.

If for example on heroku I add my custom domain bluebikes.com, they will issue a lets-encrypt cert for bluebikes.com. What does the 2 PSL heroku domains herokuapp or herokussl have to do with this?


#7

Well, in that case, nothing. It wouldn’t likely have anything to do with any rate limits because that domain isn’t shared, and presumably you haven’t been issuing a bunch of certificates for it yourself. If you’re asking how Heroku can get a certificate for your name, either Heroku has the ability to update the DNS for your domain to add TXT records, or respond to HTTP requests over port 80 for the /.well-known/acme-challenge URL.


#8

A: What @jared.m said above.

The rate limits most people run into are the per-domain limits (20 certificates per domain per week). That limit does not apply to public suffix domains, which many providers use.

The other rate limits that apply to ‘unique domains’ are very generous, with some examples being:

  • New accounts/certs/auths are 20 requests per second (per IP, i believe)
  • 10 accounts per IP per 3 hours
  • 300 pending auths per account

Generating/maintaining tens of thousands of certificates within these numbers is not very hard to do, and doesn’t really require throttling/rate-limiting in many situations (unless you have 20+ concurrent workers). You can apply for a large provider exemption if needed, but that often isn’t necessary.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.