How is the 20 certificates per domain per week counted?


#1

According to the docs, there’s a limit of 20 certificates per domain per week.

The docs also state that “Also note: the order of renewals and new issuances matters. To get the maximum possible number of certificates, you must perform all new issuances before renewals during a given time window.”

From when to when does this window run? Is that Monday through Sunday, or Sunday through Saturday? We’ve been using LE quite intensively over the past year and are currently at the point where we probably have around 200 hosts with a certificate. Given that certs are renewed once they go below 30 days of validity, that gives on average roughly 28 domains that need to be renewed each week. That’s not a problem for renewals, but we regularly run against the limit when registering a new host. So we scheduled the renewals to run on Saturday, thinking it was near the end of the week, but apparently that doesn’t work, since today is Monday and we’ve hit the limit already (we had 4 renewals on Saturday, and 2 on Sunday).


#2

Hi @tomcanbe,

It’s a rolling window, so what’s counted is issuances in the past 168 hours at any moment when you request the issuance of a new certificate.


#3

Well, that sucks… (at least for us). That makes planning for renewals nearly impossible, as renewing more than 20 certs per week (+/-180 certs over a 60-day period) will result in hitting that limit no matter how carefully you plan, preventing the issuance of new certs.


#4

@jsha, would you like to comment on how other sites have been scheduling their issuance and renewals?


#5

In the meantime, I also came across this GitHub issue regarding this problem. I took the liberty of adding a suggestion to look into switching to a fixed window.


#6

Thanks for the suggestion! Sounds like you’ve found the info you need, but tl;dr: we know this is currently a pain point, and we’re sorry. We will fix it when we are able to make time in our schedule. I appreciate the ongoing feedback from folks like you.

A stopgap solution might be to align your renewals so they all happen on the same day. Then one week out of every 60 day period would see you in a rate limit situation, but the rest of that period would be open for new issuance.
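
The rolling 168-hour window from reply #2 and the aligned-renewal stopgap from reply #6, worked through as an added example (not code from Let's Encrypt or from anyone in this thread). It assumes, as the first post describes, that renewals always succeed but still count toward the limit; the function names, the midnight renewal time and the noon check are hypothetical.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(hours=168)  # rolling window, per reply #2
LIMIT = 20                     # certificates per domain per week

def issued_in_window(issuances, now):
    """Number of issuances in the 168 hours up to and including `now`."""
    return sum(1 for t in issuances if now - WINDOW < t <= now)

def can_issue_new(issuances, now):
    # Assumption from the thread: renewals always succeed but still count.
    return issued_in_window(issuances, now) < LIMIT

def next_open_slot(issuances, now):
    """Earliest time >= now at which a new issuance fits under the limit."""
    recent = sorted(t for t in issuances if now - WINDOW < t <= now)
    if len(recent) < LIMIT:
        return now
    # Enough old entries must age out to leave LIMIT - 1 in the window.
    return recent[len(recent) - LIMIT] + WINDOW

def open_days(renewals_per_day, period_days=60):
    """Days per renewal period on which a new host could be registered.

    renewals_per_day maps day-of-period -> renewals run at 00:00 that day;
    the schedule repeats, and the check is made at 12:00 each day.
    """
    start = datetime(2024, 1, 1)  # constructed date, any would do
    issuances = [start + timedelta(days=d + p * period_days)
                 for p in (-1, 0)  # previous period still reaches into this one
                 for d, n in renewals_per_day.items()
                 for _ in range(n)]
    return sum(can_issue_new(issuances, start + timedelta(days=d, hours=12))
               for d in range(period_days))

HOSTS = 200  # figure from the first post
spread = Counter(i % 60 for i in range(HOSTS))  # 3-4 renewals every day
aligned = {0: HOSTS}                            # all renewals on one day

if __name__ == "__main__":
    print("open days, spread :", open_days(spread))
    print("open days, aligned:", open_days(aligned))
```

With renewals spread evenly, every 168-hour window already holds more than 20 issuances, so no day is open for a new host; with all renewals on one day, only the week that follows it is blocked.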

