How to deal with rate limits for a bunch of internal servers behind a corporate IP?

Thanks to the new DNS validation, I’m now able to provide a gateway for my internal users to request certs for machines inside our network that will still work for all normal clients without installing extra CA certificates on IT-locked-down systems/etc.

However, it looks like the rate limits will be a significant issue if I turn this over to my users since all of the requests will currently be coming from a single IP (corp external) and will all be subdomains of a single domain.

Are there any options other than telling my users “try again in N hours”? Normally this wouldn’t be an issue since they would be spread out, but on first availability, there would be a lot more requested than normal.

Let’s Encrypt is planning to introduce a rate-limit override form for domains that regularly exceed the rate limits. It’s unclear whether your use-case would qualify though, as they haven’t released any details yet.

The IP-based rate limits probably won’t be a problem, I’d imagine you’ll run into the 5 certificates per domain per 7 days limit much sooner. Maybe try a staggered rollout, with one user per day or something similar?
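As an added illustration (not code from this thread or from Let’s Encrypt), here is a sliding-window planner such a gateway could use: it counts issuances per registered domain, applies the 5-per-7-days limit quoted above (kept as a parameter so it can follow whatever limit actually applies), and returns the earliest time a request could go through instead of a bare refusal, which also yields a staggered rollout schedule. Grouping by the last two labels is a simplifying assumption; a real gateway should use the public suffix list.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 5                   # certificates per registered domain ...
WINDOW = timedelta(days=7)  # ... per 7-day sliding window (as quoted in the reply)


def registered_domain(hostname: str) -> str:
    """Naive grouping key: last two DNS labels (assumption; use the PSL in production)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def next_allowed(issued, now, limit=LIMIT, window=WINDOW):
    """Return (allowed_now, earliest_time) for one more cert under a sliding window.

    `issued` holds issuance times of certs sharing the registered domain; entries
    that lie in the future are already-scheduled requests and count as well."""
    recent = sorted(t for t in issued if now - t < window)
    if len(recent) < limit:
        return True, now
    # The limit-th most recent issuance must age out of the window before
    # another request fits; everything older than it is irrelevant.
    blocking = recent[-limit]
    return False, blocking + window


def plan_requests(hostnames, issued_by_domain, now):
    """Assign each hostname the earliest slot that keeps its domain under the limit.

    Returns {hostname: datetime}; the history is copied so the caller's log is untouched."""
    state = {d: list(ts) for d, ts in issued_by_domain.items()}
    schedule = {}
    for host in hostnames:
        history = state.setdefault(registered_domain(host), [])
        _, when = next_allowed(history, now)
        schedule[host] = when
        history.append(when)  # reserve the slot for subsequent planning
    return schedule


def example_schedule():
    """Constructed sample: six hosts under one domain, no prior issuances."""
    now = datetime(2016, 1, 20, tzinfo=timezone.utc)
    hosts = [f"host{i}.internal.example.com" for i in range(1, 7)]
    return now, plan_requests(hosts, {}, now)


if __name__ == "__main__":
    now, schedule = example_schedule()
    for host, when in schedule.items():
        print(f"{host}: wait {(when - now).days} day(s)")
```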


Ugh, yeah, I think you’re right - that 5 per 7 will be a killer.