Thanks to the new DNS validation, I’m now able to provide a gateway for my internal users to request certs for machines inside our network that will still work for all normal clients without installing extra CA certificates on IT-locked-down systems, etc.
However, it looks like the rate limits will be a significant issue if I turn this over to my users, since all of the requests will currently be coming from a single IP (corp external) and will all be subdomains of a single domain.
Are there any options other than telling my users “try again in N hours”? Normally this wouldn’t be an issue since they would be spread out, but on first availability there would be a lot more requested than normal.
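One way a gateway like the one described above can absorb the first-day burst without bouncing users is to queue issuance requests and hand each one a scheduled slot that respects a per-window cap, rather than forwarding everything to the CA immediately. The following is an added example written for this thread, not code from the original post or from any ACME client; the cap (`max_per_window`), the window length and the number of names packed into one certificate are placeholder parameters, not the CA’s real limits, and the hostnames are constructed.

```python
"""Gateway-side issuance scheduler (illustrative, not a real ACME client).

Each internal user submits (user, fqdn) pairs. The scheduler deduplicates
them, batches a single user's names into one certificate (never across
users, so private keys are not shared), and assigns every batch the
earliest time at which fewer than max_per_window issuances have happened
in the trailing window. Callers sleep until the returned time, then issue.
"""
from collections import defaultdict


class IssuanceScheduler:
    def __init__(self, max_per_window, window_seconds, names_per_cert=1):
        # Placeholder values: substitute the CA's published limits.
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.names_per_cert = names_per_cert
        self.issued_at = []  # planned issuance timestamps, non-decreasing

    def _next_slot(self, now):
        """Earliest time >= now at which one more issuance fits in the window."""
        if len(self.issued_at) < self.max_per_window:
            return now
        # The window is full: the next slot opens when the oldest of the
        # last max_per_window planned issuances ages out of the window.
        return max(now, self.issued_at[-self.max_per_window] + self.window_seconds)

    def plan(self, requests, now):
        """Return a list of (scheduled_time, user, [fqdn, ...]) batches.

        `now` is assumed to be monotonic across calls.
        """
        per_user = defaultdict(list)
        seen = set()
        for user, fqdn in requests:
            key = (user, fqdn.strip().lower().rstrip("."))
            if key in seen:  # same name requested twice: one cert covers it
                continue
            seen.add(key)
            per_user[user].append(key[1])

        plan = []
        for user, names in per_user.items():
            for i in range(0, len(names), self.names_per_cert):
                batch = names[i:i + self.names_per_cert]
                slot = self._next_slot(now)
                self.issued_at.append(slot)
                plan.append((slot, user, batch))
        return plan


def plan_summary(plan, now):
    """Map each user to the longest wait (seconds) any of their batches incurs."""
    waits = defaultdict(int)
    for slot, user, _ in plan:
        waits[user] = max(waits[user], int(slot - now))
    return dict(waits)


if __name__ == "__main__":
    # Constructed burst: five users hitting the gateway at the same moment.
    burst = [
        ("alice", "build01.corp.example"), ("alice", "build02.corp.example"),
        ("bob", "wiki.corp.example"), ("carol", "git.corp.example"),
        ("dave", "ci.corp.example"), ("dave", "ci.corp.example"),
    ]
    sched = IssuanceScheduler(max_per_window=3, window_seconds=3600, names_per_cert=2)
    for slot, user, names in sched.plan(burst, now=1000):
        print(f"t={slot:>5} {user:<6} {', '.join(names)}")
```

With the placeholder cap of three issuances per hour, the first three batches go out immediately and the fourth is told a concrete time (one window later) instead of a generic "try again"; tune the parameters to whatever limits actually apply and keep the queue persistent so a gateway restart does not lose pending requests.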