Increasing rate limit


#1

Hello,
I ran into the error "Error creating new cert :: too many certificates already issued".
Can the rate limit be increased?
How can I avoid this issue with the rate limit? I need about 200+ production SSL certs.


#2

Is there any rate limit in the staging environment API?


#3

You can find information about applying for a rate limit exclusion there. However it may take many weeks or months for this to be accepted.

Staging has higher rate limits.

There’s a limit of 20 certificates per registered domain per week.

There is also a limit of 5 duplicate certificates per week. This one almost always occurs due to user error.

You will probably be running into one of the above.

You should elaborate on why you need so many certificates and whether they are across a single registered domain, or many.


#4

Thanks for info.

I read that in the manual before.
I can use SAN certs, but it will not be enough.
Does Let's Encrypt have a subscription for an unlimited number of certs?


#5

Hi @No1zzz,

Can you describe the purpose for which you’re using these certificates?


#6

HTTPS for an API in a monitoring tool; the client compares the server name and the certificate.


#7

Could you please give us a little more to work with here?

Are these all under the same domain? Who is running the servers? Why do the host names all have to be different? About how many different host names will there be?


#8

Sure,
Same domain.
Our company is running these servers.
They have to be different; how could they be the same? 200+ servers with the same hostname?
For each server there will be 1 hostname.
I can't use a wildcard because of limits of the client; it must ensure that certificate = hostname.


#9

It’s not unusual to have many servers with the same hostname, if the purpose of the different servers is load balancing. You can create DNS A records that point at the various servers and clients will choose one at random.

If the servers have different names because they provide different services, you can nonetheless combine multiple names in the same certificate and avoid triggering a certificate issuance rate limit. Let’s Encrypt allows up to 100 subject alternative names (SANs) in a single certificate, which only counts as 1 issuance event for rate limit purposes. The resulting certificate will be valid for any of those names. By this method, you can cover up to 2000 new names within the same domain per week without a rate limit exemption.

Some people don’t like the SAN certificates because it reveals to a client that the different services are hosted on the same infrastructure. We don’t regard hiding these details as a legitimate reason for a rate limit exemption by itself, and in this case we would recommend using a wildcard or choosing a different certificate authority.

If these options don’t work for some other reason and the servers are being hosted on behalf of a large number of different customers, a rate limit exemption might still be available but we would probably need to hear more architectural details to understand why it’s really necessary.
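
A worked example of the arithmetic in #3 and #9, added here as an editor's illustration (it is not code from this thread, from Let's Encrypt, or from any ACME client): hostnames are packed into certificates of at most 100 SANs and a planned batch is checked against the 20 certificates per registered domain per week and the 5 duplicate certificates per week limits quoted above. The host inventory is constructed, and the "registered domain = last two DNS labels" shortcut is an assumption that ignores the public suffix list:

```python
"""Rate-limit planning helper for SAN certificates.

Added example, not code from the original thread, from Let's Encrypt, or from
any ACME client. It packs hostnames into certificates of at most 100 SANs and
checks a planned batch against the two limits quoted in the thread:
  * 20 certificates per registered domain per week
  * 5 duplicate certificates (identical set of names) per week
Assumption: the registered domain is approximated as the last two DNS labels
(fine for example.com, wrong for co.uk-style public suffixes).
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

MAX_SANS_PER_CERT = 100          # names allowed in one Let's Encrypt certificate
CERTS_PER_DOMAIN_PER_WEEK = 20   # per registered domain
DUPLICATE_CERTS_PER_WEEK = 5     # certificates with exactly the same name set


def normalize(hostname: str) -> str:
    """Lower-case and strip a trailing dot so 'A.Example.COM.' and 'a.example.com' compare equal."""
    return hostname.strip().lower().rstrip(".")


def registered_domain(hostname: str) -> str:
    """Simplified eTLD+1: the last two labels (assumption; no public-suffix list is consulted)."""
    labels = normalize(hostname).split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified hostname: {hostname!r}")
    return ".".join(labels[-2:])


def name_set_key(names: Iterable[str]) -> Tuple[str, ...]:
    """Key under which two certificates count as duplicates: same names, any order or case."""
    return tuple(sorted({normalize(n) for n in names}))


def pack_sans(hostnames: Iterable[str], max_sans: int = MAX_SANS_PER_CERT) -> List[List[str]]:
    """Group hostnames by registered domain, then cut each group into SAN lists of <= max_sans names.

    Keeping each certificate inside one registered domain keeps the per-domain
    accounting simple: one issuance counts against exactly one domain.
    """
    by_domain: Dict[str, List[str]] = defaultdict(list)
    for h in {normalize(h) for h in hostnames}:       # the set drops duplicate hostnames
        by_domain[registered_domain(h)].append(h)
    certs: List[List[str]] = []
    for domain in sorted(by_domain):
        names = sorted(by_domain[domain])
        for i in range(0, len(names), max_sans):
            certs.append(names[i:i + max_sans])
    return certs


def check_rate_limits(planned: List[List[str]],
                      issued_this_week: Optional[List[List[str]]] = None) -> Dict[str, dict]:
    """Count certificates per registered domain and per exact name set over the rolling week.

    `issued_this_week` is what was already issued in the window (from your own
    client's records or a CT log search); `planned` is what you are about to
    request. Anything over a limit is reported.
    """
    per_domain: Counter = Counter()
    per_name_set: Counter = Counter()
    for names in list(issued_this_week or []) + list(planned):
        for domain in {registered_domain(n) for n in names}:
            per_domain[domain] += 1               # a cert spanning two domains counts against both
        per_name_set[name_set_key(names)] += 1
    return {
        "per_domain": dict(per_domain),
        "over_domain_limit": {d: c for d, c in per_domain.items() if c > CERTS_PER_DOMAIN_PER_WEEK},
        "over_duplicate_limit": {k: c for k, c in per_name_set.items() if c > DUPLICATE_CERTS_PER_WEEK},
    }


# Constructed inventory: 250 monitored hosts under one domain plus 10 under another.
HOSTS = [f"host{i:03d}.api.example.com" for i in range(1, 251)] + \
        [f"mon{i:02d}.example.net" for i in range(1, 11)]


if __name__ == "__main__":
    # One certificate per host, as in the original plan: 250 issuances against example.com.
    print(check_rate_limits([[h] for h in HOSTS])["over_domain_limit"])
    # Packed into SAN certificates: 3 for example.com, 1 for example.net, nothing over the limit.
    packed = pack_sans(HOSTS)
    print(len(packed), check_rate_limits(packed)["over_domain_limit"])
    # Requesting the identical name set six times trips the duplicate limit, not the domain limit.
    print(check_rate_limits([packed[0]] * 6)["over_duplicate_limit"])
```

The checker treats every issuance the same way; Let's Encrypt's published rules are slightly more lenient, since a renewal (a request for exactly the same name set) does not count against the per-domain limit but does count against the duplicate limit, so an exact model would skip the per-domain increment for renewals. The `name_set_key` normalisation is also why regrouping hosts (as #10 worries about) is not a renewal: a changed name set is a new certificate against the per-domain limit, while a renewal of an unchanged group only consumes the duplicate allowance.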


#10

It looks like this:
groups > hosts
You can build a SAN cert for the hosts in each group, but when you build another group with the same plus other hosts from other groups, this count increases and it can't fit 100 hostnames in 1 cert. While you add more hosts and groups you again build certs and add more logic to your automation for issuing certs.
Not a good situation here :)
How to renew certificates in this case? :) Adding more logic and checks for domains in certs.
Issuing 1 cert for each app/host is easier to manage and simpler.


#12

Sorry, I didn’t quite understand what you wrote. Are you saying that you’re likely to exceed the rate limits because new customers will sign up frequently and you’ll have to issue a new certificate each time a new customer joins?


#13

Yes, you are right. That is what I mean. It is one case of the whole system.


#14

OK, one more question: is there some reason that you couldn’t use wildcard certificates for this, since Let’s Encrypt now offers them?


#15

The client verifies the server hostname, so it's just impossible.


#16

Sorry, how do you mean that? What exactly is wrong with wildcards?

(I’m not trying to be difficult here—the people reviewing rate limit exemption requests will be skeptical and want to be sure that the rate limit exemption is really necessary. If they agree that it’s really necessary, a rate limit exemption is normally available.)


#17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.