Limits in Public Suffixes List

jacky.jones · July 28, 2020, 12:12pm

Hello,

I would to clarify about the way how Let’s Encrypt interacts with public domains that belongs to Public Suffixes List.
If I let’s say have my enterprise domain mydomain.com and I would like to have shared subdomain for my customers apps.mydomain.com, for example.
Then my customers are running their own apps by urls
https://customer-one.apps.mydomain.com
https://customer-two.apps.mydomain.com
https://customer-three.apps.mydomain.com
The domain apps.mydomain.com is added to PSL respectively so they are considered as independent enteties.
Basically the question is:
Will my customers be able to issue their own LE certificates for their websites (like customer-one.apps.mydomain.com) if the number of issued certificates have already reached its limit for the base domain mydomain.com ?
Thank you in advance!

stevenzhu · July 28, 2020, 12:39pm

I'm not quite sure how your base domain would affect, but from the rate limit determination of *.apps.mydomain.com, each of the subdomains are considered as a "new domain" for rate limit purpose. (So you can imagine your apps.mydomain.com would effectively become something similar to a domain extension)

Example:

1.apps.mydomain.com's rate limit will not appear on 2..apps.mydomain.com.

However, if these apps are hosted on your server, maybe you want to consider getting a wildcard certificate for all subdomains of apps.mydomain.com?

9peppe · July 28, 2020, 2:47pm

Yes, they will each have their own rate limits.

There is something you need to keep in mind, though: you won't be able to get a certificate for apps.mydomain.com -- it would be just like asking for a certificate for .com. I don't know how this applies to mydomain.com.

So you should probably register a second domain myuserapps.com and put that one in the PSL.

aral · August 2, 2020, 4:45pm

@9peppe Thank you for your replies here, they helped me also. I just wanted to point out that according to this Wildcard certificates and Public Suffix List you can issue a LE certificate for a domain that’s in the private section of the Public Suffix List, just not for one in the ICANN section (.com, .org, etc.). So, unless something has changed since @jsha’s reply in that post, @jacky.jones should be able to get a certificate for apps.mydomain.com.

system · September 1, 2020, 4:45pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Subdomains letsencrypt limits quotas Issuance Policy	7	1145	February 9, 2022
Arbitrary (sub)^n-domains, rate limits, wildcards, and the public suffix list Issuance Tech	4	2376	April 23, 2016
Rate limits and DDNS subdomains Feature Requests	4	873	February 17, 2019
Let's Encrypt Limit Increase Status? Help	5	800	February 28, 2019
Please consider having "subdomain+domain" not be subject to the same 5/7-days rate limit Issuance Policy	6	4148	February 20, 2016

Limits in Public Suffixes List

Related topics