Limits per domain and security concern when pointing a 3rd party with a subdomain

I allow usage of a few subdomains in my domain to a 3rd party by pointing to their server IP addresses with A records. That 3rd party can make so many Let's Encrypt certification attempts (using web auth) that they will cause the per-domain limit to take effect, and then I can't issue Let's Encrypt certificates even for my own domain. I don't see any method of protecting against this, and that is a security concern.

Hi,

In this case, what do you want to do?

If that subdomain is going to be publicly shared with all users, you can add it to the Public Suffix List, just to exempt the subdomains (not sure if possible, however worth a try). In this case your domain will have a larger rate limit that is unlikely to be hit.

If you are in control of the domain and you are simply adding A records for the third-party server, you may also include a CAA record preventing them from obtaining certificates on their own (you may create your CAA policy using a CAA Record Generator):

something.example.com. IN A 192.0.0.2
something.example.com. IN CAA 0 issue ";"

Note that such a record would block issuance for something.example.com from any publicly trusted CA. They'll have to ask you to whitelist the CA they want to use for certificates.

Also, this is not a solution if you want to allow them to use Let's Encrypt but impose limits on how many certificates they may obtain. In this case the best solution would be to obtain certificates on their behalf using the DNS challenge, but you'll have to lift the CAA record limitation temporarily, which may allow them to abuse this. Unfortunately, ACME-specific extensions for CAA records (allowing only specific account IDs to issue, allowing only specific validation methods, like DNS-01 and not HTTP-01) are not yet available.

3 Likes
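To see how a CA actually evaluates the `CAA 0 issue ";"` record suggested above, here is an added example (not code from the original thread or from any CA) that implements the CAA lookup rule from RFC 8659: the relevant record set is the one at the name itself or, failing that, at the closest ancestor that has one, and an `issue` property whose value is `;` names no issuer, so every CA is denied. The zone snapshot is constructed for this illustration; `example.com` is assumed to permit Let's Encrypt at the apex while `something.example.com` is pinned closed, and a `partner.example.com` name with `issuewild ";"` shows the wildcard-specific property. Property parameters after `;` in a value are stripped and ignored here.

```python
from dataclasses import dataclass

# Flag bit 0x80 marks a property as issuer-critical (RFC 8659 section 4.1).
CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0, or CRITICAL
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org", ";" (no issuer), "ca.test; accounturi=..."


# Constructed zone snapshot (assumption for the example, not real DNS data).
ZONE = {
    "example.com.": [CAARecord(0, "issue", "letsencrypt.org")],
    "something.example.com.": [CAARecord(0, "issue", ";")],
    "partner.example.com.": [CAARecord(0, "issue", "letsencrypt.org"),
                             CAARecord(0, "issuewild", ";")],
    "odd.example.com.": [CAARecord(CRITICAL, "futuretag", "x")],
}


def relevant_caa_rrset(name, zone):
    """RFC 8659 section 3: climb from the name toward the root and return the
    first non-empty CAA RRset found, together with the owner name it came from."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuer_domain(value):
    """'letsencrypt.org; accounturi=...' -> 'letsencrypt.org'; ';' -> '' (no issuer)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name, ca, zone):
    """Decide whether CA `ca` may issue for `name` (a wildcard is written '*.host').
    Returns (allowed: bool, reason: str)."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    origin, rrset = relevant_caa_rrset(base, zone)
    if not rrset:
        return True, f"no CAA at {base} or any ancestor; issuance unrestricted"

    # A critical property the CA does not understand must block issuance.
    for r in rrset:
        if r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property {r.tag!r} at {origin}"

    # Wildcards use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    allowed = [issuer_domain(r.value) for r in rrset if r.tag.lower() == tag]
    if not allowed:
        return True, f"relevant set at {origin} has no {tag} property; unrestricted"
    if ca.lower() in allowed:
        return True, f"{ca} permitted by {tag} at {origin}"
    shown = [a or "<no issuer>" for a in allowed]
    return False, f"{ca} not permitted by {tag} at {origin} (allowed: {shown})"


if __name__ == "__main__":
    for n in ["something.example.com", "deep.something.example.com",
              "www.example.com", "*.partner.example.com", "host.partner.example.com",
              "odd.example.com", "unrelated.test"]:
        ok, why = ca_may_issue(n, "letsencrypt.org", ZONE)
        print(f"{n:32} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Two points the walk makes visible: names below the pinned subdomain (`deep.something.example.com`) inherit the `;` denial because the climb stops at the first CAA set it meets, and any label that has no CAA of its own (`www.example.com`) inherits the apex policy, so an `issue` record at the apex is what keeps your own names restricted to the CA you chose.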

You may find the Renewal Exemption useful; you should always be able to renew your certificates when needed.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.