We are considering to use Let’s Encrypt for our website which will be visited by more than 40 millions users each day. As far as I know, everytime the certificate is renewed all devices need to request Let’s Encrypt. That means 40 millions requests a day. So can that workload be supported by Let’s Encrypt’s servers? Or is there any kind of cache mechanism between the browsers and Let’s Encrypt’s servers?
When a certificate is renewed, your server requests the certificate from Let's Encrypt (one time). Then your server delivers the certificate to those 40 million devices whenever they visit your site. In that respect, Let's Encrypt's servers are not involved in ordinary website visits.
There is a second aspect that your question does not ask about, but is relevant. And that is OCSP.
Unless your site implements OCSP stapling, then each of those 40 million devices will need to talk to Let's Encrypt's OCSP server every time they visit your site, to verify that the certificate has not been revoked.
However, if you implement OCSP stapling on your server (which is usually very simple to do, it'll be in your web server's docs), then your server will cache the OCSP response itself, and then deliver that to your 40 million devices. So once again, Let's Encrypt's capacity will not affect your website.
It's not mandatory to implement OCSP Stapling - Let's Encrypt has a very capable CDN caching the OCSP responses already, but if you want to lower your website's ongoing reliance on Let's Encrypt's servers, it's certainly a good idea.
You can verify whether OCSP Stapling is enabled on your website using Qualys' SSL Labs test.
7 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.