New Duplicate Certificate Rate Limit

griffin · May 17, 2021, 10:16pm

I hope that I'm not stealing the Let's Encrypt staff's thunder, but it has finally happened...

We asked...

They delivered!

github.com/letsencrypt/boulder

Add lower, faster duplicate certificate rate limit

letsencrypt:main ← letsencrypt:hourly-dupe-limit

opened 04:56PM - 26 Apr 21 UTC

aarongable

+99 -28

Add a new rate limit, identical in implementation to the current `CertificatesP…erFQDNSet` limit, intended to always have both a lower window and a lower threshold. This allows us to block runaway clients quickly, and give their owners the ability to fix and try again quickly (on the order of hours instead of days). Configure the integration tests to set this new limit at 2 certs per 2 hours. Also increase the existing limit from 5 to 6 certs in 7 days, to allow clients to hit the first limit three times before being fully blocked for the week. Also add a new integration test to verify this behavior. Note that the new ratelimit must have a window greater than the configured certificate backdate (currently 1 hour) in order to be useful. Fixes #5210

Note: This is not yet in production and thus not yet in force.

schoen · May 17, 2021, 10:36pm

Yay! Thanks @aarongable and colleagues.

(Of course this implementation is different from having the new rate limit applied in production, but I'm so happy to see this making progress!)

griffin · May 29, 2021, 3:50pm

I noticed that the wording of the current duplicate certificate rate limit has now changed in production. Still 7 days though.

Osiris · May 29, 2021, 6:57pm

Which change are you referring to @griffin? The rate limit docs still use phrasing from 2 years ago.

griffin · May 29, 2021, 7:11pm

This is the new wording I was meaning:

Osiris · May 29, 2021, 7:17pm

Aah, I see, the PR mentioned above is active in production Just that the newly developed rate limit hasn't been enabled yet. I get it now

kalosman3000 · May 29, 2021, 7:39pm

Griffin,

You have been truly helpful.

Much appreciated.

Thanks.
Kal Osman

griffin · May 29, 2021, 8:44pm

You are quite welcome!

system · June 28, 2021, 8:45pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
New rate limit meaning Issuance Policy	6	2814	September 5, 2017
Soft rate limit Issuance Policy	19	1957	May 9, 2021
Rate Limits clarification Issuance Policy	6	2150	September 4, 2017
Please add note to Rate Limits documentation Site Feedback	1	1254	January 16, 2017
Duplicate certificate limit? Help	6	1180	October 12, 2023

New Duplicate Certificate Rate Limit

Related topics