But that’s exactly what it does. In fact, at the moment, the most certificates you can have per domain, ever, is 240. (20 domains per week, 12 weeks in 90 days, 240).
That’s perfectly valid, and if @jsha wants to confirm that THAT is the limiting factor, then of course that’s the end of the discussion. However, to me, that sounds counterintuitive. Signing a certificate isn’t computationally expensive.
I have a gut feeling that the validation of the hosts is where the resource contention issue lies. But that should be (relatively) trivial to scale, compared to a secure unit that’s actually SIGNING the cert.
That was a deliberately contrived example, but that’s not the main problem. The Public DNS list has stopped taking new registrations, because Letsencrypt has moved them suddenly and unexpectedly from a relatively unimportant and slow-to-update list of domain names to a critical part of the internet infrastructure.
If you want to use your domain to provide services that are more than just ‘www.mydomain.com’ and ‘mail.mydomain.com’, and you’re not on the (un-updateable) Public DNS list, then you just can’t use Letsencrypt.
There was a router manufacturer who posted here around the middle of last year. He wanted to preload all his devices with a valid SSL certificate. That’s impossible. Something like https://uuid-goes-here.s3compatibleservice.com is impossible too.
I could simply and trivially register 1-s3compatibleservice.com, 2-s3compatibleservice.com, 3-s3compatibleservice.com, etc, and it would have exactly the same load on LE as if the per-domain limits were removed.
With the per-domain limits, I have to ‘cheat’ and put MORE load on the backend machines, because I need to hammer the machines with certificate requests as soon as I’m able to, rather than renewing them when needed.
That’s why I don’t understand the point behind it.
Edit: I should point out, I’m mainly doing IPv6 work, and IoT stuff, which is why this limit keeps bothering me.
Edit 2: Here’s a less contrived example. Google is shutting down some Nest thermostats. Let’s say I wanted to open source them so people could keep using them. Each Nest device has a unique name and appears through NAT from where it’s located. Let’s assume that 5000 of them are revived with the open source code. They’ll slowly appear as they’re re-flashed with the new firmware, and then they’d want a valid SSL certificate, because you don’t want someone MitM’ing your house temperature. But because mynestname.opensourcenestcode.org (or whatever) is limited to 240 hosts, it can’t be done.