Are the “Overall Requests” rate limits based on the IP or Account? This is not clear on the official rate limits page (see https://letsencrypt.org/docs/rate-limits/).
I think it’s IP address. At least, it’s not enforced on the Boulder level from what I can see, so the load balancers/CDN would have to do some fancy footwork to figure out the account ID.
Edit: Now that I’ve read it again, the Overall Requests paragraph still refers to ACME v1 endpoints. Filed https://github.com/letsencrypt/website/issues/942
Not the answer I was hoping for.
I doubt I’ll ever hit this; I’m just working out some features on my client to clear an authorization or abandon an order (and clear all related auths).
They’re based on source IP address. Like @_az mentioned (thanks!) these limits are enforced ahead of Boulder and any processing of request JWS’ that would tie a request to a particular account ID.