Please consider having "subdomain+domain" not be subject to the same 5/7-days rate limit


#1

There is a middle ground between “customer with a domain” and “public suffix”. For example for students at a university that have their own machines - “.device..edu”. That could be hundreds/thousands of different “domains” - but since you’re tracking it back to the same top level - it essentially lumps all of those students/users into a single rate limiting item.

I am definitely in agreement with the rate limit as applied to a particular single domain entry - i.e. re-issuances.

It sounded in another topic like you were working on a rate limit request form - will that address this?


#2

I think we’re essentially talking about two separate issues:

  • The Public Suffix List, which is an (admittedly rather long-term) stop-gap solution to determining boundaries between DNS names.
  • Let’s Encrypt’s usage of the PSL for rate limiting.

The first issue will hopefully be solved by the dbounds WG, though this will probably take years to be usable.

As for the rate limiting, the details (or an ETA) haven’t been publicly discussed yet, so I don’t know which use-cases it’s designed for. I would imagine something like student-specific subdomains for a university is something they would want to support.


#3

Echoing this request, as it’s exactly my use case–university students with individual subdomains. I was originally very excited about letsencrypt.org, both because of its simplicity and because few of my students can afford even $50 certs per machine, but the rate limit makes it completely unusable for them.


#4

I’d also really benefit from this and could use it for at least 2 projects I’m currently working on.

Once you have a few subdomains that aren’t hosted on the same server(s), renewing with any level of regularity does become a concern.


#5

Yes, I was bitten by this domain rate limit during renewal last week. Having requested 5 certificates for subdomains in December, I had to re-request new certificates. Two or three days before this I requested a new 6th subdomain cert (for another virtual machine) and was only able to renew 4 certs until the 7 days were over. This was unexpected.
This made me change my renewal policy to 30 days instead of 15 days, so as not to have expiring certificates because of this limitation.

What is the reason for this limit? Or maybe someone has at least a use case for this? I am not sure what’s the difference between 100 different names in a single cert and 100 different certs with a single name each. Especially compared to the very high limits of 500 requests per IP per 3h, for example, I don’t see how this limit on subdomains protects the LE infrastructure at all.
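To make the mechanics behind posts #1 and #5 concrete, here is an added example (not from any poster and not Let’s Encrypt’s own code): a small public-suffix lookup that maps every host under a university’s domain to one rate-limit bucket, and a sliding-window limiter that replays the renewal scenario above. The suffix snippet, the 5-per-7-days parameters, the hostnames and the dates are constructed assumptions for illustration, not the real Public Suffix List or the actual policy.

```python
# Added example: PSL-style bucketing plus a sliding-window issuance limit.
# The suffix set, limit parameters, hostnames and dates are constructed.
from datetime import date, timedelta
from typing import Dict, List

# Constructed public-suffix snippet; the real PSL is far larger.
PUBLIC_SUFFIXES = {"com", "org", "edu", "co.uk"}


def registered_domain(hostname: str) -> str:
    """Return 'public suffix + one label' for a hostname.

    The longest matching suffix wins, so 'www.example.co.uk' maps to
    'example.co.uk', not 'co.uk'. Every student machine under
    '*.device.example.edu' therefore lands in the same 'example.edu' bucket.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else suffix
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


class CertRateLimit:
    """At most `limit` issuances per registered domain in any `window_days`
    period (assumed 5 per 7 days, as the thread title describes)."""

    def __init__(self, limit: int = 5, window_days: int = 7) -> None:
        self.limit = limit
        self.window = timedelta(days=window_days)
        self.issued: Dict[str, List[date]] = {}

    def _recent(self, bucket: str, when: date) -> List[date]:
        return sorted(d for d in self.issued.get(bucket, []) if when - d < self.window)

    def request(self, hostname: str, when: date) -> bool:
        """Record an issuance and return True, or refuse and return False."""
        bucket = registered_domain(hostname)
        recent = self._recent(bucket, when)
        if len(recent) >= self.limit:
            return False
        self.issued[bucket] = recent + [when]
        return True

    def next_available(self, hostname: str, when: date) -> date:
        """Earliest date on which another issuance for this bucket would pass,
        i.e. when the oldest in-window issuance ages out."""
        bucket = registered_domain(hostname)
        recent = self._recent(bucket, when)
        if len(recent) < self.limit:
            return when
        return recent[len(recent) - self.limit] + self.window


def renewal_scenario() -> dict:
    """Replay post #5: five subdomain certs issued in December, a sixth new
    subdomain three days before renewal day, then renewal of the original five.
    Dates and hostnames are constructed."""
    rl = CertRateLimit()
    hosts = [f"vm{i}.example.edu" for i in range(1, 6)]
    initial = [rl.request(h, date(2015, 12, 1)) for h in hosts]
    renewal_day = date(2016, 1, 26)
    sixth_ok = rl.request("vm6.example.edu", renewal_day - timedelta(days=3))
    renewed = [h for h in hosts if rl.request(h, renewal_day)]
    blocked = [h for h in hosts if h not in renewed]
    # Planning aid: when does the bucket free up for the blocked cert?
    free_at = rl.next_available(blocked[0], renewal_day)
    retried = [h for h in blocked if rl.request(h, free_at)]
    return {
        "bucket": registered_domain(hosts[0]),
        "initial_issued": sum(initial),
        "sixth_issued": sixth_ok,
        "renewed_on_day": len(renewed),
        "blocked_on_day": len(blocked),
        "next_available": free_at.isoformat(),
        "renewed_after_window": len(retried),
    }


if __name__ == "__main__":
    print(renewal_scenario())
```

The replay shows why the renewal went the way it did: the sixth cert issued three days earlier still counts inside the window on renewal day, so only four of the five renewals fit, and the last one passes once the oldest in-window issuance is seven days old. The `next_available` helper is the check a practitioner would run before scheduling renewals, and it is the reason spacing renewals well ahead of expiry (as post #5 ended up doing) is the safe default under such a limit.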


Too many certificates already issued for: dlinkddns.com","status":429
#6

You can find a simple response here:

https://community.letsencrypt.org/t/quick-start-guide/1631?source_topic_id=9799

We know it’s restrictive at present; thank you for your patience in helping us ensure Let’s Encrypt is ready for the whole world.

LE is currently in the beta phase. Please be patient and don’t expect a service to be immediately fully available just because it’s open to the public.

There are also other technical reasons (based on the resources currently used by Let’s Encrypt to sign the certificates) that led toward the decision to rate limit the issuance of certificates, to better evaluate the service’s performance and needs. You can find some more technical (and official) explanations in various other responses from Let’s Encrypt representatives in this forum.


#7

[quote=“ScottHelme, post:4, topic:9799, full:true”]
I’d also really benefit from this and could use it for at least 2 projects I’m currently working on.

Once you have a few subdomains that aren’t hosted on the same server(s), renewing with any level of regularity does become a concern.
[/quote]

Indeed, I’ve run into the current limits too many times due to subdomain usage, so the only way is to use paid SSL wildcard certs for such projects.