Please have pity on a newbie

I would like to enable SSL on our church web site. I have a VERY basic question – please don’t mock me!! I’m using a LetsEncrypt certificate on my personal web page, but that has very little traffic.

The “rate limit” page says “The main limit is Certificates per Registered Domain (50 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.”

Does this mean that only 50 people per week can use the web site? In other words, is the certificate “issued” when the user accesses the web site and uses the certificate? Or is it limiting me to the number of domains?

Thank you very much,
…Jim…


The word issued refers to how many times a certificate is issued to (or renewed by) the requesting client software. Or to put it another way, a certificate is issued when the software client obtains or renews a certificate. It does not refer to how many times someone connects to the site using the certificate.


I am going to ask again for your forgiveness. I’ve been programming for 35 years, but never had to deal with web site security before – there were always other people for that!

“a certificate is issued when the software client obtains…” Is the software client the web server, or the person sitting in Timbuktu who views the web site with their browser?

I guess the bottom line question is: if the certificate is limited to 50 issues a week – does that mean that only 50 people can access the web site per week?

Thanks again!
…J…

Hi @jfstoves,

The certificate is a file which confirms that the certificate authority has verified the site’s cryptographic key. The content of the file doesn’t change and it doesn’t get “used up” in any way. The certificate authority (like Let’s Encrypt) doesn’t necessarily know when the certificate is used (presented), or where, by whom, or to whom—much like a government entity that issues a driver license doesn’t necessarily know when or where you show that license to someone.

Certificate issuance means that the certificate authority creates a new certificate. For Let’s Encrypt, this only has to happen once every couple of months. Since the certificate is a file, it can be copied indefinitely and used over and over again without any further intervention by the CA¹. The CA does not necessarily know, and does not attempt to control or restrict, how many people visit your web site. The act of visiting your site will cause a use of your certificate, but that’s distinct from the issuance (creation) of the certificate.

The “client software” that requests issuance of the certificate is usually a tool like Certbot that you run on your web server for this purpose.

As a specific example, this site (community.letsencrypt.org, the Let’s Encrypt Community Forum) uses Let’s Encrypt certificates. The site is quite popular and is visited by many thousands of people per day, so its certificate is used (and verified by individual users’ web browsers) many thousands of times per day. However, in the whole history of this site, it has only needed to have 27 certificates issued from Let’s Encrypt.

https://crt.sh/?Identity=community.letsencrypt.org&iCAID=16418

Those 27 certificates are the only thing that counts against the rate limit that you read about, and you can see that the site has only needed to issue 27 certificates over the course of 2.5 years!

¹ There is a mechanism called OCSP and another mechanism called OCSP stapling in which the CA can be involved on an ongoing basis in proactively confirming that the certificate hasn’t been revoked and is still valid. The OCSP mechanisms can involve browsers choosing to contact the CA to check that the certificate is still good, which does use some CA resources and require ongoing action on the CA’s part. Nonetheless, Let’s Encrypt has no particular limitation that I know of on how often OCSP queries will be answered, and these technologies aren’t associated with a particular Let’s Encrypt rate limit or limit on how often people can visit a web site. Perhaps a limit exists or would exist if, say, hundreds of millions of users frequently used browsers to visit a site in a way that resulted in OCSP queries on each visit. So far, this has never been an issue in the whole history of the Let’s Encrypt project.

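A simplified model of the counting rule described in the reply above, as an added Python example that is not part of this thread or of Let’s Encrypt’s own code: only issuance events within a trailing seven-day window count against the per-registered-domain limit, while TLS handshakes (“presented” events) never do. The tiny public-suffix table and the event log are constructed for the example, and the model ignores Let’s Encrypt’s other limits and exemptions.

```python
from datetime import datetime, timedelta

# Constructed stand-in for the Public Suffix List; the real list is far longer.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}

CERTS_PER_REGISTERED_DOMAIN = 50  # the weekly limit quoted in the thread


def registered_domain(hostname: str) -> str:
    """Registrable part: the longest matching public suffix plus one more label."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: assume the last two labels


def issuances_in_window(events, now, window=timedelta(days=7)):
    """Count certificate issuances per registered domain in the trailing window.

    Each event is (kind, hostname, timestamp). Only kind == "issued" counts;
    "presented" events (a browser receiving the certificate) are ignored.
    """
    counts = {}
    for kind, hostname, when in events:
        if kind != "issued" or when <= now - window or when > now:
            continue
        rd = registered_domain(hostname)
        counts[rd] = counts.get(rd, 0) + 1
    return counts


def remaining_quota(events, now, hostname):
    """How many more certificates this registered domain could obtain this week."""
    used = issuances_in_window(events, now).get(registered_domain(hostname), 0)
    return CERTS_PER_REGISTERED_DOMAIN - used


# Constructed event log: four issuances (one too old to count) and 200 site visits.
NOW = datetime(2019, 4, 15, 12, 0)
EVENTS = [
    ("issued", "www.example.com", NOW - timedelta(days=60)),
    ("issued", "www.example.com", NOW - timedelta(days=2)),
    ("issued", "mail.example.com", NOW - timedelta(days=1)),
    ("issued", "new.blog.example.co.uk", NOW - timedelta(days=3)),
] + [("presented", "www.example.com", NOW - timedelta(minutes=m)) for m in range(200)]

if __name__ == "__main__":
    print(issuances_in_window(EVENTS, NOW))  # {'example.com': 2, 'example.co.uk': 1}
    print(remaining_quota(EVENTS, NOW, "www.example.com"))  # 48
```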

jfstoves – I apologize for the delay. Work so screws up my life. And taxes too.

BUT – this was exactly the explanation I needed! Thank you so much.
