Public beta rate limits


#1

Per https://community.letsencrypt.org/t/beta-program-announcements/1631 there are rate limits in Private Beta. This thread was closed.

What will be rate limits in Public Beta, if any?


#2

Edit: This is incorrect. See answer below.


I believe the limits were simply to control who issued a certificate and how many certificates were active while LE was in closed beta as you required an invite per domain (as far as I am aware). I highly doubt once LE enters public beta there will be limits imposed on users.


#3

I’ll keep announcing changes in that thread. For today’s public beta launch the limits will remain:

  • Rate limit on registrations per IP is currently 10 per 3 hours
  • Rate limit on certificates per Domain is currently 5 per 7 days

The public beta removes the whitelist requirement, not the rate limits. I think there will always be some rate limits, though we intend to raise them from time to time.


#4

thanks @jcjones

per Name is defined as ?


#5

Oops. Sorry, I updated that to “certificates per Domain” to match the descriptions in https://community.letsencrypt.org/t/beta-program-announcements/1631


#6

The certs per domain limit is particularly disappointing for a public beta. Simply having your root domain and a www subdomain encrypted uses up 2 of your 5 registrations a week. :confused:


#7

Thanks @jcjones

so certificates per domain mean for reissuances of the domain not how many domains within a SAN multi-domain cert ?

so a SAN multi-domain cert having domain1.com, www.domain1.com, domain2.com, www.domain2.com is counted as 1 certificate ? but you can only renew this SAN multi-domain cert 5 times per 7 days ?

there’s no limits on number of domains contained in a SAN multi-domain cert or up to std max 100 ?


#8

Correct. It’s a measure of the number of certificates we have to maintain the lifetime of, not necessarily how many you’re using.

Exactly.

We’ve set the limit to 100 out of an abundance of caution, as it appears that when you get over 100, some web browsers misbehave. We can probably raise that if anyone wants us to.


#9

What if I wanted a certificate like 10000-sans’s? It would be pretty neat :slight_smile:


#10

cheers @jcjones thanks for the clarification. Will start seeing how close to the public beta rate limits I can get :smiley:


#11

oh what about the use of --duplicate flag, does that count against the limits ?


#12

We offer a service which currently has 361 customers using custom domains. At the moment only 26 of them are enabled for SSL being as we have to buy new SAN certificates for each.

We would love to automate and enable all 361+ domains to use SSL. Are you able to confirm that the 100 SAN limit can be increased so that we can start working on integrating with the protocol?

Thanks!


#13

Do you really want all domains on one certificate though the size for RSA 2048bit would be larger and there would be performance overhead (well until LE supports ECC 256bit with smaller cert related file sizes than RSA2048bit)


#14

We really don’t want to, but unfortunately it looks like we are stuck using a single certificate until AWS ELB add support for SNI.


#15

[quote=“bah, post:14, topic:4772”]
until AWS ELB add support for SNI.
[/quote]

ouch yeah as soon as AWS services are, they still have a few things missing i.e. AWS Route53 and DNSSEC support heh


#17

Maybe it shouldn’t be, but according to this commit, --agree-dev-preview is no longer necessary (is marked as deprecated in fact).
Same for the --server flag, now default is the trusted server.


#18

I use wildcards on my main domain and have quite some actively used subdomains. I would like wildcards, but as this doesn’t seem to happen anytime, I would like the limits per domain raised to 20-50 subdomains. Is there any problem in granting more certs per domain? The number of certs does not change, when I would need to buy more second-level domains for example, just to get the needed certificates. So the limit on subdomains seems a bit arbitrary, now that letsencrypt went public.


#19

Hi Community,

thank you all for your support.

I have the same question as @eswd

The request for subdomains of ddns.net and sytes.net have been reached.
Are there any solutions planned?

Thank you.
Regards,
Martin


#20

Yeah I’ve been this problem also. Seems to me that I’ll have to wait until restrictions are lowered after the beta phase -> Thread
It’s kind of annoying that I cannot renew my cert now as restrictions are applying also to certs that have already been issued to a dyndns subdomain.


#21

You can request one certificate which includes all of the 50 subdomains. This certificate will only count as one certificate for the main domain.
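
The batching approach from posts #8 and #21, as an added example that is not part of the original thread or of any Let's Encrypt client: it packs hostnames into SAN certificates of at most 100 names and checks the result against the 5-certificates-per-domain-per-7-days limit from post #3. The function names, the sample hostnames, the "last two labels" definition of a domain, and the rule that a multi-domain certificate counts once against each domain it covers are assumptions.

```python
from collections import Counter

MAX_SANS_PER_CERT = 100   # SAN cap stated in post #8
CERTS_PER_DOMAIN = 5      # "certificates per Domain ... 5 per 7 days" (post #3)

def registered_domain(host):
    """Assumption: the last two labels are the rate-limited domain.
    A production client should consult the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def plan_certificates(hostnames, max_sans=MAX_SANS_PER_CERT):
    """Pack hostnames into as few certificates as possible, keeping each
    domain's names together unless the group itself exceeds max_sans."""
    groups = {}
    for host in sorted(set(hostnames)):
        groups.setdefault(registered_domain(host), []).append(host)
    certs, current = [], []
    for domain in sorted(groups):
        names = groups[domain]
        for i in range(0, len(names), max_sans):
            chunk = names[i:i + max_sans]
            if len(current) + len(chunk) > max_sans:
                certs.append(current)   # current certificate is full
                current = []
            current = current + chunk
    if current:
        certs.append(current)
    return certs

def domain_usage(certs):
    """Count certificates charged to each domain (assumed: once per
    certificate, however many of its names fall under that domain)."""
    usage = Counter()
    for names in certs:
        for domain in {registered_domain(n) for n in names}:
            usage[domain] += 1
    return usage

def over_limit(certs, already_issued=None, limit=CERTS_PER_DOMAIN):
    """Return {domain: count} for domains that would exceed the limit,
    including certificates already issued in the current 7-day window."""
    usage = domain_usage(certs) + Counter(already_issued or {})
    return {d: n for d, n in usage.items() if n > limit}

if __name__ == "__main__":
    subs = [f"s{i}.example.com" for i in range(50)]   # constructed sample
    print("one cert per host:", over_limit([[h] for h in subs]))
    print("single SAN cert:  ", over_limit(plan_certificates(subs)))
```

Passing `already_issued` (for example `{"example.com": 5}`) shows why a renewal can be refused when earlier certificates in the same window have used up the allowance.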