Public beta rate limits

zakjan 2015-12-02 15:41:46 UTC #1

Per https://community.letsencrypt.org/t/beta-program-announcements/1631 there are rate limits in Private Beta. This thread was closed.

What will be rate limits in Public Beta, if any?

Too many certificates already issued

Exceeded the limit for certificates on single domain

Retrieving already issued certs

Rate Limit hit from reinstall

Double check on api rate limit

dwilson390 2015-12-02 19:58:59 UTC #2

Edit: This is incorrect. See answer below.

I believe the limits were simply to control who issued at certificate and how many certificates were active while LE was in closed beta as you required an invite per domain (as far as I am aware). I highly doubt once LE enters public beta there will be limits imposed on users.

jcjones 2015-12-03 16:46:08 UTC #3

I'll keep announcing changes in that thread. For today's public beta launch the limits will remain:

Rate limit on registrations per IP is currently 10 per 3 hours
Rate limit on certificates per Domain is currently 5 per 7 days

The public beta removes the whitelist requirement, not the rate limits. I think there will always be some rate limits, though we intend to raise them from time to time.

Too many certificates already issued for

Do I need backups of my certificates?

Revoked a cert but not allowed to recreate due to rateLimit

Failures registering new subdomain certs in public beta

A large number of domains

Too many certificates already issued - rate limit?

Custom dir for validate domain

eva2000 2015-12-03 16:55:10 UTC #4

thanks @jcjones

per Name is defined as ?

jcjones 2015-12-03 17:10:11 UTC #5

Oops. Sorry, I updated that to "certificates per Domain" to match the descriptions in https://community.letsencrypt.org/t/beta-program-announcements/1631

Leliana 2015-12-03 18:08:18 UTC #6

The certs per domain limit is particularly disappointing for a public beta. Simply having your root domain and a www subdomain encrypted uses up 2 of your 5 registrations a week.

eva2000 2015-12-03 18:16:48 UTC #7

Thanks @jcjones

so certificates per domain mean for reissuances of the domain not how many domains within a SAN multi-domain cert ?

so a SAN multi-domain cert having domain1.com, www.domain1.com, domain2.com, www.domain2.com is counted as 1 certificate ? but you can only renew this SAN multi-domain cert 5 times per 7 days ?

there's no limits on number of domains contained in a SAN multi-domain cert or up to std max 100 ?

jcjones 2015-12-03 18:52:53 UTC #8

Correct. It's a measure of the number of certificates we have to maintain the lifetime of, not necessarily how many you're using.

Exactly.

We've set the limit to 100 out of an abundance of caution, as it appears that when you get over 100, some web browsers misbehave. We can probably raise that if anyone wants us to.

Rate limiting...How does it work and what does it mean?

SANs per cert and SNI for hosting service

Failures registering new subdomain certs in public beta

kerio 2015-12-03 18:56:47 UTC #9

What if i wanted a certificate like 10000-sans's? It would be pretty neat

eva2000 2015-12-03 19:00:54 UTC #10

cheers @jcjones thanks for the clarificatio. Will start seeing how close to the public beta rate limits I can get

eva2000 2015-12-03 19:14:03 UTC #11

oh what about the use of --duplicate flag, does that count against the limits ?

bah 2015-12-03 19:40:31 UTC #12

We offer a service which currently has 361 customers using custom domains. At the moment only 26 of them are enabled for SSL being as we have to buy new SAN certificates for each.

We would love to automate and enable all 361+ domains to use SSL. Are you able to confirm that the 100 SAN limit can be increased so that we can start working on integrating with the protocol?

Thanks!

SANs per cert and SNI for hosting service

eva2000 2015-12-03 20:02:39 UTC #13

Do you really want all domains on one certificate though the size for RSA 2048bit would be larger and there would be performance overhead (well until LE supports ECC 256bit with smaller cert related file sizes than RSA2048bit)

SANs per cert and SNI for hosting service

bah 2015-12-03 20:17:34 UTC #14

We really don't want to, but unfortunately it looks like we are stuck using a single certificate until AWS ELB add support for SNI.

SANs per cert and SNI for hosting service

eva2000 2015-12-03 20:19:12 UTC #15

ouch yeah as soon as AWS services are, they still have a few things missing i.e. AWS Route53 and DNSSEC support heh

Octal 2015-12-04 08:16:22 UTC #17

Maybe it shouldn't be, but according to this commit, --agree-dev-preview is no longer necessary (is marked as deprecated in fact).
Same for the --server flag, now default is the trusted server.

allo 2015-12-04 09:11:56 UTC #18

I use wildcards on my main domain and have quite some actively used subdomains. I would like wildcards, but as this doesn't seem to happen anytime, i would like the limits per domain raised to 20-50 subdomains. Is there any problem in granting more certs per domain? The number of certs does not change, when i would need to buy more secondlevel domains for example, just to get the needed certificates. So the limit on subdomains seems a bit arbitrary, now that letsencrypt went public.

mrbscreen 2015-12-04 09:57:30 UTC #19

Hi Community,

thank you all for your support.

I have the same question as @eswd

The request for subdomains of ddns.net and sytes.net have been reached.
Are there any solutions planed?

Thank you.
Regards,
Martin

testos 2015-12-04 10:59:57 UTC #20

Yeah I've been this problem also. Seems to me that I'll have to wait until restrictions are lowered after the beta phase -> Thread
It's kind of annoying that I cannot renew my cert now as restrictions are applying also to certs that have already been issued to a dyndns subdomain.

sjerdo 2015-12-04 14:18:50 UTC #21

You can request one certificate which includes all of the 50 subdomains. This certificate will only count as one certificate for the main domain.