Public beta rate limits


#35

I agree with @allo. Today I started using letsencrypt, and after a few tests to really understand how it works, I reached the limit of 5 per domain … As a result, I have no certificate that matches my needs and no more tries for … 7 days!
This limitation really needs to be extended/changed, so we can really “beta test”.


#36

It should probably be documented, but if you’re testing, you should use the staging server for issuing certificates so you don’t run into the limits when you want to get something publicly trusted.


#37

Was bitten by the 5 domains per 7 days rate limit also while testing.
At Sovereign, we want to use Let’s Encrypt certs and completely drop self-signed certs.
Everything is provisioned automatically through ansible including the certs and we’d like to issue one per service because it is much cleaner and isolated (from a provisioning standpoint).
We already have more than 5 subdomains for a full provision, so that means the rate limit will kick in during provision and fail.

Are there plans to drop or increase the limit?


#38

Probably the question should be not if but when :smile:

Hopefully the LE folks give us a nice holiday gift and raise the limit, i.e. 100 domains per 7 days :slight_smile:


#39

It would be nice to have a word from someone officially. These rate limits are too limiting.

For example I use Docker to automatically deploy my websites and sometimes I need to restart the containers and so renew the certificates… which I can’t do anymore since I used too many of them.

Meaning that I need to revert my websites from using https to http… And this switch becomes really really boring when servers use HSTS (https://fr.wikipedia.org/wiki/HTTP_Strict_Transport_Security) cuz it prevents users from visiting a website which had https support in the past.


#40

I just got rate limited, and this is purely on the back of an hour’s tweaking of an existing configuration, adding a few (1-3 subdomains) for an existing hostname, and trying to reissue. I understand the instinct towards an overabundance of caution in the beta stage but having to wait a week to change certs is a bit excessive.


#41

Another vote for increasing the rate limit. Increasing the rate limit a little higher, to say 20, would go a long way.


#42

Is there a way to delete currently active certificates and reset the rate limit? I did some automation testing and got limited and now would like to delete all the old testing certs and get new ones. A feature like that would be great, at least for testing purposes like mine.


#43

This, right here:

More people should probably consider doing this when running tests for stuff.

Unfortunately no. For any issued certificates, Let’s Encrypt has to provide OCSP responses for the validity period. See the above comment about testing with the staging environment.


#44

Thanks for pointing me in the right direction. I didn’t know about the tight limits before I started testing. They really should make a global notice for using the staging system for development.


#45

Current documentation says 5 per 7 days and 10 per 30. So still too little for many people AND you need to shift your certificate requests to match the 7 days spacing.

Give us 100 per 30 days and domain. I guess this will solve most use cases. More than 10 is just power user, more than 100 gets into the range where commercial certificates may be an option. (I would not mind getting more free certificates either ;-))


#46

Please don’t configure your web servers or Docker containers to auto-issue on startup. You should keep a cache of private keys and recently issued certificates, and reissue only if they are out of date.

This is partly to make sure you use Let’s Encrypt’s resources most efficiently, but mainly it’s good for the uptime and deployability of your service. If Let’s Encrypt has an outage at the same time you are deploying your site, you don’t want to be prevented from completing your deploy. And even if there is no outage, Let’s Encrypt may be slow to issue, delaying your deploy.

I agree the current rate limits are tough to work with. We’re working on ways to tweak them to fit common cases better, but they will take some time to implement. Very much appreciate your patience!
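
Added example (not part of the thread, and not code from Let’s Encrypt or any ACME client): a start-up check that follows the advice in post #46, requesting a certificate only when the cached one is missing or close to expiry, and continuing with the cached certificate if issuance fails. The 30-day window, the function names and the issue command passed in by the caller are assumptions.

```shell
#!/bin/sh
# Run at web server / container start instead of issuing unconditionally.
# Assumption: the certificate and key live on a volume that survives restarts.

RENEW_WINDOW_DAYS=30   # assumed renewal window, adjust to your policy

# needs_issue CERT KEY
# Exit status 0 means "request a new certificate", 1 means "cache is fine".
needs_issue() {
    cert=$1; key=$2
    # Nothing cached yet (first deploy, or the volume was lost).
    [ -s "$cert" ] && [ -s "$key" ] || return 0
    # -checkend N exits 0 if the certificate is still valid N seconds from
    # now; an unreadable or corrupt file also exits non-zero.
    if openssl x509 -in "$cert" -noout \
        -checkend $((RENEW_WINDOW_DAYS * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# start_with_cert CERT KEY ISSUE_CMD [ARGS...]
# ISSUE_CMD is whatever your ACME client invocation is (placeholder here).
# Prints which path was taken; fails only if no usable certificate exists.
start_with_cert() {
    cert=$1; key=$2; shift 2
    if ! needs_issue "$cert" "$key"; then
        echo cached
        return 0
    fi
    if "$@"; then
        echo issued
        return 0
    fi
    # Issuance failed (CA outage, rate limit, slow response). Do not block
    # the deploy if the cached certificate has not expired yet.
    if [ -s "$cert" ] && \
        openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo cached-after-failure
        return 0
    fi
    echo no-usable-cert
    return 1
}
```

Because restarts take the `cached` path, redeploying a container does not consume any of the per-domain issuance allowance discussed in this thread.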


#47

Thank you @jsha for your answer. I will do that in the future!


#48

+1 to being able to refresh the limit by clearing certificates / introduce more realistic limits.

As Laravel Forge wasn’t working properly for me (it didn’t like that I had a custom nginx config), when installing the certificates on my existing dev site, I did some experimentation on some new temporary sites to work out what the issue was.

As Forge is just a single button install, there’s no possibility of “using the staging server” for testing. So I’ve now hit this limit and can’t even get the certificate installed properly on my dev site let alone my live site.


#49

This would be bad form. They are rate limits, not usage limits - allowing this would escalate the problem rate limits are trying to solve - undue load on Let’s Encrypt servers.

I’m also for more realistic limits too - it’s likely the current limits are in place to make sure we get reliable service for issuance whilst there’s a big boom of interest - as weeks go on requests should level out and they’ll be able to support a higher load before Public Launch :smile:


#50

@jsha with regards to Testing Against the Let's Encrypt Staging Environment, is there still a private beta staging server rate limit in place too?

During private beta there were rate limits, so is that still upheld or removed?

edit: oh never mind private beta rate limit was against non-staging server too heh


#51

The staging server has much higher rate limits. I don’t remember offhand what they are, but if you run into them let me know and I’ll look into it!


#52

Yeah, I ran into the rate limits during private beta and public beta now but I believe both instances were against non-staging server heh … I slowed down my integration testing for now, waiting for rate limits to increase and I see new code is being introduced into the client which I’d need to take into account i.e. --staging flag https://github.com/letsencrypt/letsencrypt/pull/1848 :slight_smile:


#53

Is there any news on raising the limit? I have not yet run into it but fully implementing it in my situation would require a significantly higher limit per domain.
I’m running a server which hosts a whole lot of virtual servers all with their own IP, webserver instances and whatnot.
Those virtual servers all get a subdomain to operate from; right now providing them all with a certificate would easily involve generating more than the set limit for my domain.
Somewhere in the ballpark of 20 to 30 at this particular point in time.
Increasing this limit would greatly help with a more broad implementation of LE certificates.


#54

See this thread in which it’s stated;

which is probably the best way forward for you.