Public beta rate limits

I’ll keep announcing changes in that thread. For today’s public beta launch the limits will remain:

  • Rate limit on registrations per IP is currently 10 per 3 hours
  • Rate limit on certificates per Domain is currently 5 per 7 days

The public beta removes the whitelist requirement, not the rate limits. I think there will always be some rate limits, though we intend to raise them from time to time.

7 Likes

thanks @jcjones

per Name is defined as?

Oops. Sorry, I updated that to “certificates per Domain” to match the descriptions in https://community.letsencrypt.org/t/beta-program-announcements/1631

1 Like

The certs per domain limit is particularly disappointing for a public beta. Simply having your root domain and a www subdomain encrypted uses up 2 of your 5 registrations a week. :confused:

1 Like

Thanks @jcjones

so certificates per domain mean for reissuances of the domain not how many domains within a SAN multi-domain cert?

so a SAN multi-domain cert having domain1.com, www.domain1.com, domain2.com, www.domain2.com is counted as 1 certificate? but you can only renew this SAN multi-domain cert 5 times per 7 days?

there’s no limits on number of domains contained in a SAN multi-domain cert or up to std max 100?

Correct. It’s a measure of the number of certificates we have to maintain the lifetime of, not necessarily how many you’re using.

Exactly.

We’ve set the limit to 100 out of an abundance of caution, as it appears that when you get over 100, some web browsers misbehave. We can probably raise that if anyone wants us to.

1 Like
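The counting rule confirmed in the replies above, as an added example that is not part of the original posts or of the Let's Encrypt code: it checks a planned certificate against the 100-name cap and the 5-certificates-per-domain-per-7-days limit. The function names, the sample history, the sliding window, the last-two-labels domain rule, and counting a multi-domain certificate once against each domain it covers are assumptions.

```python
from datetime import datetime, timedelta

MAX_NAMES_PER_CERT = 100      # SAN cap stated in the thread
CERTS_PER_DOMAIN = 5          # "certificates per Domain" limit from the thread
WINDOW = timedelta(days=7)    # assumed to be a sliding window

def base_domain(name):
    # Assumption: the registered domain is the last two labels. A real
    # check would consult a public-suffix list instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def check_request(names, history, now):
    """Check a planned certificate against the limits quoted in the thread.

    names:   hostnames for the new certificate
    history: list of (issued_at, [names]) for certificates already issued
    Returns (ok, problems); problems maps a domain (or "*") to a reason.
    """
    problems = {}
    unique = sorted({n.lower() for n in names})
    if len(unique) > MAX_NAMES_PER_CERT:
        problems["*"] = f"{len(unique)} names exceeds the {MAX_NAMES_PER_CERT}-name cap"
    for domain in sorted({base_domain(n) for n in unique}):
        # An earlier certificate counts once for a domain, however many
        # of that domain's names it carried.
        recent = sorted(t for t, issued in history
                        if now - t < WINDOW
                        and domain in {base_domain(n) for n in issued})
        if len(recent) >= CERTS_PER_DOMAIN:
            # A slot frees once enough of the oldest in-window certs age out.
            retry = recent[len(recent) - CERTS_PER_DOMAIN] + WINDOW
            problems[domain] = (f"{len(recent)} certificates in the last 7 days; "
                                f"retry after {retry.isoformat()}")
    return (not problems, problems)

# Constructed sample history: five single-name certificates for example.com
# and one two-name certificate for example.org.
NOW = datetime(2015, 12, 3, 12, 0)
HISTORY = [(NOW - timedelta(days=d), [f"app{d}.example.com"]) for d in range(1, 6)]
HISTORY.append((NOW - timedelta(days=2), ["example.org", "www.example.org"]))

if __name__ == "__main__":
    print(check_request(["new.example.com"], HISTORY, NOW))
    print(check_request(["a.example.org", "example.net"], HISTORY, NOW))
```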

What if I wanted a certificate like 10000-sans’s? It would be pretty neat :slight_smile:

cheers @jcjones thanks for the clarification. Will start seeing how close to the public beta rate limits I can get :smiley:

oh what about the use of --duplicate flag, does that count against the limits?

We offer a service which currently has 361 customers using custom domains. At the moment only 26 of them are enabled for SSL being as we have to buy new SAN certificates for each.

We would love to automate and enable all 361+ domains to use SSL. Are you able to confirm that the 100 SAN limit can be increased so that we can start working on integrating with the protocol?

Thanks!

Do you really want all domains on one certificate, though? The size for RSA 2048bit would be larger and there would be performance overhead (well, until LE supports ECC 256bit with smaller cert related file sizes than RSA2048bit).

We really don’t want to, but unfortunately it looks like we are stuck using a single certificate until AWS ELB add support for SNI.

[quote=“bah, post:14, topic:4772”]
until AWS ELB add support for SNI.
[/quote]
ouch yeah as soon as AWS services are, they still have a few things missing i.e. AWS Route53 and DNSSEC support heh

Maybe it shouldn’t be, but according to this commit, --agree-dev-preview is no longer necessary (is marked as deprecated in fact).
Same for the --server flag, now default is the trusted server.

1 Like

I use wildcards on my main domain and have quite some actively used subdomains. I would like wildcards, but as this doesn’t seem to happen anytime, I would like the limits per domain raised to 20-50 subdomains. Is there any problem in granting more certs per domain? The number of certs does not change, when I would need to buy more second-level domains for example, just to get the needed certificates. So the limit on subdomains seems a bit arbitrary, now that letsencrypt went public.

Hi Community,

thank you all for your support.

I have the same question as @eswd

The request for subdomains of ddns.net and sytes.net have been reached.
Are there any solutions planned?

Thank you.
Regards,
Martin

Yeah I’ve been this problem also. Seems to me that I’ll have to wait until restrictions are lowered after the beta phase -> Thread
It’s kind of annoying that I cannot renew my cert now as restrictions are applying also to certs that have already been issued to a dyndns subdomain.

You can request one certificate which includes all of the 50 subdomains. This certificate will only count as one certificate for the main domain.

@jcjones Is there any API call to list all certificates issued for the registration?

This does not really help.

When I start a new project, I need a certificate with the new subdomain in it. This means I need a new certificate, independent from if I want to add a domain to the common certificate or if I want a certificate just for the new subdomain. So I would now need to request a new cert for the new subdomain now, and at the next renewal time I need to remember to add the new subdomain to the common certificate.

But both do not really help when I hit the API limit and want now to add a new subdomain (either as single cert or as new common cert with one subdomain more), which will only work after 60 days. Which effectively means that my new project is for 60 days only available unencrypted.

And on the other hand, it may be not wanted to have all subdomains on the same cert.

It is also impractical for independent configuration of the subdomains.
For example I use a configuration for my webserver, where I can do touch sites/newdomain and the needed stuff (webroot, log directory, server configuration) is created on reload of the webserver. I thought about adding “add letsencrypt certificate” there, but this will not work with the limit.

I see the point in some limit, but I think it should be like 50-100. Who needs more than 100 subdomains may want to buy a wildcard certificate somewhere anyway. But a moderate number of subdomains should be possible. So better a global domain limit than a subdomains-per-domain limit. It should not make any difference if I sign 100 domains or 100 subdomains.

1 Like