Query about request limits (registered domains)

We’re about to set up some infrastructure which will move approximately 12000 domains from their current HTTP only service to use HTTPS.

From what I can see on the rate limits page there doesn’t seem to be any limit to us setting up certificates for the unique domains, such as example.com, example.co.uk, example.org.uk, but we also have some other domains which are subdomains of a provider. As we are a UK school provider, these are similar to the following: .enfield.sch.uk, so the top result in Google is for www.southgate.enfield.sch.uk, and we might also have the following domains, www.enfieldcs.enfield.sch.uk, www.bishopstopfords.enfield.sch.uk, for which we will also need to issue certificates.

Obviously we might then run into issues such as the number of distinct domains we’re issuing for if letsencrypt considers the .enfield.sch.uk to be the registered domain rather than the southgate.enfield.sch.uk domain. Also, we’ll be issuing something in the order of 4000 .co.uk domains and I can’t see anything in the rate limit docs which might suggest that issuing 12000 unique domains would be an issue (from a single IP address, so long as they validate and we don’t exceed the 20/40 reqs/sec.)

Can anyone weigh in if they know any different?

We’re going to put processes in place so that if a domain is removed from our system it will be revoked and deleted, both in terms of the cert/key/pem and from the list of domains on our system.
Also, we’ll not be sending any requests to LetsEncrypt until we have confirmed DNS resolves to our infrastructure’s IP address which should mean that validation shouldn’t have reason to fail; at least not repeatedly…

Kind regards,
Richard

For users of the ACME v2 API you can create a maximum of 300 New Orders per account per 3 hours.

ACME v2 has a rate limit for that, so there is a limit. 300 per account x 10 accounts = 3000 certs per 3 hours?
And wouldn't sustained high-speed cert generation (like 10 certs/s for hours) cause a "ridiculously excessive traffic" IP ban? Does it need to hit another limit first to trigger?

Yes, if there are more than 50 subdomains that you're putting on separate certificates, you'd need a rate limit exemption for these (or you'd need to initially issue them in separate weeks).

That's good for avoiding failed validations; I assume you're aware that it doesn't affect the rate limits in other ways.

Okay, thank you for your answers @schoen, so it looks like we’re going to have to get in contact with LetsEncrypt early (we need to perform this migration over the summer before the schools return in September) as I know that they warn that it can take a number of weeks to look into requests for rate limit exemptions/increases.

Thanks @orangepizza I hadn’t seen the 300 certs/3h limit anywhere. That wouldn’t be too bad as we could batch our domains over several weeks to give us breathing room. But it seems we may have other issues.
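As an added example (not code from the thread, from Let's Encrypt, or from the poster's migration tooling), the planner below turns the two limits discussed above into a schedule: it groups hostnames by registered domain, spreads any registered domain with more than 50 hosts across successive weeks, and then slices each week's work into 3-hour windows of at most 300 new orders. The suffix table is a constructed stand-in for the Public Suffix List; which suffix the CA actually treats as the boundary for .sch.uk names is whatever the real list says, so the table and the host names are assumptions for illustration only.

```python
"""Issuance planner for a bulk HTTP-to-HTTPS migration under two rate limits
quoted in the thread: 50 certificates per registered domain per week and
300 new orders per ACME account per 3 hours. One certificate per hostname.

All names and the suffix table below are constructed for this example.
"""
import math
from collections import defaultdict
from typing import Dict, Iterable, List

# ASSUMPTION: a tiny stand-in for the Public Suffix List. The CA computes the
# registered domain from the real list, so replace this with a PSL lookup in
# production (e.g. the `publicsuffix2` package) rather than trusting this table.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "org.uk", "sch.uk"}

CERTS_PER_REGISTERED_DOMAIN_PER_WEEK = 50
NEW_ORDERS_PER_ACCOUNT_PER_3H = 300


def registered_domain(hostname: str) -> str:
    """Longest matching public suffix plus one label.

    Under the table above, www.southgate.enfield.sch.uk -> enfield.sch.uk,
    which is exactly the grouping the thread worries about.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i == 0 checks the longest candidate first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])           # unknown TLD: assume last two labels


def needs_exemption(hostnames: Iterable[str],
                    per_domain_limit: int = CERTS_PER_REGISTERED_DOMAIN_PER_WEEK) -> Dict[str, int]:
    """Registered domains that cannot be finished in a single week at `per_domain_limit`."""
    counts: Dict[str, int] = defaultdict(int)
    for h in set(hostnames):
        counts[registered_domain(h)] += 1
    return {d: n for d, n in counts.items() if n > per_domain_limit}


def plan_weeks(hostnames: Iterable[str],
               per_domain_limit: int = CERTS_PER_REGISTERED_DOMAIN_PER_WEEK) -> Dict[int, List[str]]:
    """Assign each hostname to a week index so that no registered domain
    receives more than `per_domain_limit` certificates in any one week.
    Distinct registered domains do not compete with each other, so they all
    land in week 0."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for h in sorted(set(hostnames)):
        groups[registered_domain(h)].append(h)
    weeks: Dict[int, List[str]] = defaultdict(list)
    for hosts in groups.values():
        for idx, h in enumerate(hosts):
            weeks[idx // per_domain_limit].append(h)
    return dict(weeks)


def plan_windows(hosts_for_week: List[str],
                 per_window_limit: int = NEW_ORDERS_PER_ACCOUNT_PER_3H) -> List[List[str]]:
    """Slice one week's hosts into consecutive 3-hour windows, each holding at
    most `per_window_limit` new orders for a single ACME account."""
    return [hosts_for_week[i:i + per_window_limit]
            for i in range(0, len(hosts_for_week), per_window_limit)]


def hours_for_week(hosts_for_week: List[str],
                   per_window_limit: int = NEW_ORDERS_PER_ACCOUNT_PER_3H) -> int:
    """Wall-clock hours one account needs for a week's batch, 3 h per window."""
    return 3 * math.ceil(len(hosts_for_week) / per_window_limit)


# Constructed sample: 60 hosts under one .sch.uk authority plus a few
# independent .co.uk / .org.uk domains (names other than those in the thread
# are made up).
SAMPLE_HOSTS = (
    ["www.southgate.enfield.sch.uk", "www.enfieldcs.enfield.sch.uk",
     "www.bishopstopfords.enfield.sch.uk"]
    + [f"www.school{i:02d}.enfield.sch.uk" for i in range(57)]
    + [f"www.example-school{i}.co.uk" for i in range(4)]
    + ["www.example-trust.org.uk"]
)

if __name__ == "__main__":
    print("over the weekly per-domain limit:", needs_exemption(SAMPLE_HOSTS))
    for week, hosts in sorted(plan_weeks(SAMPLE_HOSTS).items()):
        print(f"week {week}: {len(hosts)} certs, "
              f"{len(plan_windows(hosts))} window(s), {hours_for_week(hosts)} h")
```

The output of `needs_exemption` is the list to send with an exemption request well ahead of the migration window; everything not on it fits the weekly limit and is only throttled by the 300-per-3-hours account limit, which `plan_windows` spreads across time (or across several accounts, if that is how the batch is run). The planner deliberately counts one order per hostname; if several hostnames are put on one certificate the counts would be against certificates, not hosts, and the grouping logic would need to change accordingly.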
