Question regarding increasing rate limits

entram · April 10, 2019, 12:15pm

Hi,

We plan to launch a VPN service offering IKEv2 support, and iOS clients will be supported, which require each VPN server’s domain to have a certificate. But IKEv2 doesn’t support wildcard certificate, which means we need to generate an unique certificate for each of the VPN servers.

We’d like use letsencrypt if possible, but the number of servers is quite large and we will add more servers pretty frequently. All servers will share a registered domain, meaning the rate limit will be reached very frequently.

Are we eligible to request a rate limit bump? Will letsencrypt deny it if it’s for VPN only?

Regards.

orangepizza · April 10, 2019, 12:48pm

IPsec servers need cert that have different type in Extended Key Usage. Certs signed by Let's encrypt isn't vaild for IPsec/IKE use.

X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication

you need IPSEC End System in your cert.

cpu · April 10, 2019, 12:50pm

Hi @entram, Welcome to the Let's Encrypt community forum.

I'm not the person who makes decisions about this but I think you would be eligible. (Edit: Though I can't speak to @orangepizza's comment about whether our certificates would work for your purposes).

I recommend you put in an application for a rate limit adjustment and go from there Please make sure to provide as much information as possible. Sometimes folks leave important fields blank and we don't have the resources to follow-up on incomplete applications.

Thanks!

orangepizza · April 10, 2019, 12:58pm

https://crt.sh/?caid=16418

At least in windows, Let’s Encrypt Authority X3 cannot sign certs for IPsec.

entram · April 10, 2019, 1:26pm

@orangepizza
Thanks for the heads up. Looks like Windows and Apple don’t actually check the usage info, because we could successfully connect via Windows and iOS clients during our tests.

@cpu
Thanks for the reply. Do we need to have the service online to make us legit while putting in the application? If not, we’re in a dilemma, because we can’t launch the service without the certificates, and we can’t have the certificates if we don’t have the service.

Also if we’re fortunate enough to be approved, will we be able to request again if the rate limit is reached again due to business growth? Or it’s a one time thing and we should request a rate limit that’s unreasonable for our current size?

cpu · April 10, 2019, 1:33pm

I don't believe that's a problem but I can't speak authoritatively.

Usually we approve rate limits with some headroom. We also update rate limit adjustments when required by growth. Shouldn't be a problem.

entram · April 10, 2019, 2:13pm

Thanks. I’ll send the form.

entram · April 19, 2019, 3:42am

hi @cpu, I wonder how long does it usually take to process an application?

We still haven’t heard from letsencrypt. Does that mean we were rejected?

Regards.

orangepizza · April 19, 2019, 4:37am

@cpu @entram
I dug about this more, it was crt.sh bug: if there is no X509v3 Extended Key Usage: windows treats it as it authorzed for all usage. crt.sh thinks it’s not trusted for any usage other then tls server.

cpu · April 19, 2019, 12:13pm

Generally one to two weeks. Not hearing a response doesn't mean you were rejected.

jple · April 19, 2019, 7:00pm

Working on them today! You should hear a response within the next week. @entram can you DM me with more info about the domain or ACME account ID in question?

Thanks!

-JP

robstradling · April 29, 2019, 9:00am

The Microsoft Trusted Root Certificate Program only permits “ISRG Root X1” to be used for the Server Authentication trust purpose.

Microsoft publishes their root program metadata here:
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Here’s a human-readable view of the same metadata:

github.com

robstradling/authroot.stl/blob/master/authroot.tsv

SHA-1(Certificate)	SHA-256(Certificate)	MD5(Subject Name)	Key Identifier	EV Policy OID(s)	Friendly Name	CN, Last OU or O	RSA Key Size / ECC Curve	Not Before	Not After	Trust Purposes
71899A67BF33AF31BEFDC071F8F733B183856332	001686CD181F83A1B1217D305B365C41E3470A78A1D37B134A98CD547B92DAB3	1970A82FA9EC4110E3F6EADD44953A6C	2130C9FB00D74E98DA87AA2AD0A72EB14031A74C	1.3.6.1.4.1.782.1.2.1.8.1	Network Solutions	CN=Network Solutions Certificate Authority	2048	2011-01-01 00:00:00	2030-12-31 23:59:59	Server Authentication, Client Authentication, Code Signing, Secure Email, Time Stamping
B1EAC3E5B82476E9D50B1EC67D2CC11E12E0B491	007E452FD5CF838946696DFE37A2DB2EF3991436D27BCBAB45922053C15A87A8	5CE81B0B5A26BE9274B7E3591B38F66E	3FBDCD8EDFBED16B65443F60ECEA422E30701F68		POSTarCA	OU=POSTArCA	2048	2003-02-07 10:36:58	2023-02-07 11:06:58	Server Authentication, Client Authentication, Secure Email, Time Stamping, Encrypting File System
C09AB0C8AD7114714ED5E21A5A276ADCD5E7EFCB	00AB444ABD6BDBA33DA8DE569AC4ECDE326D1BE1A61442D5EEC3975A0C243F04	D68CD7B30882556427654BF0FFF1C113	84F7FA725E8864661D288CB077BD0C6A9F4C4D62		ANCERT Certificados Notariales	CN=ANCERT Certificados Notariales	2048	2004-02-11 15:58:30	2024-02-11 15:58:26	Server Authentication, Client Authentication, Secure Email, Code Signing, IP security user, Time Stamping, OCSP Signing
3753D295FC6D8BC39B375650BFFC821AED504E1A	016E1DCD5F78841BBEBBAE9DDEA08C8D7EC54E698E95BB778ECDD1E10D8BF4F9	CD918F7968C618A6A86E2270E59425A9	38BC5C3054DCE2BB20EFEE6F41A0316E5CFD8B75		ZETES TSP ROOT CA 001	CN=ZETES TSP ROOT CA 001	4096	2016-05-20 13:23:38	2036-05-20 13:23:38	Time Stamping, Document Signing, OCSP Signing, Client Authentication, Secure Email
20D80640DF9B25F512253A11EAF7598AEB14B547	02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5	3B43FBB32E4AEBD9B46795552F1F9A03	B763E71ADD8DE908A65583A4E06A504165114249	2.16.840.1.114028.10.1.2	Entrust Root Certification Authority - EC1	CN=Entrust Root Certification Authority - EC1	secp384r1	2012-12-18 15:25:36	2037-12-18 15:55:36	Server Authentication, Client Authentication, Secure Email, Code Signing, Time Stamping
F9B5B632455F9CBEEC575F80DCE96E2CC7B278B7	0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7	CF9381E42222DF55D1E3C07829CDFD1A	9D93C6538B5ECAAF3F9F1E0FE59995BC24F6948F	1.3.6.1.4.1.34697.2.1	AffirmTrust Commercial	CN=AffirmTrust Commercial	2048	2010-01-29 14:06:06	2030-12-31 14:06:06	Server Authentication, Client Authentication, Secure Email, Code Signing, Time Stamping, Encrypting File System, IP security tunnel termination, IP security user
E0B4322EB2F6A568B654538448184A5036874384	03950FB49A531F3E1991942398DFA9E0EA32D7BA1CDD9BC85DB57ED9400B434A	179616EAC79381FE42C8386D9E564849	A6B3E12B2B49B6D773A1AA94F501E773654CAC50		EDICOM	CN=ACEDICOM Root	4096	2008-04-18 16:24:22	2028-04-13 16:24:22	Server Authentication, Client Authentication, Secure Email, Code Signing, Time Stamping, Encrypting File System, IP security tunnel termination, IP security user
AEC5FB3FC8E1BFC4E54F03075A9AE800B7F7B6FA	04048028BF1F2864D48F9AD4D83294366A828856553F3B14303F90147F5D40EF	65586AD138B9B75E21B6BC3C18E973FB	65CDEBAB351E003E7ED574C01CB473470E1A642F	1.3.6.1.4.1.13177.10.1.3.10	CAROOT Firmaprofesional	CN=Autoridad de Certificacion Firmaprofesional CIF A62634068	4096	2009-05-20 08:38:15	2030-12-31 08:38:15	Server Authentication, Client Authentication, Secure Email, Code Signing, Time Stamping, Encrypting File System, IP security tunnel termination, IP security user
CB44A097857C45FA187ED952086CB9841F2D51B5	04ACFB3B24793F300F67EF87E44DD72CB9B28B204F389A7CD5AE28785C7D42CD	75623718D69408CE646CF0D6568B1684	2F5897D8A90598A5561FFBD9AB75EF023C3634C7		Common Policy	CN=Common Policy	2048	2007-10-15 15:58:00	2027-10-15 16:08:00	Server Authentication, Client Authentication, Secure Email, Code Signing, Time Stamping, Encrypting File System, IP security tunnel termination, IP security user
2DE16A5677BACA39E1D68C30DCB14ABE22A6179B	04F1BEC36951BC1454A904CE32890C5DA3CDE1356B7900F6E62DFA2041EBAD51	D2EE3D32D0C93797A68E21894F1ED97F	9E2E654F3E57F5AB7D96C68BDFB3356D4AE89E8B	1.3.6.1.4.1.17326.10.16.3.6.1.3.2.2, 1.3.6.1.4.1.17326.10.16.3.6.1.3.2.1, 1.3.6.1.4.1.17326.10.16.3.5.2, 1.3.6.1.4.1.17326.10.16.3.5.1, 1.3.6.1.4.1.17326.10.14.2.1.1, 1.3.6.1.4.1.17326.10.14.2.1.2	CHAMBERS OF COMMERCE ROOT - 2016	CN=CHAMBERS OF COMMERCE ROOT - 2016	4096	2016-04-14 07:35:48	2040-04-08 07:35:48	Server Authentication, Client Authentication, Secure Email, Code Signing, Time Stamping
971D3486FC1E8E6315F7C6F2E12967C724342214	0536801FBB443B3E905FD6D70D8C81EB88551BE8061299110D2B4F82E64CADE1	D37B307B42D5B4A47C41E334E7730CEB	BC733E2F9C910CBB8FCD77993ECC85E4CC586811		VI Registru Centras RCSC (RootCA)	CN=VI Registru Centras RCSC (RootCA)	4096	2008-07-21 11:47:46	2024-07-21 11:47:46	Server Authentication, Client Authentication, Secure Email, Code Signing, Time Stamping
742CDF1594049CBF17A2046CC639BB3888E02E33	058A40323EC8C46262C3052A5D357B91AC24D3DA26351B3FF4407E99F7A4E9B4	9C19D5641A9645B2

This file has been truncated. show original

crt.sh is reporting the information correctly.

orangepizza · April 29, 2019, 9:50am

yes, it was me forgeting import it few years ago and forgot about it.but then how OP used it for ipsec?

robstradling · April 29, 2019, 10:47am

Perhaps the OP’s software completely ignores the EKU extension, as permitted by https://tools.ietf.org/html/rfc4945#section-5.1.3.12.

system · May 29, 2019, 10:47am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.