We plan to launch a VPN service offering IKEv2 support, and iOS clients will be supported, which require each VPN server’s domain to have a certificate. But IKEv2 doesn’t support wildcard certificates, which means we need to generate a unique certificate for each of the VPN servers.
We’d like to use letsencrypt if possible, but the number of servers is quite large and we will add more servers pretty frequently. All servers will share a registered domain, meaning the rate limit will be reached very frequently.
Are we eligible to request a rate limit bump? Will letsencrypt deny it if it’s for VPN only?
Hi @entram, Welcome to the Let's Encrypt community forum.
I'm not the person who makes decisions about this but I think you would be eligible. (Edit: Though I can't speak to @orangepizza's comment about whether our certificates would work for your purposes).
I recommend you put in an application for a rate limit adjustment and go from there. Please make sure to provide as much information as possible. Sometimes folks leave important fields blank and we don't have the resources to follow up on incomplete applications.
@orangepizza
Thanks for the heads up. Looks like Windows and Apple don’t actually check the usage info, because we could successfully connect via Windows and iOS clients during our tests.
@cpu
Thanks for the reply. Do we need to have the service online to make us legit while putting in the application? If not, we’re in a dilemma, because we can’t launch the service without the certificates, and we can’t have the certificates if we don’t have the service.
Also, if we’re fortunate enough to be approved, will we be able to request again if the rate limit is reached again due to business growth? Or is it a one-time thing, and should we request a rate limit that’s unreasonable for our current size?
@cpu @entram
I dug into this more; it was a crt.sh bug: if there is no X509v3 Extended Key Usage, Windows treats it as authorized for all usages. crt.sh thinks it’s not trusted for any usage other than TLS server.
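An added example (not code from the thread or from Let's Encrypt) that makes the two readings of a missing EKU extension concrete: it builds constructed self-signed certificates with and without an Extended Key Usage extension, then asks whether each would be accepted for serverAuth and for ipsecIKE under the lenient reading described for Windows (no EKU means any usage) and the stricter reading described for crt.sh (no EKU means TLS server only). The hostname, key type and validity period are assumptions; it needs the `cryptography` package.

```python
# Added example, not from the forum thread. Models the two interpretations of a
# certificate that carries no Extended Key Usage extension, as described above.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH
IPSEC_IKE = x509.ObjectIdentifier("1.3.6.1.5.5.7.3.17")  # id-kp-ipsecIKE (RFC 4945)


def make_cert(eku=None):
    """Constructed self-signed cert for a made-up VPN host; eku=None omits the extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "vpn1.example.test")])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if eku is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return builder.sign(key, hashes.SHA256())


def allowed_for(cert, purpose, missing_eku_means_any):
    """True if `purpose` is permitted under the chosen reading of a missing EKU.

    missing_eku_means_any=True models the Windows behaviour described in the post
    (no EKU -> valid for every usage); False models the crt.sh reading described
    there (no EKU -> trusted for TLS server only). An explicit EKU is honoured
    as written by both, with anyExtendedKeyUsage covering everything.
    """
    try:
        eku = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
    except x509.ExtensionNotFound:
        return True if missing_eku_means_any else purpose == SERVER_AUTH
    return purpose in eku or ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE in eku


def compare(cert):
    """Map purpose name -> (lenient verdict, strict verdict) for the two usages at issue."""
    return {name: (allowed_for(cert, oid, True), allowed_for(cert, oid, False))
            for name, oid in (("serverAuth", SERVER_AUTH), ("ipsecIKE", IPSEC_IKE))}


if __name__ == "__main__":
    print("no EKU:           ", compare(make_cert()))
    print("serverAuth only:  ", compare(make_cert([SERVER_AUTH])))
    print("serverAuth + IKE: ", compare(make_cert([SERVER_AUTH, IPSEC_IKE])))
```

The first line of output is the case from the post: both readings accept the certificate for TLS, but only the lenient one accepts it for IKE.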
Working on them today! You should hear a response within the next week. @entram can you DM me with more info about the domain or ACME account ID in question?