Question regarding increasing rate limits

Hi,

We plan to launch a VPN service offering IKEv2 support, and iOS clients will be supported, which require each VPN server’s domain to have a certificate. But IKEv2 doesn’t support wildcard certificate, which means we need to generate an unique certificate for each of the VPN servers.

We’d like use letsencrypt if possible, but the number of servers is quite large and we will add more servers pretty frequently. All servers will share a registered domain, meaning the rate limit will be reached very frequently.

Are we eligible to request a rate limit bump? Will letsencrypt deny it if it’s for VPN only?

Regards.

IPsec servers need cert that have different type in Extended Key Usage. Certs signed by Let’s encrypt isn’t vaild for IPsec/IKE use.

X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication

you need IPSEC End System in your cert.

Hi @entram, Welcome to the Let's Encrypt community forum. :wave:

I'm not the person who makes decisions about this but I think you would be eligible. (Edit: Though I can't speak to @orangepizza's comment about whether our certificates would work for your purposes).

I recommend you put in an application for a rate limit adjustment and go from there :slight_smile: Please make sure to provide as much information as possible. Sometimes folks leave important fields blank and we don't have the resources to follow-up on incomplete applications.

Thanks!

https://crt.sh/?caid=16418

At least in windows, Let’s Encrypt Authority X3 cannot sign certs for IPsec.

2 Likes

@orangepizza
Thanks for the heads up. Looks like Windows and Apple don’t actually check the usage info, because we could successfully connect via Windows and iOS clients during our tests.

@cpu
Thanks for the reply. Do we need to have the service online to make us legit while putting in the application? If not, we’re in a dilemma, because we can’t launch the service without the certificates, and we can’t have the certificates if we don’t have the service.

Also if we’re fortunate enough to be approved, will we be able to request again if the rate limit is reached again due to business growth? Or it’s a one time thing and we should request a rate limit that’s unreasonable for our current size?

1 Like

I don't believe that's a problem but I can't speak authoritatively.

Usually we approve rate limits with some headroom. We also update rate limit adjustments when required by growth. Shouldn't be a problem.

Thanks. I’ll send the form.

3 Likes

hi @cpu, I wonder how long does it usually take to process an application?

We still haven’t heard from letsencrypt. Does that mean we were rejected?

Regards.

@cpu @entram
I dug about this more, it was crt.sh bug: if there is no X509v3 Extended Key Usage: windows treats it as it authorzed for all usage. crt.sh thinks it’s not trusted for any usage other then tls server.

1 Like

Generally one to two weeks. Not hearing a response doesn't mean you were rejected.

Working on them today! You should hear a response within the next week. @entram can you DM me with more info about the domain or ACME account ID in question?

Thanks!

-JP

1 Like

The Microsoft Trusted Root Certificate Program only permits “ISRG Root X1” to be used for the Server Authentication trust purpose.

Microsoft publishes their root program metadata here:
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Here’s a human-readable view of the same metadata:

crt.sh is reporting the information correctly.

2 Likes

yes, it was me forgeting import it few years ago and forgot about it.but then how OP used it for ipsec?

Perhaps the OP’s software completely ignores the EKU extension, as permitted by https://tools.ietf.org/html/rfc4945#section-5.1.3.12.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.