Question related to rate limits for SAN certificates

Hello Community,

I am using Let's Encrypt with traefik.
There is one rule like this: traefik.http.routers.xxx-app.rule=(Host(app.xxx.de, www.app.xxx.de, abc.de, cde.de, efg.de, ...(50 others)) && (PathPrefix(/a, /b))

Will this case apply to the following paragraph from the docs and can it be issued without hitting the ratelimit?

"If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate. Combined with the above limit, that means you can issue certificates containing up to 5,000 unique subdomains per week. A certificate with multiple names is often called a SAN certificate, or sometimes a UCC certificate. Note: For performance and reliability reasons, it’s better to use fewer names per certificate whenever you can."

Thanks in advance

Kind regards

1 Like

I'm not sure what your question is? The specific rate limits are for specific items. The "limit of 100 Names per Certificate" specifically points to the maximum size of the SAN extension within a single certificate. Other rate limits are for number of certificates issued per time period for example.

Hi @LukasBlu1

Please explain exactly: what does "50 others" mean?

x <= 100 - no problem, you can create one certificate with max. 100 domain names.

And you can create max. 50 different certificates per week.

So: 80 new different certificates with one domain name in one week -> you will hit the limit.

One certificate with 80 domain names -> no problem.

PS: A little inexact. Exact if you use only subdomains. But if you have different domains, you can create max. 50 certificates per domain per week. So if other users create a lot of certificates for abc.de, or if you create a lot of these certificates per week with some of the same domain names, you will have trouble.

1 Like
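As an added illustration of the counting rules Juergen describes (this is not code from the thread, from Let's Encrypt or from Traefik): it pulls the names out of a Traefik Host() rule like the one in the question, packs them into SAN certificates of at most 100 names, and counts one week of issuances against the 50-per-registered-domain limit. It assumes the registered domain is simply the last two labels of a name (Let's Encrypt uses the Public Suffix List, so names under e.g. co.uk are treated differently), and the rule string and issuance scenarios are constructed.

```python
import re
from collections import Counter

MAX_NAMES_PER_CERT = 100  # "100 Names per Certificate"
CERTS_PER_REG_DOMAIN_PER_WEEK = 50  # "Certificates per Registered Domain (50 per week)"

def names_from_host_rule(rule):
    """Pull the hostnames out of every Host(...) matcher in a Traefik rule.
    Backticks/quotes around names are stripped; order is kept."""
    names = []
    for group in re.findall(r"Host\(([^)]*)\)", rule):
        for raw in group.split(","):
            name = raw.strip().strip("`'\"").lower()
            if name:
                names.append(name)
    return names

def registered_domain(name):
    # Assumption: registered domain = last two labels. Let's Encrypt uses the
    # Public Suffix List, so names under e.g. co.uk are counted differently.
    return ".".join(name.split(".")[-2:])

def plan_certificates(names):
    """Split the unique names into SAN certificates of at most 100 names each."""
    unique = list(dict.fromkeys(names))
    return [unique[i:i + MAX_NAMES_PER_CERT]
            for i in range(0, len(unique), MAX_NAMES_PER_CERT)]

def weekly_usage(issued):
    """issued: certificates (lists of names) obtained within one week.
    Every issuance counts once against each registered domain in the cert,
    so re-issuing a 'modified' SAN cert is a new certificate each time."""
    counts = Counter()
    for cert in issued:
        for rd in {registered_domain(n) for n in cert}:
            counts[rd] += 1
    return counts

def over_limit(issued):
    return sorted(rd for rd, n in weekly_usage(issued).items()
                  if n > CERTS_PER_REG_DOMAIN_PER_WEEK)

# Constructed rule in the shape of the one from the question.
RULE = ("(Host(`app.xxx.de`, `www.app.xxx.de`, `abc.de`, `cde.de`, `efg.de`)"
        " && PathPrefix(`/a`, `/b`))")
SAN_CERT = plan_certificates(names_from_host_rule(RULE))[0]

if __name__ == "__main__":
    print("same SAN cert re-issued 60 times in a week:", over_limit([SAN_CERT] * 60))
    print("one cert per customer domain instead:", over_limit([[n] for n in SAN_CERT]))
```

With persistent certificate storage the single SAN certificate is issued once and renewed after 60 to 85 days, so the weekly count stays far below 50; without it, every restart issues a fresh certificate and all registered domains in the rule approach the limit together.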

Hi @JuergenAuer,

Sorry for that vague statement. It means 50 more unique domains, not subdomains. They are all pointing to our floating IP and they are directed to the same app using traefik.

Hi @Osiris
Does that mean when I am using 100 different domains not subdomains pointing to the same server, they are all covered by one certificate and it is only one issued?

You're talking about two separate things now. "(sub)domains pointing to [a] server" sounds like something related to DNS: (sub)domain to IP address, i.e., a host. That is distinct from what's covered by a certificate. You can determine what (sub)domains you want to have included in your certificate. At least, if your ACME client lets you. Hint: most do.

That's not a problem if you create one certificate, then use it 60 - 85 days, then create the next.

It's a problem if you create such a certificate daily.

1 Like

@Osiris Frankly speaking, I have no idea about it. What I do know is: We have a Docker Swarm whose traffic is managed with Traefik. All of the domains are pointing to the exact same IP and are routed to the appropriate service. All domains are handled in one rule and then automatically get a certificate. In the documentation under "Multiple Domains from Router's Rule Example" Let's Encrypt - Traefik I can see that apparently only one certificate is issued, but I can't figure out to what extent the rate limit is then loaded.

@JuergenAuer Thanks, that sounds good. Can I add another domain when the certificate is already issued?

So... You mean you have no idea how your Traefik handles certificate issuance? I'm still not sure I understand what you're asking. If you're asking how to configure Traefik, I can't help you, as I don't have any experience with that software.

@Osiris no problem. I think Juergen got it and will bring light into the dark.

Juergen just re-iterated what the rate limit page already told you.

That's exactly the problem. One time - ok. But then ... you will hit the limit.

Sounds like you don't have a plan. That's fatal; then you will create too many certificates.

I don't know or use Traefik. It's a rate limit question.

And if you don't save the certificates permanently, you will hit the limit very quickly - maybe after 6 restarts.

1 Like

I don't exactly get why it will hit the limit. In case one, I can add a domain to the certificate, then there is still only one certificate. In case two, it can't be added, then there will be a new certificate added for the new domain.

No, I don't have a plan. I am mainly a frontend developer and just followed tutorials, but the app has been running for 6 months without errors. But now I need more domains so that customers are able to visit specific parts of the app with their own domain.

I only used a plugin for Traefik which should handle it, like it seems in the description. I know there is a file on the server which contains a JSON file with all certificates saved. So I think there will be no unnecessary certificates issued. And I did about 10 deployments since December, and the creation date of the certificate, as I see it in the browser, is in December.

You can't modify existing certificates: if the content of a signed certificate is modified, the signature will become invalid. So even modifying a certificate (e.g., to add a (sub)domain) will mean you need to get a new certificate issued. This is because only Let's Encrypt can generate the signature with their private key.

So even if it looks like you only modify a single, existing certificate, technically you're requesting (and probably getting) a new one and perhaps afterwards "delete" the previous one (most clients will just move the previous one out of sight just in case). So even if it looks like you only got a single certificate, to Let's Encrypt it'll look like two certificates issued.

By the way, this is "certificates 101".

1 Like

Then it would be easier if you don't use some SAN certificates with a lot of domain names.

Instead, create one certificate per "one customer domain".

1 Like

But then I will hit the limit very quickly.

@Osiris Ok. Thanks for the detailed explanation.

Why? Please explain.

1 Like

"The main limit is Certificates per Registered Domain (50 per week)" - as I understand it, this means that I can have 50 certificates per week.

"...into a single certificate, up to a limit of 100 Names per Certificate..." - when I combine the domains, I can have 5000 encrypted domains with 50 certificates.