Rate limit and subdomains

Issuance Policy
#1

Hi all,
I need some help to face the following issue with rate limit and subdomains for my company setup.
Abstract:
In my company, we provide a full CMS solution hosted in k8s with several microservices components. We use a dedicated domain for those installation and move it to a Microsoft Azure DNS zone (let's call it company.azure).
Everytime we have to setup a new AKS cluster we generate a wildcard subdomain pointing at it with the standard *.customer.company.azure and we have CertManager on each cluster to provide the certificates needed (https://cert-manager.io/docs/).
Our (wrong) assumption was that using for each cluster a different requester and a different subdomain would have avoid to hit the limit, but today we started to receive the error of "too many certificates request for company.azure".
In this moment we create a certificate for each application inside the cluster, so about 10 certificates per installation, I am trying to understand if it could have sense to try to reduce them by using a single wildcard certificate per subdomain and how this is counted in the rate limits.
Basically I want to create a certificate matching the wildcard DNS domain *.customer.company.azure, is this feasible or the wildcard certificate can only match *.company.azure?

Thanks in advance for the help,
Carlo Alberto

2 Likes
#2

The certificates per domain limit is 50 per week.
[regardless of the number of entries in the cert - limited up to 100]

Is this feasible?
That depends on the number of expected customers and the number of certs you will need to cover all of them.
Can the wildcard cert only match *.company.azure?
No. It can match up to 100 FQDNs or 100 wildcards or and combination that doesn't exceed 100 entries [per cert].

So if you squeeze it right that's... (50 * 100)
Up to FIVE thousand new wildcard names covered per week!

4 Likes
#3

I agree with everything above, but depending on how customers are onboarded, I think you may end up needing to apply for a rate-limit exception (see Overrides here https://letsencrypt.org/docs/rate-limits/ )

2 Likes
#4

Or use more than one base domain :wink:
[aggregate regionally?]

1 Like
#5

Thanks,
that's what I already did, but I was looking at a "plan B" in case the request is not accepted :slight_smile:
We usually do not have high needs, but it can happen we have to spin more than one customer cluster per week like this time.

1 Like
#6

Thanks for the reply.
Actually my idea was to create a certificate per each subdomain (so one certificate per *.customerA.company.azure, one for *.customerB.company.azure and so on), to maintain isolation between clusters (eg I do not want customerA can create a valid website using customerB names) and avoid to have to update certificates everywhere each time a new cluster is created.
I think this should solve the rate limit issue (we are in the range of 4/5 new cluster per week maximum), but I was wonder if this is feasible or if I am forced to use a SAN certificates with several wildcard subdomains in it.

2 Likes
#7

Sure, it sounds like a perfectly good plan.

But even if in the course of doing your normal business, you sign up 50 customers/clusters a week, you can still ask Let's Encrypt to give you an overall exemption for company.azure.

As long as your use is legitimate and tries to minimize new certificates (as you plan to do with wildcards), I am sure they will be flexible with you.

2 Likes
#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.