Rate limit and subdomains

CarloAlbertoS · September 23, 2020, 9:26pm

Hi all,
I need some help to face the following issue with rate limit and subdomains for my company setup.
Abstract:
In my company, we provide a full CMS solution hosted in k8s with several microservices components. We use a dedicated domain for those installation and move it to a Microsoft Azure DNS zone (let's call it company.azure).
Everytime we have to setup a new AKS cluster we generate a wildcard subdomain pointing at it with the standard *.customer.company.azure and we have CertManager on each cluster to provide the certificates needed (https://cert-manager.io/docs/).
Our (wrong) assumption was that using for each cluster a different requester and a different subdomain would have avoid to hit the limit, but today we started to receive the error of "too many certificates request for company.azure".
In this moment we create a certificate for each application inside the cluster, so about 10 certificates per installation, I am trying to understand if it could have sense to try to reduce them by using a single wildcard certificate per subdomain and how this is counted in the rate limits.
Basically I want to create a certificate matching the wildcard DNS domain *.customer.company.azure, is this feasible or the wildcard certificate can only match *.company.azure?

Thanks in advance for the help,
Carlo Alberto

rg305 · September 23, 2020, 9:54pm

The certificates per domain limit is 50 per week.
[regardless of the number of entries in the cert - limited up to 100]

Is this feasible?
That depends on the number of expected customers and the number of certs you will need to cover all of them.
Can the wildcard cert only match *.company.azure?
No. It can match up to 100 FQDNs or 100 wildcards or and combination that doesn't exceed 100 entries [per cert].

So if you squeeze it right that's... (50 * 100)
Up to FIVE thousand new wildcard names covered per week!

jvanasco · September 23, 2020, 9:56pm

I agree with everything above, but depending on how customers are onboarded, I think you may end up needing to apply for a rate-limit exception (see Overrides here https://letsencrypt.org/docs/rate-limits/ )

rg305 · September 23, 2020, 9:59pm

Or use more than one base domain
[aggregate regionally?]

CarloAlbertoS · September 24, 2020, 8:26am

Thanks,
that's what I already did, but I was looking at a "plan B" in case the request is not accepted
We usually do not have high needs, but it can happen we have to spin more than one customer cluster per week like this time.

CarloAlbertoS · September 24, 2020, 8:30am

Thanks for the reply.
Actually my idea was to create a certificate per each subdomain (so one certificate per *.customerA.company.azure, one for *.customerB.company.azure and so on), to maintain isolation between clusters (eg I do not want customerA can create a valid website using customerB names) and avoid to have to update certificates everywhere each time a new cluster is created.
I think this should solve the rate limit issue (we are in the range of 4/5 new cluster per week maximum), but I was wonder if this is feasible or if I am forced to use a SAN certificates with several wildcard subdomains in it.

_az · September 24, 2020, 8:56am

Sure, it sounds like a perfectly good plan.

But even if in the course of doing your normal business, you sign up 50 customers/clusters a week, you can still ask Let's Encrypt to give you an overall exemption for company.azure.

As long as your use is legitimate and tries to minimize new certificates (as you plan to do with wildcards), I am sure they will be flexible with you.