Rate limit clarification


#1

Hi, I have a large set of servers currently operating under the same ‘Registered Domain’. Each of these servers requests a Let’s Encrypt certificate for its own FQDN, let’s say server1.abcd.com.

Does the rate limiting mean that:

  • We can add and request certs for up to 50 new servers per week without issues?

  • Even if we have a few thousand servers with previously issued certificates, they can all renew without problems? I’m not sure about this because the FAQ seems to suggest adding subdomains to the original requested certificate instead of requesting a certificate per subdomain. So the issue for server1.abcd.com, server2, … server2500 wouldn’t be capped by the same 5 certificates per week renewal policy?

Thanks in advance for clarification.
Kind regards,

Carlo


#2

Hi @cbaijens

yes, that should work. Max. 50 new certificates with a new set of domain names. One server -> one certificate with one new domain name -> ok.

Yes, that should work.

If you add subdomains, you have a new certificate with old and new names. Then you must share one certificate -> different servers -> may be more complicated -> I wouldn’t use such a setting.

SAN-Certificates (one certificate with a lot of names) are ok, if the set of domain names is unchanged.

So later you may replace 50 certificates with one name -> one certificate with 50 names.

But if you have max. 50 new servers per week, you can create 50 new certificates.


#3

It’s important to note for the renewal exemption that while renewals are not blocked by the rate limit, they do count against it. This is why it is recommended to schedule all new issuances to occur before renewals.


#4

Hi @cbaijens,

I’ll assume that we are talking about issuing certificates for subdomains of your main domain, i.e. (server1.abcd.com, server2.abcd.com, serverX.abcd.com).

Yes, but you should keep in mind that a renewal will count for that limit (there are plans to override this, but in the future…). I mean, let’s say you renew 50 certificates on Monday (I say Monday as an example; limits are not from Monday to Sunday but from the last 7 days, it is a rolling limit), then you couldn’t issue a new certificate till next Monday. Even worse, if you renew 50 certificates on Monday and another 50 on Friday… then you can’t issue new certificates till next Friday, so if you plan to issue new certificates you should issue them before a renewal batch could hit the limits for that “week”.

I think so, as far as I know there is no limit on renewals, but @jsha or @cpu could clarify whether there is some high rate limit on renewals to prevent abuse.

The FAQ is suggesting to add several subdomains on the same certificate because if you add 100 subdomains in the same certificate, it counts as only 1 certificate but if you try to issue 1 certificate for every subdomain you will issue 100 certificates and all of them will count against the rate limit… and keep in mind that there is a limit of 50 new certificates per domain and 7 days.

That policy is for issuing/renewing the same certificate (a duplicate certificate). It means that you can’t issue the same certificate for the same subset of domains/subdomains more than 5 times in 7 days.

Maybe you should take a second look at the rate limit site and, if you think it could be useful to you, then you could apply for a rate limit exception https://docs.google.com/forms/d/e/1FAIpQLSetFLqcyPrnnrom2Kw802ZjukDVex67dOM2g4O8jEbfWFs3dA/viewform but before applying, read all the doc very carefully.

Cheers,
sahsanu


#5

The applicable limit for renewals is the Duplicate Certificate limit. If you renew the same certificate five times in a week (which only really happens in misconfigurations), you’ll run into that limit. But if you need to renew a thousand different certificates in a week, that’s fine.
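To make the rolling-window behaviour described in the replies above concrete, here is an added example (not code from Let’s Encrypt or from any poster) that models the two limits discussed in this thread: 50 certificates per registered domain per rolling 7 days, where renewals are not blocked but still count, and 5 duplicate certificates per rolling 7 days. The registered-domain helper is a deliberate simplification (last two labels) and the server names and dates are constructed for the scenario in post #4.

```python
from datetime import datetime, timedelta

# Limits as stated in this thread: 50 certificates per registered domain per
# rolling 7 days (renewals are not blocked by it but do count against it), and
# at most 5 duplicate certificates (identical name set) per rolling 7 days.
CERTS_PER_DOMAIN = 50
DUPLICATE_CERTS = 5
WINDOW = timedelta(days=7)

def registered_domain(fqdn):
    # Assumption for the example: the last two labels. A real implementation
    # would consult the Public Suffix List (e.g. co.uk is not a registered domain).
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

class RateLimiter:
    def __init__(self):
        self.history = []  # list of (issued_at, frozenset(names))

    def check(self, names, now):
        names = frozenset(n.lower() for n in names)
        recent = [n for t, n in self.history if now - t < WINDOW]
        # A renewal is a request for a name set that was issued before.
        if any(n == names for _, n in self.history):
            if sum(1 for n in recent if n == names) >= DUPLICATE_CERTS:
                return False, "duplicate certificate limit"
            return True, "renewal"
        for domain in {registered_domain(n) for n in names}:
            used = sum(1 for n in recent if any(registered_domain(x) == domain for x in n))
            if used >= CERTS_PER_DOMAIN:
                return False, f"certificates per registered domain limit for {domain}"
        return True, "new certificate"

    def issue(self, names, now):
        ok, reason = self.check(names, now)
        if ok:
            self.history.append((now, frozenset(n.lower() for n in names)))
        return ok, reason

def simulate_thread_scenario():
    """Constructed scenario from the thread: 50 servers renew, then a new server."""
    rl = RateLimiter()
    t0 = datetime(2017, 1, 2)  # constructed dates, not from the thread
    servers = [f"server{i}.abcd.com" for i in range(1, 51)]
    for s in servers:
        rl.issue([s], t0)
    renewals = [rl.issue([s], t0 + timedelta(days=60))[0] for s in servers]
    blocked = rl.check(["server51.abcd.com"], t0 + timedelta(days=61))
    later = rl.check(["server51.abcd.com"], t0 + timedelta(days=68))
    return all(renewals), blocked, later
```

Running `simulate_thread_scenario()` shows all 50 renewals succeeding, the new server blocked the day after the renewal batch, and the same request allowed once the batch has aged out of the 7-day window.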

