The main limit is Certificates per Registered Domain , (50 per week).
How is that rate limit duration calculated? Is it 1 week's worth of milliseconds, starting at the moment the limit is hit? Or does it last until the end of the day 7 days from now? Or, less likely but still possible, do we get a weekly quota that resets at the same instant in time each week?
EG. If I hit a rate limit at 1:00pm on Monday Dec 3rd, which of the following describes the exact moment in time that I will be safe to try again?:
1:00pm Monday Dec 10th
12:00am Tuesday Dec 11th
Some other fixed time, prior to 1:00pm Monday Dec 10th, when all weekly limits reset
Some other time I haven't considered
I need to know because we hit these rate limits often and I've built intelligence into our system to track when a Registered Domain is rate limited and stop attempting SAN certs that contain the limited domain. I need to know when my system is safe to begin attempting them again.
It's a rolling window. So it's a week's worth of milliseconds, but that's not a week from when the limit was hit - it's a week from when the first certificate that's contributing to the limit was issued.
For example, if you issued 10 certificates at 1pm every day, you would reach the limit on day 5 and would not be able to issue on day 6; but after 1pm on day 7, the first 10 certificates would no longer have been issued in the past week, so you could issue 10 more certificates at that point, before hitting the limit again.
nothing of these is correct. If you hit the limit at 2018-12-03, 13:00, that means, you have created 50 certificates between 2018-11-26, 13:01 and 2018-12-03, 13:00.
But that means it's possible that you have created 49 certificates between 2018-11-26, 13:01 and 2018-11-26, 13:10, the last ~~ one week later.
So you can create the next certificate a few seconds later. Or ~~ a week later.