Hey there!
Question: Am I going to hit rate limits?
Here are the steps I’m going to perform:
- I’m only dealing with a single domain.
- Assuming I create 10 different SAN certificates (for 10 different subdomains).
- Then I adjust the list of covered hosts up to 10 times per day.
- Adjusting means: I fill the SAN up until it holds 100 hosts. As soon as the list holds 100 domains, I start dropping one at a time before adding a new one, to reduce the number of requests to LE.
- The domains I add or remove are always going to be subdomains of the subdomains of step 2, so I’m pretty sure my 10 certificates in total don’t have a single overlap.
Do these SAN adjustments count as renewals or as new certificates?
Which rate limit is to be expected?
Expectation
If I understand your rate limit policy correctly, I’d expect to have only 10 creations in the very first minute, which doesn’t hit a rate limit. After that it’s all renewals, so no rate limit here as well. Even if I do that 10 times a day for all of those 10 certificates (100 requests to LE in total: 10 for creating and 90 for extending the domain list), that’s all within the allowed limits.
Please correct me if I’m wrong.
Here’s the details about my project:
- We’re a company of web developers.
- Each developer has his own environment *.${employee}.mycompany.wtf.
- When a developer starts working on a project, he creates a virtual machine ${project}.${employee}.mycompany.wtf.
- Of course there are a couple of virtual machines per project, but they don’t need certificates, hence are not important for this question.
- In regular sized projects, there are multiple CNAMEs for different purposes, all pointing to a single web server.
- Those CNAMEs are sometimes divisions of our project, simulated CDN hosts and so on.
This adds up to *.${project}.${employee}.mycompany.wtf.
A regular example would be:
- project.goli.mycompany.wtf
- cdn.project.goli.mycompany.wtf
- styleguide.project.goli.mycompany.wtf
- europe-division.project.goli.mycompany.wtf
- american-division.project.goli.mycompany.wtf
- there are projects with 30 divisions
We intend to create a single SAN certificate per employee.
By default, this certificate is to be issued to ${employee}.mycompany.wtf (primary domain) and holds *.${employee}.mycompany.wtf to cover all small projects.
We keep track of a list of our regular sized projects. That can be automated since every virtual machine connects to a central puppet environment. I can easily tell which were the last 50 projects we had up and running in our company just by grepping the puppet logs.
This list gets used to add the last 98 projects as *.${project}.${employee}.mycompany.wtf to the SAN.
We’re going to set up a central certification host that keeps track of all the recent project names, knows our DNS API keys and provides our projects with valid certificates once a day.
So. Am I going to do something completely wrong? Is this going to work or will this hit every possible rate limit?
Regards,
Stephan.
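As an added example (not code from Stephan's post or from Let's Encrypt), the script below models the per-employee SAN list described above and replays the planned issuance schedule the way a rate limiter would see it. The one rule it encodes is that Let's Encrypt treats an issuance as a renewal only when the set of names is identical to a certificate already issued; any change to the SAN list produces a new certificate that counts against the per-registered-domain limit. The limit values (100 names per certificate, 50 new certificates per registered domain per week, 5 identical certificates per week), the rolling-window semantics, the `proj…` project names and the `dev…` employee names are assumptions constructed for the example; the live policy is at https://letsencrypt.org/docs/rate-limits/ and should be checked before relying on any number here.

```python
# Added example, not part of the original post. Limit values are assumptions.
from collections import Counter
from datetime import date, timedelta

BASE_DOMAIN = "mycompany.wtf"      # from the post
MAX_NAMES_PER_CERT = 100           # assumed limit: names per certificate
CERTS_PER_DOMAIN_PER_WEEK = 50     # assumed limit: new certs per registered domain, 7 days
DUPLICATES_PER_WEEK = 5            # assumed limit: certs with an identical name set, 7 days


def build_san_list(employee, projects, base=BASE_DOMAIN, max_names=MAX_NAMES_PER_CERT):
    """Primary name, the employee wildcard, then one wildcard per recent project
    (newest first) until the per-certificate cap is reached: 2 + 98 = 100 names."""
    names = [f"{employee}.{base}", f"*.{employee}.{base}"]
    for project in projects:
        if len(names) >= max_names:
            break
        names.append(f"*.{project}.{employee}.{base}")
    return names


def registered_domain(name):
    """Toy eTLD+1: the last two labels. Fine for mycompany.wtf, wrong for public
    suffixes such as co.uk (assumption; real code should use a public suffix list)."""
    host = name[2:] if name.startswith("*.") else name
    return ".".join(host.split(".")[-2:])


class IssuanceLedger:
    """Records every issuance and classifies it as the rate limiter does: a name
    set seen before is a renewal (exempt from the per-domain limit, subject to the
    duplicate limit); any other name set is a new certificate."""

    def __init__(self):
        self.issued = []          # (day, frozenset(names), "new" | "renewal")
        self.seen_sets = set()

    def issue(self, day, names):
        key = frozenset(names)
        kind = "renewal" if key in self.seen_sets else "new"
        self.seen_sets.add(key)
        self.issued.append((day, key, kind))
        return kind

    def check_limits(self, day):
        """Tally the 7-day window ending on `day` and list every limit exceeded.
        Assumption: each issuance of a name set, the first included, counts toward
        the duplicate limit."""
        start = day - timedelta(days=6)
        new_per_domain, per_name_set = Counter(), Counter()
        for d, key, kind in self.issued:
            if not start <= d <= day:
                continue
            per_name_set[key] += 1
            if kind == "new":
                for dom in {registered_domain(n) for n in key}:
                    new_per_domain[dom] += 1
        violations = []
        for dom, n in new_per_domain.items():
            if n > CERTS_PER_DOMAIN_PER_WEEK:
                violations.append(f"{dom}: {n} new certificates in 7 days "
                                  f"(limit {CERTS_PER_DOMAIN_PER_WEEK})")
        for key, n in per_name_set.items():
            if n > DUPLICATES_PER_WEEK:
                violations.append(f"{min(key)}: {n} identical certificates in 7 days "
                                  f"(limit {DUPLICATES_PER_WEEK})")
        return new_per_domain, per_name_set, violations


def simulate_plan(employees, adjustments_per_day, days, start=date(2024, 1, 1)):
    """The plan from the post: one certificate per employee, adjusted
    `adjustments_per_day` times a day, each adjustment adding one project wildcard
    (the oldest falls off once the 100-name cap is reached). Project names are
    constructed; every adjustment changes the name set."""
    ledger, projects, serial = IssuanceLedger(), {e: [] for e in employees}, 0
    for offset in range(days):
        day = start + timedelta(days=offset)
        for employee in employees:
            for _ in range(adjustments_per_day):
                serial += 1
                projects[employee].insert(0, f"proj{serial}")   # newest first
                ledger.issue(day, build_san_list(employee, projects[employee]))
    return ledger.check_limits(start + timedelta(days=days - 1))


def simulate_daily_renewal(employees, days, start=date(2024, 1, 1)):
    """Contrast case: a fixed name set per employee re-issued once a day."""
    ledger = IssuanceLedger()
    for offset in range(days):
        for employee in employees:
            ledger.issue(start + timedelta(days=offset),
                         build_san_list(employee, ["project"]))
    return ledger.check_limits(start + timedelta(days=days - 1))


if __name__ == "__main__":
    scenarios = [("10 employees, 10 SAN changes/day, 7 days",
                  simulate_plan([f"dev{i}" for i in range(10)], 10, 7)),
                 ("1 employee, identical set re-issued daily, 7 days",
                  simulate_daily_renewal(["goli"], 7))]
    for label, (new, dup, violations) in scenarios:
        print(label, "->", dict(new), violations or "within assumed limits")
```

Run as-is, the first scenario shows that ten SAN changes a day across ten employees yields 700 distinct certificates in a week, all counted as new against mycompany.wtf, while the second shows that re-issuing an unchanged set every day trips the duplicate limit instead. The design point is that a central certificate host should issue only when the computed name set actually differs from the last issued one, and should batch project additions so the number of distinct name sets per week stays under the per-domain limit.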