Rate Limit for GCP

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:ondemand.com

I ran this command: Configuring GCP managed certificates in Global HTTP(S) Loadbalancer

It produced this output:429 (rate limit exceeded)

My web server is (include version): I don’t Know what GCP is using

The operating system my web server runs on is (include version): I don’t Know what GCP is using

My hosting provider, if applicable, is: SAP’s domain (ondemand.com) on GCP for IaaS

I can login to a root shell on my machine (yes or no, or I don’t know):I don’t Know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):I don’t Know

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):I don’t Know

Issue background:
We are working to enable Google Cloud Platform as part of our infrastructure.

To leverage the GCP’s managed certificates option, as we were testing, we observed that the LB configuration with managed certificate request was getting failed and started working after few days. We were told by GCP’s support team that it is due to the Let’s Encrypt (rate limit - 50 cert requests per week) as we see in public documentation too.

As we checked with other teams within SAP, they are using a special account of Let’s Encrypt which has this limit extended over a period of time(atleast thousands of certificates every week) for the same registered domain that we are trying to sign. (ondemand.com)

GCP cert team has confirmed that they can’t help here as the limit could be increased only by either Let’s Encrypt team or from the SAP side and they are only relaying. Our doubt is, if one team can sign 1000+ certificates for the same registered domain then how could it be that the issue is on SAP domain side? Not sure . Could you please guide us to check how we can gather more precise details on what’s the rate limit for the account that GCP is using and for our domain in particular. We can open a support ticket to GCP and involve GCP’s cert team if more technical details are required.

Knowing this limit and understanding better helps us to estimate the potential delays in configuring LBs. If you have a different channel to support us, please direct us.

Regards,
Arun

Hi @arun.jothi

there are different rate limits. The exact error message is required.

Read

Then you should use the test system. There is an own, higher limit.

Which limit? The 5 identicals or the 50 certificates per domain?

But tests -> use the test system.

The first link contains a form:

If you are a large hosting provider or organization working on a Let’s Encrypt integration, we have a rate limiting form that can be used to request a higher rate limit.

I think fundamentally, if you are already using an ACME account that has a rate limit exemption for a specific registered domain (ondemand.com), then any other ACME account that issues for that registered domain needs to be granted the same exemption.

Otherwise, the GCP ACME account will be pointlessly contending for a resource that it has no hope of acquiring.

Are you able to get the account ID being used by the GCP LB and apply for an additional rate limit for your domain? Or otherwise, is GCP able to use your existing ACME account?

This situation does seem a bit complex. It is possible that Let’s Encrypt might be able to alter the rate limit for ondemand.com globally, so that the requester account does not matter. But you might need to apply for it and see how they respond.

Hi @JuergenAuer,

Thanks. Test accounts may have higher limits but the rate limit is not limiting our testing. The reason we are not using test accounts here is to identify such limitations for our production customers and how we can manage the delays

Hi @_az,

Thanks. Agree and make sense. Let me check with GCP certs team on if they could request for exemption (for our domain) for their account.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.