When I was testing the compatibility between the Short-lived Profile and various ACME clients, I forgot to change the client’s default renewal window (30 days before expiry). As a result, it ended up issuing a new certificate every day, and today I hit a 429 error. After checking the logs, I realized I’d run into the New Certificates per Exact Set of Identifiers rate limit. Since this ACME client doesn’t support ARI yet, I’m not sure whether ARI could be used to work around this limit.
At the same time, it’s also worth considering that short-lived certificates will, by design, be reissued multiple times within 7 days. So should there perhaps be a separate rate limit policy specifically for short-lived certs?