Rate limit or certificate limit?


#1

We have integrated Let’s Encrypt into our control panel software product and are preparing to go live with you next week. :smile:
As we expect a large number of certificate requests, I’d like to know if there’s a certain rate limit (certificates per day per registration) or general certificates limit (certificates per registration).

Background: our ACME client creates just one registration (per server) and uses this for all authorizations and certificate requests. We’re talking about mass shared hosting and don’t see a reason why every end user should require their own ACME registration. Our software takes care to only request an authorization when the domain is actually reachable for verification, so we don’t expect errors here.


#2

there are multiple rate limit parameters; the one that probably needs the most attention is the IP rate limit, and I think there was an account-based one as well.

I think that you should seek direct contact with LE (depending on how they respond in here) so you can maybe ask for higher limits or similar.

one thing you could do is something a bit similar to Cloudflare and create larger SAN certs instead of individual ones, but that has 2 issues: others that use the same key and cert are known from the certificate (possible privacy break), and obviously the point that cracking one cert opens a rather large hole in the HTTPS of your server.


#3

I know these parameters (they’re documented with the beta program), but I explicitly asked for a certificates per registration limit.

I used this support system for contact. And: we’re talking about a control panel software, so we don’t have one IP subnet which could be whitelisted (or similar identification methods).

SANs are bad as soon as they include domain names for different customers. Of course we combine a request for “example.org” and “www.example.org” into one CSR (using SAN). But it makes absolutely no sense to combine requests for “customer1.com” and “customer2.com” into one certificate.
And finally: we use different private keys for each and every single certificate. We only use one registration (“ACME account”) for submitting the authorization and certificate requests.


#4

well the panel does run on your servers, doesn’t it?
and the server(s) running the panel and/or client have IPs, don’t they?

yeah I get why combining the customers isn’t a thing you like, it was just an idea and I did point out that it has its flaws.

I also get that you use 1 ACME account for the certs.

well that is a system, but maybe for this a more direct contact may be needed so not everyone can waltz right into the conversation.


#5

Yes, the servers do have IPs. :stuck_out_tongue: But we do not run it on our servers; our customers are running it on several thousand servers of their own. Like Plesk (just better, of course ;-))
Some of them configure only a few domains, others configure thousands of domains with our panel. This leads to the question of a certificate/IP limit.

I can imagine that the folks at LE have enough to do right now, so I don’t want to disturb them with my humble question (at least not now, as this is currently uncritical). Other users rolling out LE might also be interested in any limits for mass hosting scenarios.


#6

If it’s self-hosted, why would anyone register thousands of domains on a single server?


#7

Every web hosting provider does so…


#8

yeah, shared hosting/web hosts with control panels like Plesk, DirectAdmin, cPanel and InterWorx


#9

so essentially, if each server runs its own panel, it can also run its own LE client; then at the very least the per-IP and (assuming there is one) account limit can be circumvented partially.


#10

I’m afraid you haven’t understood my question correctly.
Imagine one shared hosting server with let’s say 1.000 domains (assigned to 500 customers). This one server has one IP. We use one ACME registration to request 500 certificates (all with two SANs: with and without “www.” subdomain).
So I’m interested if we might reach any limit here. We don’t hit the “registrations per IP limit” (as we have only one registration) and we don’t hit the “domains per certificate” limit (every cert has only two domains).


#11

I wasn’t sure, so I said that if it wasn’t done the way you are doing it already then you could do it that way.

but we really need someone from LE on this because that info is something they have…


#12

You will hit the “300 registrations per account per week” limit under one account if the server gets more than 300 pending registrations in a week. I would like this limit removed for this reason: Remove 300 registrations limit


#13

Is this limit about 300 registrations or 300 pending registrations?
If pending, then this shouldn’t be a problem for our users (as long as we don’t request >300 certs within 5 minutes ;)).


#14

300 registrations (no matter the outcome)


#15

Well, the official docs say something different:

Pending Authorizations/Account limits how many times an ACME client can request a domain name be authorized without actually fulfilling on the request itself. This is most commonly encountered when developing ACME clients, and this limit is set to 300 per account week. Please utilize our staging environment if you’re developing an ACME client.

There is no limit to the number of certificates that can be issued to different domains.


#16

This is a little ambiguous: “how many times an ACME client can request a domain name be authorized without actually fulfilling on the request itself”. I just tested by fulfilling one of my pending verification requests and I still couldn’t do any more registrations. So right now it means any pending requests, whether they are fulfilled or not.


#17

Either way don’t you think this limit is unnecessary?


#18

If pending is defined as;

Then I think it’s a perfectly sensible limit. As I read it, if a client keeps requesting a single domain name be authorized, more than 300 times a week … for the same domain. Yes, I’d put in the rate limit. I can’t think of any logical reason why someone would want to ask for the same domain name more than 300 times (unless they were testing, or should be testing, in which case it should be done on the test/staging environment).


#19

It’s clearly defined what pending is. It’s a little ambiguous, because it doesn’t say if invalid attempts count, too.

How did you do that? Did you save all the tokens and challenge URIs?


#20

Yeah, I saved all of them. Did 300 requests previously to see if the limit was still there and kept all the tokens & URLs.
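
A client-side sketch of the budgeting question raised in this thread, added here as an example (it is not code from any poster or from Let’s Encrypt): it tracks authorization requests for one ACME account in a rolling week and sends whole per-customer orders only while budget remains. The 300-per-week figure is the one quoted in the thread; the class and function names, the reserve margin, the timestamp and the `.example` domains are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)   # "per account per week", as quoted in the thread
LIMIT = 300                  # figure quoted in the thread

class AuthzBudget:
    """Rolling-window count of authorization requests for one ACME account.

    count_fulfilled=True is the conservative reading reported in the thread
    (every request counts, validated or not); False frees a slot on validation.
    """
    def __init__(self, limit=LIMIT, reserve=20, count_fulfilled=True):
        self.cap = limit - reserve      # reserve: assumed margin for retries
        self.count_fulfilled = count_fulfilled
        self.events = deque()           # (timestamp, domain), oldest first

    def remaining(self, now):
        while self.events and now - self.events[0][0] >= WINDOW:
            self.events.popleft()       # requests older than a week expire
        return max(0, self.cap - len(self.events))

    def record(self, now, domain):
        self.events.append((now, domain))

    def fulfilled(self, domain):
        if not self.count_fulfilled:
            self.events = deque(e for e in self.events if e[1] != domain)

def plan_orders(customers, budget, now):
    """Send whole per-customer orders while budget lasts; defer the rest."""
    send, deferred = [], []
    for customer, names in customers.items():
        if len(names) <= budget.remaining(now):
            for name in names:
                budget.record(now, name)
            send.append(customer)
        else:
            deferred.append(customer)
    return send, deferred

def demo():
    # Constructed input: 500 customers, each with a bare and a www. name.
    customers = {f"customer{i}": [f"customer{i}.example", f"www.customer{i}.example"]
                 for i in range(500)}
    now = datetime(2016, 1, 4, 12, 0)   # constructed timestamp
    send, deferred = plan_orders(customers, AuthzBudget(), now)
    return len(send), len(deferred)

if __name__ == "__main__":
    print(demo())
```

Deferred customers are retried once `remaining()` rises again, either as old requests age out of the window or, under the optimistic reading, as validations complete.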