I’d like to suggest that renewals do not count against the rate limit at all.
Currently there seems to be an enormous disparity between the effect of rate limiting on bigcorp.foo.baz and on smalluser.bigisp.abc.
A big corporation can ensure that all issuing of certs happens on X-day mornings, and all renewals happen on X-day afternoons (with X increasing by 1 each week iteration, to allow the time-outs to kick in and allow 20 new registrations per week, as per spec). Thus the big ISP can seemingly always get an extra 20 brand new certs per week.
A small customer at a big ISP who can’t be bothered to register on the PSL, however, is stuck with hoping that they can sneak a registration in the hoped-for slot between the time-out from 20 other customers renewing their certs in the preceding 7-day period and the next renewal.
The renewals will happen at any random time, of course, and once there get to be more than 20 renewals a week then the probability of any new users getting certs issued (or existing client holders successfully changing their cert) starts to get to zero.
If renewals did not count at all, then the extra certificates issued to bigcorp would not be affected, except the timing issue would go away, but users on bigisp would be able to take part in the lottery to be one of the lucky 20 who got a cert that week.
For me, this’d be much better than now - my ISP gives me and the rest of their few hundred thousand customers a DDNS name (if you care to sign up for it) as part of their wonderfully low-cost Fibre-to-the-home package. But they have not bothered to get on the PSL (the DDNS is under their old dial-up domain name, which still has a landing page dated 2005, complete with SWF adverts…). There are about 22 renewals per week (including some people who seem to renew their cert every 2 weeks - maybe every time they restart their Docker image?), so it doesn’t matter how carefully I check when the last-but-20th certificate was issued; the chances are high that someone renews their cert before the slot opens.
I don’t want to cause more costs for the nice guys at duckdns.org, but the rate limiting thing means I can’t use the DDNS I have, and if I ever manage to find a slot, then I’ll probably be after a multi-domain cert for duckdns.org and my local ISP, so I can transition more easily. This all sounds like more data to be processed than necessary…
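Added illustration of the sliding-window argument in the post above; this is constructed example code, not Let's Encrypt's rate limiter and not the poster's. It assumes the 20-certificates-per-registered-domain-per-7-days limit described, treats an issuance for an identical name set as a renewal, and builds a schedule in which 22 hosts each renew once a week: if renewals count there is never an open slot for a first-time customer, if they are exempt there always is.

```python
"""Simulate a 20-certs-per-registered-domain, 7-day sliding-window rate limit
and compare a policy where renewals count toward the limit with one where they
do not. Constructed example; not Let's Encrypt's implementation."""
from datetime import datetime, timedelta

LIMIT = 20                     # certificates per registered domain per window
WINDOW = timedelta(days=7)     # sliding window
START = datetime(2016, 1, 4)   # arbitrary start of the constructed schedule

def week_start(n):
    return START + n * WINDOW

def is_renewal(names, earlier):
    # Assumption: a renewal is an issuance for exactly the same set of names
    # as a certificate already issued under this registered domain.
    return frozenset(names) in {frozenset(n) for _, n in earlier}

def counted_issuances(history, now, renewals_count):
    """Issuances inside (now - WINDOW, now] that count toward the limit."""
    total = 0
    for i, (issued_at, names) in enumerate(history):
        if not (now - WINDOW < issued_at <= now):
            continue
        if renewals_count or not is_renewal(names, history[:i]):
            total += 1
    return total

def new_cert_allowed(history, now, renewals_count):
    """Could a customer obtain a brand-new certificate at time `now`?"""
    return counted_issuances(history, now, renewals_count) < LIMIT

def build_history(hosts, weeks):
    """Constructed schedule: every host gets its first cert in week 0 and then
    renews once a week, with the hosts spread evenly across each week."""
    spacing = WINDOW / len(hosts)
    return sorted((week_start(w) + k * spacing, (host,))
                  for w in range(weeks) for k, host in enumerate(hosts))

def open_hours(history, week, renewals_count):
    """Number of hours in the given week at which a new cert could be issued."""
    return sum(new_cert_allowed(history, week_start(week) + timedelta(hours=h),
                                renewals_count) for h in range(24 * 7))
```

Week 2 of a three-week schedule is the steady state: `open_hours(build_history(hosts, 3), 2, True)` is 0 for 22 renewing hosts, and 168 when renewals are exempt.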