Would you guys consider altering the rate limits so that duplicate issuance for ECDSA vs. RSA doesn’t count twice?
Apache 2.4 allows hosting both an ECDSA and an RSA cert from the same vhost. This is a boon for ECDSA rollout since it alleviates the fear that a client may fail to do a proper SSL handshake for lack of ECDSA support.
Of course, people who use LE and who want to do this dual-certificate setup will effectively have their rate limits halved.
So, my proposal is that, within a given rate-limit period, the issuance of a cert that otherwise would count against the rate limit be permitted if it’s a request for the same cert that’s been issued using a different key.
We’ve thought about this, and I acknowledge it’s not ideal for dual-issuance to be put at a rate limit disadvantage. However, for the most part this is only an issue with the Certificates Per Name limit, and only at first issuance. After that, renewals get covered under the Renewal Exemption, so hopefully it won’t be too much of an issue.
Can you confirm whether this is an issue that’s slowing down your issuance today, or is this more hypothetical?
It’s not affecting me directly for the time being, no. But my dev team is looking at increasing our ECDSA deployment, and I wanted to run this by you guys to see what you thought.
Sounds good. We definitely support increased ECDSA deployment. Please let us know to what extent it causes you issues, and we’ll take that into account.