I’m a bit confused by the letsencrypt rate limits document: https://letsencrypt.org/docs/rate-limits.
Specifically, as it relates to Duplicate Certificate limit of 5 certificates per week and Renewal Exemption to the Certificates per Registered Domain limit.
So let’s say I am a web hosting company and I request a SAN certificate from letsencrypt that has 100 names in the certificate. Now let’s say I deploy this
certificate to 100 different servers. I also add a script to all those 100 servers to auto-renew the SAN certificate after 80 days.
So my question is:
Will all the 100 renewal requests succeed or will only 5 of them succeed?
My understanding is that all of the renewal requests will succeed, because renewals are not blocked by this rate limit. Until recently, after the first 5 renewals you would be unable to issue new certificates for that set of domains, but I believe they’ve reorganized how that’s handled a bit.
But from the doc: “Renewals are still subject to the Duplicate Certificate limit.”
That assertion in the rate-limit docs seems to contradict what you are saying.
English is not my first language so maybe I’m reading the documentation wrong.
As an aside, the language in the rate-limit doc sounds legalese-like.
If each of your 100 servers tries to renew the same SAN certificate, with the same 100 names, then each attempt will generate a new and different certificate for the same set of names. This will indeed hit the rate limit once 5 such certificates have been issued.
Instead you should renew the certificate once, and distribute the renewed certificate to your 100 servers the same way you did when you issued it originally.
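To make the difference between the two limits concrete, here is a small Python model of the accounting described in this thread. It is an added illustration, not code from Let’s Encrypt, Boulder, or anyone posting here. It assumes the 5-per-week Duplicate Certificate limit quoted from the docs, an assumed Certificates per Registered Domain limit of 50 per week (a parameter, not taken from this page), constructed hostnames under example.com, and a simplified rule that the registered domain is the last two labels of a hostname. The two scenarios from the question (every server renews itself versus renewing once and distributing) and the Renewal Exemption are each run as a function so the outcome can be checked.

```python
from datetime import datetime, timedelta

WEEK = timedelta(days=7)
DUPLICATE_LIMIT = 5    # duplicate certificates per exact name set, per week (quoted from the docs above)
PER_DOMAIN_LIMIT = 50  # certificates per registered domain, per week (ASSUMED value for this model)


def registered_domain(name):
    """Assumption: registered domain = last two labels (no public-suffix list in this toy model)."""
    return ".".join(name.lower().strip(".").split(".")[-2:])


class RateLimitModel:
    """Toy accounting for the two limits discussed; not Boulder's real implementation."""

    def __init__(self, duplicate_limit=DUPLICATE_LIMIT, per_domain_limit=PER_DOMAIN_LIMIT):
        self.duplicate_limit = duplicate_limit
        self.per_domain_limit = per_domain_limit
        self.issued = []  # (timestamp, frozenset of names, was_renewal), oldest first

    def _in_window(self, when):
        cutoff = when - WEEK
        return [(s, renewal) for t, s, renewal in self.issued if t > cutoff]

    def request(self, names, when):
        """Return (granted, reason); record the certificate if granted."""
        key = frozenset(n.lower() for n in names)
        recent = self._in_window(when)

        # Duplicate Certificate limit: counts every cert with this exact name set in the
        # last week, renewals included. This is what 100 self-renewing servers trip over.
        duplicates = sum(1 for s, _ in recent if s == key)
        if duplicates >= self.duplicate_limit:
            return False, "duplicate certificate limit"

        # Renewal Exemption: a renewal (same exact name set issued before) is not counted
        # against, and not blocked by, the per-registered-domain limit.
        is_renewal = any(s == key for _, s, _ in self.issued)
        if not is_renewal:
            for domain in {registered_domain(n) for n in key}:
                first_issuances = sum(
                    1 for s, renewal in recent
                    if not renewal and any(registered_domain(n) == domain for n in s)
                )
                if first_issuances >= self.per_domain_limit:
                    return False, f"certificates per registered domain limit ({domain})"

        self.issued.append((when, key, is_renewal))
        return True, "issued"


def constructed_san_names(count=100):
    # Constructed hostnames standing in for the 100-name SAN certificate in the question.
    return [f"site{i}.example.com" for i in range(count)]


def renew_on_every_server(servers=100):
    """Scenario from the question: each server renews the same SAN cert on day 80.
    Returns how many of the renewal requests are granted."""
    model = RateLimitModel()
    names = constructed_san_names()
    day0 = datetime(2020, 1, 1)
    model.request(names, day0)  # original issuance
    renew_day = day0 + timedelta(days=80)
    return sum(1 for i in range(servers)
               if model.request(names, renew_day + timedelta(seconds=i))[0])


def renew_once_and_distribute(servers=100):
    """Scenario recommended above: renew once, copy the result to every server."""
    model = RateLimitModel()
    names = constructed_san_names()
    day0 = datetime(2020, 1, 1)
    model.request(names, day0)
    granted, _ = model.request(names, day0 + timedelta(days=80))
    return {"certificates_issued": 1 if granted else 0,
            "servers_updated": servers if granted else 0}


def renewal_exemption_demo():
    """Exhaust the (assumed) per-domain limit with distinct first issuances, then show that
    a brand-new name is blocked while a renewal of an existing cert still goes through."""
    model = RateLimitModel()
    day0 = datetime(2020, 1, 1)
    for i in range(PER_DOMAIN_LIMIT):
        model.request([f"customer{i}.example.com"], day0)
    new_name_granted = model.request(["customer999.example.com"], day0)[0]
    renewal_granted = model.request(["customer0.example.com"], day0 + timedelta(days=1))[0]
    return {"new_name_granted": new_name_granted, "renewal_granted": renewal_granted}


if __name__ == "__main__":
    print("self-renewing servers granted:", renew_on_every_server(100))
    print("renew once and distribute:", renew_once_and_distribute(100))
    print("renewal exemption:", renewal_exemption_demo())
```

In the first scenario only the first five of the hundred identical renewal requests are issued; the rest are refused by the duplicate limit, exactly as the reply above says. Renewing once and distributing consumes one of those five and updates all hundred servers, and the last function shows what the Renewal Exemption actually buys you: once the per-domain budget is used up by new names, existing certificates can still be renewed.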
Whoops, it was definitely too early when I read this. Yes, the identical certificates will hit this limit. Renewals only avoid the certificates per registered domain.