Rate limits: fixing certs per name rate limit order of operations gotcha



This is a quick follow-up to a previous API Announcement from July 2017.

For some time now the Certificates per Registered Domain rate limit has had a “gotcha” related to the Renewal Exemption. As we mentioned on the rate limits documentation page:

> the order of renewals and new issuances matters. To get the maximum possible number of certificates, you must perform all new issuances before renewals during a given time window.

As of March 8th, 2019, we’ve addressed this problem, and renewals can be performed before new issuances without the renewals affecting the remaining Certificates per Registered Domain quota.


Boulder Issue #2800 details the full background of this issue. Our first attempt to address this problem used an approach that avoided applying a database migration to one of our largest production database tables. Unfortunately, as described in the corresponding API announcement, we had to revert this implementation after discovering the performance was unacceptable for large ~100 SAN certificates.

The approach we are using today relies on a new database field/index, and corresponding updates to populate and use the new field. Thank you to everyone who was patient while we worked through our backlog to make room for coordinating this more involved solution. I know this was a frequent pain point for integrators and I’m happy it’s now fixed :tada:
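
A small model of the counting behaviour described above, added here as an illustration; it is not Boulder's code. The limit of 3, the hostnames and the `Limiter` class are constructed for the example, and a renewal is taken to be a request for exactly the same set of names as an earlier certificate.

```python
from dataclasses import dataclass, field

@dataclass
class Limiter:
    """Toy per-registered-domain limiter (hypothetical, not Boulder's implementation)."""
    exclude_renewals: bool          # False: pre-fix counting, True: post-fix counting
    limit: int = 3                  # constructed value, kept small for readability
    seen: set = field(default_factory=set)      # name sets issued at any time
    window: list = field(default_factory=list)  # (names, is_renewal) in current window

    def request(self, *names):
        names = frozenset(names)
        renewal = names in self.seen            # Renewal Exemption: same exact name set
        # Pre-fix, every certificate in the window consumed quota, renewals included.
        # Post-fix, issuances flagged as renewals are left out of the count.
        used = sum(1 for _, r in self.window if not (r and self.exclude_renewals))
        if not renewal and used >= self.limit:
            return False                        # refused: quota exhausted
        self.window.append((names, renewal))
        self.seen.add(names)
        return True

# Constructed sample data: two certificates due for renewal, three new ones wanted.
RENEWALS = [("a.example.org",), ("b.example.org",)]     # issued before this window
NEW = [("c.example.org",), ("d.example.org",), ("e.example.org",)]

def simulate(exclude_renewals, renewals_first):
    """Return (renewals granted, new certificates granted) for one ordering."""
    lim = Limiter(exclude_renewals, seen={frozenset(n) for n in RENEWALS})
    batches = [RENEWALS, NEW] if renewals_first else [NEW, RENEWALS]
    granted = [[lim.request(*n) for n in batch] for batch in batches]
    if not renewals_first:
        granted.reverse()                       # always report renewals first
    return sum(granted[0]), sum(granted[1])

if __name__ == "__main__":
    for fixed in (False, True):
        for first in (False, True):
            print(f"post-fix={fixed} renewals_first={first} ->", simulate(fixed, first))
```

With pre-fix counting, renewing first leaves room for only one of the three new certificates; with renewals excluded from the count, both orderings grant all five.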
