Rate limits - many domains, no subdomains

Issuance Policy
1

Hi,
We are looking for the following scenario:

  • Many domains (possibly hundreds of new domains in a day)
  • No subdomains
  • Separate certificate for each domains

What are the rate limits applied to this scenario?
The limits specified does not seem relevant to our scenario:

  • 20 Certificates per Registered Domain per week - Not relevant, since we are not using sub-domains
  • 100 Names per Certificate - Not relevant, since we do not want several domains in the same certificate

Can we manage that from a single account? create many accounts?

Thanks,
Lior

2

Yes, and that is stated as recommended (see below).

Yes (see account creation limits below).
When using IPv4, the limit comes out to 80 per day (probably lower than you require).
When using IPv6, the limit comes out to 4000 per day - which should be more than enough.

From (Rate Limits - Let's Encrypt):
You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design using one account for many customers.

3

https://letsencrypt.org/docs/integration-guide/ also has some very useful information on the topic.

Generally, it’s better to stick to a single ACME account if you can.

1 Like
4

Thanks for the quick reply!
So is there any limit to the number of different certificates (not subdomains, not SAN) I can create in a day/week?

5

Not really.

Technically yes.

You're not missing anything on the rate limits page: It's totally fine to get thousands and thousands of certificates for different domains.

Some of the rate limits are relevant, like the HTTP request per second limits, or the pending authorizations limit, and the ACMEv2 new orders per 3 hours limit.

6

I think that is the whole point of LE.
To provide certificates (privacy) freely to the masses.

7

Great, got it, thanks!

8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.