I had a question about certificate renewals and adding new certificates. I am not a coder or very technical for that matter, but I was instructed by my host company to try reaching out here to see what I can find out.
So we are running a multisite that is currently running close to 200 subdomains that run LetsEncrypt. We are continually adding new subdomains for our clients every week, so hitting 500 and beyond this year is VERY realistic.
I created 2 mass batches over 2 weeks to get certificates for all 200 subdomains. From this point forward it should only be a few new ones a week.
However, I read somewhere on these forums (I can’t find it now and don’t know how long ago it was), that when renewals go before adding new certificates, they count towards the weekly limits.
If renewals go AFTER they do not. But this seems like it will be very hard to manage when we come up on our first 2 batches renewal dates.
With that in mind, and if I understand this correctly, new certificates would be pushed out at least 3 weeks until the renewals ran.
Plus, if we get closer to 500 and beyond, wouldn’t that create a backlog of renewals that would make it almost impossible to add new certs?
I’m sure I’m missing some major things here but I need some feedback to take back to my host company to sort through this.
Renewals do count for the 20 certs per week per domain rate limit, yes. But there’s a renewal exemption: even if you’ve managed to hit the 20 certs per week limit, you actually can get a renewal certificate. You just need to have the set of domain names exactly equal to a previous certificate.
So for example, you could get 20 brand new certificates and, well, let’s say like, 100 renewal certificates on the same day. And 7 days later you can get another 20 brand new certificates.
Obviously, trouble would arise if you got like, 19 certificates, forgot about one, got 100 renewals and have to wait 7 days for that poor cert which was forgotten.
So I guess my last question is how do I most easily track when renewals are going to specifically run so that I can always process new certs before renewals hit that week?
I could see this becoming very complicated with hundreds of subdomains and would need a good system to always make sure new certs are processed weekly?
That's entirely up to you. Renewals aren't automatically done by Let's Encrypt. You'll need to run your client with the appropriate commands. For example, the certbot client has a renew option, like, certbot renew, which you can put in a cronjob. The client you're using might also have such an option.
Note: for Let's Encrypt a "renewal" is just a new certificate but now with the same domain set as a previously issued certificate. There's nothing "fancy" about such a renewal, it's just a new certificate.
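As an added illustration (not code from this thread or from Let's Encrypt), the script below models the accounting the two answers above describe: every issuance counts toward the per-registered-domain weekly figure, but a request whose name set exactly equals an earlier certificate is a renewal and is never blocked, so the order in which new certs and renewals are requested decides whether a new one gets through. The 20-per-week value is the figure quoted in the thread, and the client*.example.com names and dates are constructed; a real inventory would come from the ACME client's own storage.

```python
from datetime import date, timedelta

# Figure quoted in the thread; Let's Encrypt publishes the current value.
NEW_CERTS_PER_WEEK = 20
WINDOW = timedelta(days=7)

def registered_domain(name):
    # Simplification: last two labels. Real code should use the public suffix list.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def plan_issuance(history, requests, limit=NEW_CERTS_PER_WEEK):
    """history/requests: chronological (date, frozenset(names)). Returns
    (date, sorted names, kind) with kind in new / renewal / blocked. Assumes
    every name on a certificate shares one registered domain (a multisite)."""
    known_sets = {names for _, names in history}
    issued = {}  # registered domain -> dates of every issuance, new or renewal
    for d, names in history:
        issued.setdefault(registered_domain(min(names)), []).append(d)
    results = []
    for d, names in requests:
        rd = registered_domain(min(names))
        in_window = [x for x in issued.get(rd, []) if d - x < WINDOW]
        if names in known_sets:
            kind = "renewal"  # exact same name set: exempt even over the limit
        elif len(in_window) >= limit:
            results.append((d, sorted(names), "blocked"))
            continue  # not issued, so nothing is added to the window
        else:
            kind = "new"
        issued.setdefault(rd, []).append(d)  # renewals count toward the window too
        known_sets.add(names)
        results.append((d, sorted(names), kind))
    return results

def thread_scenarios():
    """The two orderings from the thread, with constructed names and dates."""
    def site(i):
        return frozenset({f"client{i}.example.com"})
    day = date(2024, 1, 8)
    old = [(day - timedelta(days=60), site(i)) for i in range(100, 200)]
    # 20 new first, then 100 renewals, then 20 more new a week later: all succeed.
    good = ([(day, site(i)) for i in range(20)]
            + [(day, site(i)) for i in range(100, 200)]
            + [(day + WINDOW, site(i)) for i in range(20, 40)])
    # 19 new, 100 renewals, then the forgotten twentieth: blocked for a week.
    bad = ([(day, site(i)) for i in range(19)]
           + [(day, site(i)) for i in range(100, 200)]
           + [(day, site(19))])
    return plan_issuance(old, good), plan_issuance(old, bad)
```

Feeding `plan_issuance` the certificates your client already holds plus the batch you intend to request shows, before anything is sent, which new names would be refused that week.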
If you're hosting sites on behalf of a large number of different people, you may also be eligible for a rate limit exemption like other hosting providers have received. That would reduce the pressure to optimize how you do renewals, although probably Let's Encrypt would still ask you to be thoughtful about this to avoid putting gratuitous load on the service.