Rate Limits With The ACME Endpoint


#1

I have been developing a platform lately that has a component to it where my users will need custom websites managed by my platform. What I want to do is be able to add custom domain name support with a free managed ssl cert using LE.

I’m not sure how many certificates I’ll be issuing, but I want to know how many sites a single certificate can hold as one of the suggestions was to package sites into one ssl cert.

I know that Firebase Hosting uses LE to issue certificates, and I know they must get thousands of ssl requests per day, so how do they get around rate limits if there is a limit to how many sites a single certificate can use?

Thanks!


#2

#3

Using few certificates with lots of names is often not the best way to handle things, for two reasons in particular:

Issuing a certificate counts against the certificates per registered domain limit for all domains in the certificate. If you’re frequently adding and removing hostnames, you can easily eat up the rate limit for most of the domains in the certificate.

What happens when the system tries to renew a certificate and fails because, for example, one domain has expired? You would eventually have to issue a new certificate, or new certificates, for all of the hostnames minus the broken ones, before the old certificate expires.

It’s tricky to manage.
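An added example, not written by anyone in this thread, that puts numbers on the two points in the reply above: it counts issuances per registered domain when every hostname shares one certificate versus one certificate per hostname. The weekly limit of 50, the two-label `registered_domain` shortcut and all hostnames are assumptions constructed for the illustration.

```python
from collections import Counter

WEEKLY_LIMIT = 50  # assumption: certificates per registered domain per week; check your CA's published value

def registered_domain(host):
    # Simplification for the sample names: last two labels. Use the Public Suffix List in real code.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def charge(cert_names, usage):
    # One issuance counts once against every registered domain named in the certificate.
    for dom in {registered_domain(n) for n in cert_names}:
        usage[dom] += 1

def simulate_shared(initial, events):
    # All hostnames live on one certificate, so every add or remove reissues it.
    names, usage = set(initial), Counter()
    charge(names, usage)
    for op, host in events:
        if op == "add":
            names.add(host)
        else:
            names.discard(host)
        charge(names, usage)
    return usage

def simulate_per_host(initial, events):
    # One certificate per hostname: only a new hostname triggers an issuance.
    usage = Counter()
    for host in list(initial) + [h for op, h in events if op == "add"]:
        charge([host], usage)
    return usage

def over_limit(usage, limit=WEEKLY_LIMIT):
    return sorted(dom for dom, n in usage.items() if n > limit)

def names_still_issuable(cert_names, failing):
    # Second point: drop the hostnames that fail validation and reissue the rest.
    return sorted(set(cert_names) - set(failing))

# Constructed sample: 20 customer domains, 60 hostname changes within one week.
CUSTOMERS = [f"customer{i}.example" for i in range(1, 21)]
INITIAL = [f"www.{c}" for c in CUSTOMERS]
EVENTS = [e for c in CUSTOMERS
          for e in (("add", f"app.{c}"), ("add", f"shop.{c}"), ("remove", f"app.{c}"))]

if __name__ == "__main__":
    shared, per_host = simulate_shared(INITIAL, EVENTS), simulate_per_host(INITIAL, EVENTS)
    print("shared cert:", shared["customer1.example"], "issuances per domain,",
          len(over_limit(shared)), "domains over the limit")
    print("per-host certs:", per_host["customer1.example"], "issuances per domain,",
          len(over_limit(per_host)), "domains over the limit")
```

The simulation ignores renewals and treats all changes as falling in the same rate-limit window.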


#4

Interesting, I think Google uses the method of lots of names on a single cert. The reason I think that is because when I look at my certificate I can see a bunch of other domains. I’m kind of new to LE so maybe I’m not understanding something correctly.


#5

Well, I said it was tricky, not (usually) impossible. 🙂

For what it’s worth, the certificate in the screenshot seems to be: https://crt.sh/?id=620249056


#6

Interesting. Thanks for your time!

