Renewal Limitations

We will soon have created 160 subdomains for our domain, and we create an SSL-certificate for each and every one of them. While doing so we occasionally bump into the limit of 20 new certs per week, so we need to slow down our development at times.

Question: Are there weekly limits also for RENEWING those 160 certs?

I see the following three sentences that give a mixed message, hence my question:

https://letsencrypt.org/docs/rate-limits/

  • We also have a Duplicate Certificate limit of 5 certificates per week.
  • To make sure you can always renew your certificates when you need to, we have a Renewal Exemption to the Certificates per Registered Domain limit.
  • Renewals are still subject to the Duplicate Certificate limit.

Best regards
Chris

You’ll be able to continue renewing your certificates.

Your first 20 certificates a week can be new (i.e. cover a unique set of hostnames) or renewals (i.e. cover the same names as an existing certificate).

After that, you can continue issuing certificates that are renewals, but not new ones.

You’ll always be prevented from issuing more than 5 identical certificates per week. But in the situation you described, you would never issue multiple identical certificates in a week, so it doesn’t matter.

The rate limits would be less painful if you combined multiple names into fewer certificates. You can cover 200 names with 2 certificates.

Thanks for the swift explanation!
Does anyone have a good link for reading up on “multiple names into fewer certificates” wrt Let's Encrypt?
When googling I get lost in numerous side-tracks…

We'd have to know more about your environment and client to say anything specific. Most clients should make it easy.

For example, if you're using Certbot, instead of running it once with "-d a.example.com" and a second time with "-d b.example.com", you can do it once with "-d a.example.com -d b.example.com" and so forth.

So if our bots conclude we need to renew 16 out of our 160 certs in a given week, we can only produce 4 new ones.

Since one customer equals 7 certs in our setup, that means we cannot launch a new customer that week.
Interesting limitations hiding in the details here... Perhaps you could spell them out more clearly in the official documentation?

It depends on the order of events. If you issue the new certificates first, you can issue 20 new certificates. If you issue the renewals first, you can issue 4 new certificates.

  • Tuesday: 1000 renewals.
  • Thursday: Can't issue any new certificates. :anguished:

Or:

  • Tuesday: Issue 20 new certificates.
  • Thursday: 1000 renewals!

(Of course, it's a rolling number: the limit decreases 7 days after a certificate was issued; it's not like it resets to 0 on Sunday.)

2 Likes
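
The ordering effect described in the replies above, as an added example that is not part of the original thread and not Let's Encrypt's own code: a small Python model of the two limits as quoted here (20 certificates per registered domain and 5 duplicates per rolling 7 days, with renewals exempt from the first limit but still counted). The class and function names, hostnames and dates are constructed, and all names are assumed to fall under one registered domain.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)   # rolling window, not a calendar week
CERTS_PER_DOMAIN = 20        # limit as quoted in the thread
DUPLICATE_LIMIT = 5          # limit as quoted in the thread


class RateLimitModel:
    """Toy model of the rules as the replies state them (hypothetical class)."""

    def __init__(self, existing=()):
        self.known = {frozenset(n) for n in existing}  # name sets issued earlier
        self.log = []                                  # (time, name set) issued

    def request(self, when, names):
        names = frozenset(names)
        recent = [s for t, s in self.log if when - t < WINDOW]
        if recent.count(names) >= DUPLICATE_LIMIT:
            return "denied: duplicate certificate limit"
        is_renewal = names in self.known
        # Renewals are never blocked by this limit, but they still fill it.
        if not is_renewal and len(recent) >= CERTS_PER_DOMAIN:
            return "denied: certificates per registered domain limit"
        self.log.append((when, names))
        self.known.add(names)
        return "renewal" if is_renewal else "new"


def run_week(renewals_first):
    """16 renewals and a 7-certificate customer launch, two days apart."""
    existing = [[f"site{i}.example.com"] for i in range(160)]  # constructed
    model = RateLimitModel(existing)
    tuesday = datetime(2024, 1, 2)                             # constructed
    thursday = tuesday + timedelta(days=2)
    renewals = existing[:16]
    launch = [[f"new{i}.example.com"] for i in range(7)]
    first, second = (renewals, launch) if renewals_first else (launch, renewals)
    results = [model.request(tuesday, n) for n in first]
    results += [model.request(thursday, n) for n in second]
    return results.count("new"), results.count("renewal"), model


if __name__ == "__main__":
    print("renewals first:", run_week(True)[:2])   # launch is cut short
    print("launch first:  ", run_week(False)[:2])  # everything is issued
```

A renewal scheduler built on this idea would queue new-name issuance ahead of renewals in any week where both are due.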
