SAN Certs and Ratelimiting


#1

just a question because I never read that one.

it had never been that clear how the counting of SANs with multiple domains (obviously not including sub-domains) count.
will all domains count? or will just the domain of the CN count?

counting all seems unfair in my opinon because when creating 5 SANs for 3 domains you made a lot less work than when creating 5 certs for each domain seperately.


#2

Hello @My1,

As far as I know, if you issue one cert including SANS for:

domain1.tld sub.domain1.tld domain2.tld sub.domain2.tld sub.sub.domain2.tld

Regarding rate limits… it will count as 1 cert for domain1.tld AND 1 cert for domain2.tld.

So, you only have issued 1 valid cert for 5 domains/subdomains (2 for domain1.tld and 3 for domain2.tld) but you could only issue 4 more certs for domain1.tld and 4 more certs for domain2.tld in next 7 days.

Thats what I understand regarding rate limits, maybe an official explanation on Rate Limits for Let’s Encrypt topic should be a good idea.

Cheers,
sahsanu


#3

well that is a bit unfair because, well subdomains dont count in the first place (or rather they count only once per domain and only if the root isnt already there)
because well when making 1 cert for

domain1.tld
domain2.tld
domain3.tld
domain4.tld
domain5.tld

and having added 1 to the count of EACH domain essentially adds 5 counts in total for just 1 cert.


#4

so you could create 1 san for 100 domains without falling foul of the ratelimit, unless one of those domains was used for 5 other certs that week
(aka the primary hostname of the multiuser webserver :wink: as that parent domain would likely have appeared in other san certs for other servers in the org

but that said 5 a week means 20 a month so only a potential issue (with careful planing) once you exceed 20 hosts (but if your a provider like us with access to several parent domains its 20*parent domains available so seems ok atm)
but might be worth having a list of parent domains large providers use for fqrdns names in their static address space, as customers might authenticate this within their san cert and negatively effect their providers own ability to renew their own certs within the same parent domain

not an issue for me but maybe one for large co-lo providers


#5

Is the rate limiting definitely cross account?

If I get a certificate issued for sub{1…5}.domain.tld you can’t get a certificate issued in the next 7 days for *.domain.tld?


#6

That’s correct, if you’re talking about 5 separate certificates and not one certificate with all 5 domains as SANs.


#7

Yes, this is correct. One certificate issued for domain1.tld,sub.domain1.tld,domain2.tld,sub.domain2.tld,sub.sub.domain2.tld will count towards the ratelimits as:

  • 1 under suffix:domain1.tld
  • 1 under suffix:domain2.tld
  • 1 under exact:domain1.tld,domain2.tld,sub.domain1.tld,sub.domain2.tld,sub.sub.domain2.tld

#8

Otherwise, you could always come around with the rate limit by putting each time a different (free) domain in the CN.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.