Temporarily up orders rate limit due to manual error, a thousand websites down :(

Hi Let’s Encrypt team, I hope that you are all doing well and that you are all safe!

We currently have an issue and may need your help: due to a manual error, our Kubernetes production namespace has been wiped. It’s back to normal now, but most of our customers’ websites are still down due to the rate limit of 300 new orders per 3 hours. We have around 1000 websites. Is there any chance to temporarily, due to those extreme circumstances, up this rate limit for, let’s say, 1 hour?

If not, do you have any advice to speed up the reissuing of a thousand certificates?

Thank you very much for your time!

Regards

1 Like

IIRC that limit was per ACME account; make some new accounts (like 10, as there is an ACME accounts per IP address rate limit too) to speed up the process.

2 Likes

Thank you @orangepizza for your quick reply, that is precisely the workaround we are using here and it’s working!

But we are thinking about the renewal of this batch of almost 900 domain names in about 90 days: if I recall correctly, the rate limit does not apply to a renewal (so all good here), but what about the account linked to the original order?

If I set up my original account again, in 90 days, when requesting a renewal with the email / private key that did not request the original order: do you know if Let’s Encrypt will consider it a new order, or a simple renewal? I am really curious to know.

Have a great day!

1 Like

The new order API is always used when issuing certificates, whether renewing a previous certificate or creating a totally “new” one, and the new orders rate limit always applies.

Does your ACME client have a convenient way to schedule the big batch of renewals over a larger period of time? Maybe it does so automatically?

For example, with the client I usually use, it renews certificates every 60 days by default, but I could edit the configuration files so that some certificates renew after 59 days, some after 61, etc…

The question is what flexibility the software you’re using offers.

2 Likes

Thanks to both of you @orangepizza and @mnordhoff

Given that renewals will start in 60 days and this whole batch of certificates will expire in 90 days, you are right: the retry scheme in our client should be able to renew all of them in around 12 hours straight (300 every 3 hours). We add monitoring too (regarding the orders rate limit of our main account) in order to check that all will work well.

I wish both of you a great day! Take care

2 Likes
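An added example, not posted by anyone in this thread: one way to plan the renewals discussed above so that a batch issued in one burst never exceeds the new-orders limit. It gives each domain a stable offset around day 60, then delays any order that would overfill a 3-hour window. The `BUDGET` of 250, the `site*.example` names and the issue date are assumptions made for illustration.

```python
import hashlib
from collections import deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=3)  # rate-limit window quoted in the thread
BUDGET = 250                 # assumption: headroom below the 300-order limit for retries

def jitter(domain, spread_days):
    """Stable per-domain offset in [-spread_days, +spread_days], minute granularity."""
    h = int.from_bytes(hashlib.sha256(domain.encode()).digest()[:8], "big")
    return timedelta(minutes=h % (2 * spread_days * 1440 + 1)) - timedelta(days=spread_days)

def schedule(domains, issued_at, base_days=60, spread_days=5, budget=BUDGET):
    """Map each domain to a renewal time; any WINDOW holds at most `budget` orders."""
    wanted = sorted((issued_at + timedelta(days=base_days) + jitter(d, spread_days), d)
                    for d in domains)
    recent = deque()  # times of the last `budget` planned orders
    plan = {}
    for when, domain in wanted:
        if len(recent) == budget:
            # The order `budget` places earlier must have left the window first.
            when = max(when, recent.popleft() + WINDOW)
        recent.append(when)
        plan[domain] = when
    return plan

def max_in_window(times, window=WINDOW):
    """Largest number of orders falling in any half-open window of this length."""
    times = sorted(times)
    worst = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:
            lo += 1
        worst = max(worst, hi - lo + 1)
    return worst

if __name__ == "__main__":
    issued = datetime(2020, 1, 1, tzinfo=timezone.utc)   # constructed date
    sites = [f"site{i}.example" for i in range(900)]     # constructed names
    for spread in (0, 5):
        plan = schedule(sites, issued, spread_days=spread)
        times = plan.values()
        print(spread, max_in_window(times), max(times) - min(times))
```

With `spread_days=0` every renewal falls due at the same instant and the throttle alone spaces them out; with a spread of a few days the throttle rarely has to act.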
