The new Failed Validation limit of 5 failures per account, per hostname, per hour

Issuance Policy
1

Hello,

I would like to get more information about the new “Failed Validation limit of 5 failures per account, per hostname, per hour”.

Here is my concern:

  1. Lets suppose the MyCompany Inc. starts to issue certificates on user’s behalf using the domain mycompany.com and the account john.smith@mycompany.com.
  2. 5 different users come and want to issue certificates for 5 different domains - a.com. b.com, etc. and all these requests fail.

Does that mean our account (john.smith@mycompany.com) and our host (mycompany.com) will be blocked for one hour?
I hope not and I expect that in the above scenario the combination of john.smith@mycompany.com and a.com, john.smith@mycompany.com and b.com, etc. will be blocked if more than 5 failed requests are send for these hostnames from this account?

Have I understood that correctly?

2

No.

Pretty much. You can have multiple accounts with the same email address -- the failed validation rate limit would only apply to the guilty account, not all of them.

And, to be clear, if x.example.com is rate-limited, that doesn't affect different hostnames under the same domain, like example.com or www.example.com or even www.x.example.com.

1 Like
3

And this will block it for only one hour, correct?

4

Yep! 1 hour from the first failed validation.*

  • Give or take? I don’t think it’s rounded.
1 Like
5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.