There are many threads on this, dating back many years, most if not all closed.
For large universities, the rate limiting system is broken. I’m an admin at tuwien.ac.at. Every department, faculty and workgroup is issued its own subdomain. So to be precise, I’m an admin for media.tuwien.ac.at. There are hundreds of other subdomains, which hundreds of other admins are responsible for. We do not talk to each other, we have no shared mailing list, we’re not even in the same building or near each other. I have no idea what they do, they have no idea what I do, and the reality is, this isn’t going to change - so we won’t be able to go the wildcard cert path.
I’ve been happily maintaining a handful of media.tuwien.ac.at subdomains with Let’s Encrypt. So far all worked well because, I guess, I was one of the first admins to start using Let’s Encrypt. Today I wanted to fire up a new subdomain, but because someone, or many other admins, have started using Let’s Encrypt too, I’m barred from doing so.
For me, the logical step would be for Let’s Encrypt to move up rate limits for academic domains by one level. So media.tuwien.ac.at has its own limit, bar.tuwien.ac.at has its own limit, etc - because while on paper we are all one big happy family, in reality we are fragmented, and will unfortunately probably always be.
@schoen When a university has a rate limit exemption, does it apply to everything.anything.university-domain.tld or only to anything.university-domain.tld? (In other words, is it equivalent to being on the Public Suffix List, or is it broader and does it apply to any number of sub-levels?)
I think that makes some amount of sense - effectively, treat *.edu as a Public Suffix, so each subdomain.example.edu would get its own rate limit bucket. However, as @patwww's comment points out, there are lots of university domain names that don't end in .edu.
Another approach we've been meaning to work on for a while: Changing how renewals get counted against rate limits. Right now, you can always renew (the Renewal Exemption), but those renewals do count against your overall limit. So if you control all subdomains, you'd want to cluster up renewals so that you have wide-open chunks of time where you can issue new certificates. Even in that situation, it's a pretty annoying coordination problem, and in the university case it's basically impossible. If we make it so renewals aren't counted at all, it would probably solve most of these University use cases, at least under non-malicious scenarios (your neighbors at other departments would still be able to scoop up all your rate limit for new issuances if they wanted to, but probably would not).
Yep, I totally agree it would solve a bunch of problems! And I do want to do it. The blocker has been that we rely on database queries to calculate rate limit status, and those queries need to be fast, which means they need a new field and an efficient index over that field. We have that field now and we’ve recently started filling it, so I think the next step will be to add the relevant queries and RPCs. We’re making progress, but it’s been slow.
Until then...
This doesn't really make sense to me:
A single wildcard won't cover multiple subdomains.
True, it will only cover one.
But a wildcard for "*.media.tuwien.ac.at" can cover a whole lot of names.
[until the rate limits get fixed / increased]
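The wildcard point made in the posts above (one wildcard covers many names, but only at a single label depth) is easy to get wrong when planning which names a certificate will actually serve. The check below is an added illustration written for this thread, not code from Let's Encrypt or from any poster; it applies the usual TLS name-matching rule that a `*` must be the whole left-most label and matches exactly one label, and reports which of a constructed list of hostnames a given wildcard would leave uncovered.

```python
def wildcard_covers(pattern, hostname):
    """True if certificate name `pattern` covers `hostname`.

    Rule applied (RFC 6125 style, as browsers and most TLS stacks do it):
    a '*' is only accepted as the entire left-most label, and it matches
    exactly one label - never zero labels and never several.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Partial-label wildcards ("www*") and wildcards deeper in the name are rejected.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Exactly one label must stand in for the '*', so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered(pattern, names):
    """Names from `names` that `pattern` would not cover."""
    return [n for n in names if not wildcard_covers(pattern, n)]


# Constructed sample: names a department admin might want on one certificate.
SAMPLE_NAMES = [
    "www.media.tuwien.ac.at",
    "mail.media.tuwien.ac.at",
    "media.tuwien.ac.at",          # the bare name is NOT matched by *.media...
    "dev.lab.media.tuwien.ac.at",  # two labels deep is NOT matched either
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"*.media.tuwien.ac.at covers {n}: {wildcard_covers('*.media.tuwien.ac.at', n)}")
    print("still need their own names:", uncovered("*.media.tuwien.ac.at", SAMPLE_NAMES))
```

In practice the bare name and any deeper names are added as extra SANs alongside the wildcard, so one certificate still covers the whole department.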
We’ve now changed how we handle renewal rate limiting so you don’t have to carefully order your new issuances versus renewals. This should make certificate issuance at universities significantly easier.
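To make the two policies discussed in this thread concrete (counting renewals against the per-registered-domain limit, as in the post explaining the Renewal Exemption, versus not counting them, as in the update above, plus the "treat the university domain as a public suffix" idea), here is a small simulation. It is an added example for this thread, not Boulder's code or any poster's: the limit of 3 per 7 days, the tiny public-suffix list and the timeline of issuances are all constructed values, and the real system has further limits this toy model leaves out.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mini public-suffix list; the real PSL is far larger.
BASE_SUFFIXES = frozenset({"at", "ac.at", "edu", "com"})


def registered_domain(fqdn, suffixes=BASE_SUFFIXES):
    """Registrable domain: the longest matching public suffix plus one more label."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            if i == 0:
                raise ValueError(f"{fqdn} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # no listed suffix: fall back to the last two labels


class RateLimiter:
    """Toy 'certificates per registered domain' limiter (an assumed model).

    Each issuance is recorded in the bucket of every registered domain it names.
    A request whose exact name set was issued before counts as a renewal and is
    always allowed (the Renewal Exemption); whether it is *counted* against the
    bucket is the policy switch `count_renewals`.
    """

    def __init__(self, limit, count_renewals=True, window=timedelta(days=7),
                 suffixes=BASE_SUFFIXES):
        self.limit = limit
        self.count_renewals = count_renewals
        self.window = window
        self.suffixes = suffixes
        self.issued = defaultdict(list)  # bucket -> [(issue_time, is_renewal)]
        self.seen = set()                # frozensets of names already issued

    def request(self, names, now):
        names = frozenset(n.lower() for n in names)
        is_renewal = names in self.seen
        buckets = {registered_domain(n, self.suffixes) for n in names}
        if not is_renewal:
            for b in buckets:
                counted = sum(
                    1 for t, renew in self.issued[b]
                    if now - t < self.window and (self.count_renewals or not renew)
                )
                if counted >= self.limit:
                    return False  # new issuance rejected by this bucket
        for b in buckets:
            self.issued[b].append((now, is_renewal))
        self.seen.add(names)
        return True


def simulate(count_renewals, suffixes=BASE_SUFFIXES, limit=3):
    """Constructed timeline on a shared university domain; returns the verdicts."""
    def day(d):
        return datetime(2020, 1, 1) + timedelta(days=d)

    rl = RateLimiter(limit=limit, count_renewals=count_renewals, suffixes=suffixes)
    rl.request(["www.media.tuwien.ac.at"], day(0))   # the media department
    rl.request(["bar.tuwien.ac.at"], day(1))         # another department
    rl.request(["baz.tuwien.ac.at"], day(1))         # yet another one
    out = {}
    out["day2_new"] = rl.request(["new.media.tuwien.ac.at"], day(2))
    out["day2_renew"] = rl.request(["www.media.tuwien.ac.at"], day(2))
    rl.request(["bar.tuwien.ac.at"], day(3))         # neighbours renewing
    rl.request(["baz.tuwien.ac.at"], day(3))
    # By day 8 only the renewals are still inside the 7-day window.
    out["day8_new"] = rl.request(["new.media.tuwien.ac.at"], day(8))
    return out


if __name__ == "__main__":
    print("renewals counted:    ", simulate(count_renewals=True))
    print("renewals not counted:", simulate(count_renewals=False))
    print("tuwien.ac.at as suffix:",
          simulate(count_renewals=True, suffixes=BASE_SUFFIXES | {"tuwien.ac.at"}))
```

With renewals counted, the media admin's new name is still blocked on day 8 even though the only activity inside the window is routine renewals by other departments; with renewals excluded it goes through. Adding `tuwien.ac.at` to the suffix list gives each department its own bucket, which is the per-subdomain outcome the original poster asked for.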