I am working on an Azure Resource Manager template, which will allow people to spin up VMs in their own Azure Subscription and I wanted to allow people to select Let's Encrypt as one way of setting up certificates for the machine.
According to rate limit documentation, the rate limit for azure.com (meaning all datacenters all over the world) is 20 per week.
I think my template alone will by far exceed this, but how is the rate limit working for azure.com?
One machine from one person might be myvm.westeurope.cloudapp.azure.com and another person deploying in the same datacenter might be othervm.westeurope.cloudapp.azure.com.
Can you elaborate on how rate limits are on azure.com subdomains?
Even though I am not staff, I can confirm that this is the case by looking at crt.sh and seeing that cloudapp.azure.com has already been issued far more than 20 certificates today.
Typically with the rate limit exceptions, there is still a rate limit, but it’s much higher than the default. There’s no API to query what the revised rate limit for a particular domain is. Hopefully the Azure and/or Let’s Encrypt ops folks are monitoring this so that they can adjust it if the actual utilization approaches the new limit.
Probably the rate limit that people should pay attention to in this case is the duplicate certificates limit (they can only get 5 certificates per week with the exact same combination of names). This rate limit is still imposed on domains that have otherwise received an exception. This can sometimes be a problem for people using VMs if they use the VMs in a way that doesn’t persist certificates they’ve obtained and they recreate the VM frequently.
If you have some way to make your template compatible with people using their own domain (instead of cloudapp.azure.com), you could also encourage people who already have their own domain to use that option, just because at least those users will sidestep the issue. However, the evidence that @Patches found suggests that your project by itself will probably not cause Azure users as a whole to trigger a rate limit. If you do get any report from a user that the certificates per registered domain limit (as opposed to the duplicate certificates limit) was ever reached, you can definitely bring it up with Azure support as well as here on this forum.
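One way to avoid tripping the duplicate-certificate limit described above, as an added example that is not part of this thread or of any Let's Encrypt tooling: a small Python checker that keeps a local issuance log, normalizes name sets the way that limit is keyed (the exact set of names, case-insensitive), counts issuances in the trailing seven days, and only requests a new certificate when the cached one is inside a renewal window. The log entries, dates and hostnames are constructed for the example.

```python
from datetime import datetime, timedelta

# Limits quoted in the thread. The 20/week certificates-per-registered-domain
# limit can be raised by an exception; the 5/week duplicate limit cannot.
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)


def normalize_names(names):
    """The duplicate limit is keyed on the exact set of names, so order,
    case and a trailing dot must not produce a 'different' certificate."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)


def duplicates_in_window(log, names, now):
    """Count log entries in the trailing 7 days with exactly this name set.
    log: list of (issued_at: datetime, names: list[str])."""
    key = normalize_names(names)
    return sum(
        1 for issued_at, entry_names in log
        if normalize_names(entry_names) == key and now - WINDOW < issued_at <= now
    )


def can_issue_duplicate(log, names, now):
    """True if one more issuance for this name set stays under the limit."""
    return duplicates_in_window(log, names, now) < DUPLICATE_LIMIT


def should_request(existing_not_after, now, renew_before=timedelta(days=30)):
    """Reuse the cached certificate until it is close to expiry; only then
    spend one of the five weekly duplicate issuances."""
    return existing_not_after is None or existing_not_after - now <= renew_before


# Constructed scenario: one VM name recreated (and re-issued) five days in a row.
T0 = datetime(2017, 5, 1, 12, 0)
VM = "myvm.westeurope.cloudapp.azure.com"  # hypothetical hostname
SAMPLE_LOG = [(T0 + timedelta(days=d), [VM]) for d in range(5)]


def day(n, hours=0):
    """Helper so callers can express 'now' relative to T0 without datetime math."""
    return T0 + timedelta(days=n, hours=hours)


if __name__ == "__main__":
    print("issuances this week:", duplicates_in_window(SAMPLE_LOG, [VM], day(5)))
    print("may issue again now:", can_issue_duplicate(SAMPLE_LOG, [VM], day(5)))
    print("may issue after window slides:", can_issue_duplicate(SAMPLE_LOG, [VM], day(7, 1)))
```

A different VM in the same datacenter has its own name set and therefore its own duplicate budget, which is why the per-registered-domain limit, not this one, is the only thing shared between users.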
Thanks
I have done exactly that.
The template allows you to use any combination of Azure vs. your own domain name and your own certificate vs. self-signed vs. Let's Encrypt.
(And I created ~30 machines today to test whether the limit was 20 - it wasn’t:-))
I am not concerned about the 5 per week. Even though I use Docker inside the VM, the certificate created is cached and reused until shortly before expiration, so unless people remove the VM and create the same VM 5 times a week, there should be no problem.
I hope somebody from Staff can give me an indication of the rate limit so that I know where it is.
@jsha, could you find (and disclose) the adjusted rate limit for cloudapp.azure.com, or would Let’s Encrypt prefer not to state these numbers precisely?