I am working on an Azure Resource Manager template, which will allow people to spin up VMs in their own Azure Subscription, and I wanted to allow people to select Let's Encrypt as one way of setting up certificates for the machine.
According to the rate limit documentation, the rate limit for azure.com (meaning all datacenters all over the world) is 20 per week.
I think my template alone will by far exceed this, but how is the rate limit working for azure.com?
One machine from one person might be myvm.westeurope.cloudapp.azure.com and another person deploying in the same datacenter might be othervm.westeurope.cloudapp.azure.com.
Can you elaborate on how rate limits are on azure.com subdomains?
I would guess that cloudapp.azure.com has been given a rate limit exclusion by Let's Encrypt and is not subject to the published rate limits.
Staff would be able to confirm whether this is the case.
Even though I am not staff, I can confirm that this is the case by looking at crt.sh and seeing that cloudapp.azure.com has already been issued far more than 20 certificates today.
Typically with the rate limit exceptions, there is still a rate limit, but it’s much higher than the default. There’s no API to query what the revised rate limit for a particular domain is. Hopefully the Azure and/or Let’s Encrypt ops folks are monitoring this so that they can adjust it if the actual utilization approaches the new limit.
Probably the rate limit that people should pay attention to in this case is the duplicate certificates limit (they can only get 5 certificates per week with the exact same combination of names). This rate limit is still imposed on domains that have otherwise received an exception. This can sometimes be a problem for people using VMs if they use the VMs in a way that doesn’t persist certificates they’ve obtained and they recreate the VM frequently.
If you have some way to make your template compatible with people using their own domain (instead of cloudapp.azure.com), you could also encourage people who already have their own domain to use that option, just because at least those users will sidestep the issue. However, the evidence that @Patches found suggests that your project by itself will probably not cause Azure users as a whole to trigger a rate limit. If you do get any report from a user that the certificates per registered domain limit (as opposed to the duplicate certificates limit) was ever reached, you can definitely bring it up with Azure support as well as here on this forum.
I have done exactly that.
The template allows you to use any combination of Azure vs. your own domain name and your own certificate vs. self-signed vs. Let's Encrypt.
(And I created ~30 machines today to test whether the limit was 20 - it wasn't :-))
I am not concerned about the 5 per week. Even though I use Docker inside the VM, the certificate created is cached and reused until shortly before expiration, so unless people remove the VM and create the same VM 5 times a week, there should be no problem.
I hope somebody from Staff can give me an indication of the rate limit so that I know where it is.
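As an added example (not code from the thread or from the template being discussed), the following Python sketch models the two points raised above: the 5-per-week duplicate-certificate limit, which still applies to exempted domains such as cloudapp.azure.com, and reusing a cached certificate until shortly before expiry so that a recreated VM does not immediately re-request the same set of names. The issuance log and the 30-day renewal threshold are constructed assumptions, not data from the page.

```python
from datetime import datetime, timedelta, timezone

# Limit discussed in the thread: 5 certificates per week with the exact same
# set of names; this applies even where the registered-domain limit is exempted.
DUPLICATE_LIMIT_PER_WEEK = 5
WINDOW = timedelta(days=7)
# Assumed renewal threshold (a common ACME client default), not from the thread.
RENEW_DAYS_BEFORE_EXPIRY = 30


def identifier_set(names):
    """Normalise hostnames to the exact identifier set the duplicate check compares."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)


def duplicates_in_window(issued, names, now):
    """Count certificates issued in the last week for exactly this set of names."""
    key = identifier_set(names)
    cutoff = now - WINDOW
    return sum(1 for cert in issued
               if cert["issued_at"] > cutoff and identifier_set(cert["names"]) == key)


def would_hit_duplicate_limit(issued, names, now):
    """True if requesting another certificate for these names would exceed the limit."""
    return duplicates_in_window(issued, names, now) >= DUPLICATE_LIMIT_PER_WEEK


def should_renew(not_after, now, days_before=RENEW_DAYS_BEFORE_EXPIRY):
    """Reuse the cached certificate until shortly before expiry, then request a new one."""
    return not_after - now <= timedelta(days=days_before)


# Constructed sample issuance log (the kind of data one could assemble from crt.sh).
NOW = datetime(2017, 6, 15, 12, 0, tzinfo=timezone.utc)
MYVM = ["myvm.westeurope.cloudapp.azure.com"]
OTHERVM = ["othervm.westeurope.cloudapp.azure.com"]
SAMPLE_ISSUED = (
    [{"names": MYVM, "issued_at": NOW - timedelta(days=8)}]          # outside the window
    + [{"names": MYVM, "issued_at": NOW - timedelta(days=d)} for d in (1, 2, 3, 4, 5)]
    + [{"names": OTHERVM, "issued_at": NOW - timedelta(days=1)}]
)
EXPIRES_SOON = NOW + timedelta(days=10)   # constructed: certificate expiring in 10 days
EXPIRES_LATER = NOW + timedelta(days=60)  # constructed: certificate expiring in 60 days

if __name__ == "__main__":
    print("myvm duplicates this week:", duplicates_in_window(SAMPLE_ISSUED, MYVM, NOW))
    print("myvm would be blocked:", would_hit_duplicate_limit(SAMPLE_ISSUED, MYVM, NOW))
    print("renew cert expiring in 10 days:", should_renew(EXPIRES_SOON, NOW))
```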
@jsha, could you find (and disclose) the adjusted rate limit for cloudapp.azure.com, or would Let’s Encrypt prefer not to state these numbers precisely?
I will message @freddydk directly to resolve, thanks so much @jsha for letting me know about this!
It looks like there are some other Azure domains on the public suffix list too.
I don't know how they're allocated or if they could be good alternates but…
// Microsoft : http://microsoft.com
// Submitted by Barry Dorrans <email@example.com>
Those domain names are used for other purposes and cannot be used from Azure Resource Manager Templates.