Where is the rate limit exemption request form?


#1

From Googling I heard a lot of people mention that there is a rate limit exemption request form that came out or was coming out in January, but I couldn’t find any links to the form itself.

I’m building a free p2p hosting CDN service where anyone can CNAME their domain to my service’s domain to use my p2p features on their site, and I would like to submit a request to the rate limit exemption form so that users can keep using TLS, automatically provisioned by Let’s Encrypt and managed through my server. The PSL would not apply, as site owners can use any domain with my service. My situation is similar to WordPress custom domains.


#2

Wordpress customers don’t get an exemption, they simply get a certificate for whatever domain they’ve applied for.

If they’re using a mydomain.wordpress.com site, again it’s not because Wordpress is exempt from limits, it’s because wordpress.com is on the known suffix list. That means “wordpress.com” is treated the same as “com.au” or “co.nz”.


#3

I’m not referring to the PSL.

I am referring to WordPress’s custom domain functionality (i.e. WordPress hosts everything on your own domain), and WordPress does get an exemption as evident on https://en.blog.wordpress.com/2016/04/08/https-everywhere-encryption-for-all-wordpress-com-sites/ where they say they are rolling this out for their “million-plus custom domains”. I don’t expect millions of domains to use my service, but I will definitely have many more domains being used than the rate limit will allow.

WordPress’s custom domains situation has similar implications to the functionality that my p2p CDN is providing. I currently have to proxy /.well-known/acme-challenge/* back to the client’s origin site and ask them to run Let’s Encrypt and share their keypairs with me. My service is registrationless for the free tier, so this adds quite a lot of complexity for my users when I could instead simply be doing the Let’s Encrypt challenge myself.


#4

Nowhere in your link does it say they get an rate limit exemption. I don’t even see that being implied.

Hopefully @pfg, @jsha or @schoen can better explain it for you, but to the best of my knowledge, nobody is exempt from rate limits. I’m guessing wordpress.com is on the suffix list, and the other (non-wordpress.com) domains have their own LE account each. Your account info is under the letsencrypt/account directory (if using certbot).

Seriously, search this site for info about getting on the suffix list, that’s your best bet.


#5

No, they just have a wildcard cert for those.


#6

:open_mouth:
You mean we can get wildcards!?!? I didn’t think that was coming for a very long time! (If ever!)


#7

They say that they’re using Let’s Encrypt, and that they have over a million custom domains (that’s the non-wordpress.com domains). They don’t have a million different IP addresses, which implies that they aren’t being rate limited. They also mentioned that they reached out to Let’s Encrypt.


#8

The IP address rate limits should not be a huge roadblock, as it only applies to registrations and is set to 500 per 3 hours. I’m not sure if you’re planning to run the client from your user’s IP or from your own, but even if it’s your own address, that would allow you to issue thousands of certificates if you share registrations across multiple domains, or at least 500 new domains per 3 hours if you’re going to do one registration per domain.

There’s currently no public rate limit exemption form because the team has yet to figure out how to handle the applications in a way that doesn’t cause too much work and is fair to users. No ETA right now.


#9

Note: The relevant question in WordPress.com’s case is not the number of IP addresses but the number of certificates per registered domain. See Rate limits for Let’s Encrypt for details of how the limits work. Also check out the Integration Guide. I think in your case you will probably not need any overrides, assuming you use a single account.

Also, to be clear: No one is exempt for rate limits, but we do have an ad-hoc method to increase rate limits on a per-account or per-registered domain basis. We’re still figuring out how to scale that process, as @pfg said.


#10

Alright, thanks for the info. My service hasn’t launched yet, but once it does launch I will most likely exceed the 500 domains per 3 hours IP address rate limit for the first week. I definitely won’t need a limit exemption after that, but I still would like my launch to go smoothly. @jsha Is there a specific email address I should contact prior to launching my service to ask for a temporary one-week rate limit increase? I expect at least ~1000-2000 domains per 3 hours during the first launch week, though it is hard to definitively gauge interest with the data I’ve collected so far. It’s very likely that I will exceed the 500, and pretty much guaranteed to happen for the first launch day.

(Btw, this isn’t urgent. I won’t be launching for about 4 months)


#11

To clarify: It sounds like you are thinking of this rate limit:

Registrations/IP address limits the number of registrations you can make in a given time period; currently 500 per 3 hours.

Note that you do not need to create a new registration (aka account) for every certificate you issue, and in fact it’s better not to (see the Integration Guide). If you create one account and use it for all your certificates, you won’t run into this particular limit at all.

Does that resolve your issue?

Thanks,
Jacob