Why PSL limit at TLS not reached


#1

Hi,

I am new to Let’s Encrypt and I read a lot about it. Now I saw the limitations of requesting certificates. This concept is implemented over the PSL. But now I have two questions:
Why are there such limitations? Is it to prevent DoS attacks?
And the second one: .de is a suffix, too, right? So why is it possible to request more than 20 certificates per week for .de? For instance, a.de, b.de, c.de and so on. If I requested more than twenty certificates for ddns.net, the limit would be reached quickly.

Thanks in advance :slight_smile:


#2

Please see the documentation on rate limits - https://letsencrypt.org/docs/rate-limits/ (which includes information on defining the registered domain).


#3

Oh, you are right, I overread this, sorry. But then I don’t understand why it is not possible to register more than 20 .ddns.net domains (DynDNS provider)?
A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar.
So a.ddns.net would be a registered domain? So I can only register twenty of *.a.ddns.net, is this right? Or is there a difference to a normal .de domain?


#4

There is a current limit of 20 Certificates per Registered Domain per week.

So “a.ddns.net” is a registered domain - hence there is a limit of 20 certs/week for subdomains of “a.ddns.net”.

Whereas with “generic.de” as a registered domain, there is a limit of 20 certs/week for subdomains of “generic.de”.

There is no limit on domains “*.ddns.net”, as “a.ddns.net” is a different Registered Domain to “b.ddns.net”, in the same way as myco.com is different to yourco.com.
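To make the rule above concrete, here is an added example (not code from the thread or from Let’s Encrypt) that derives the registered domain from a constructed subset of the Public Suffix List and counts issuances per registered domain against the 20-per-week limit; the suffix set, the issuance log and the timestamps are all constructed, and PSL wildcard and exception rules are omitted.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed PSL subset (not the real list). "ddns.net" is listed as a
# public suffix, so names directly beneath it (a.ddns.net) are registered
# domains, just like generic.de is beneath the "de" suffix.
PUBLIC_SUFFIXES = {"de", "net", "com", "ddns.net"}

def public_suffix(hostname: str) -> str:
    """Longest PSL entry matching the end of hostname (no wildcard rules)."""
    labels = hostname.lower().rstrip(".").split(".")
    best = labels[-1]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            best = candidate  # a longer match overrides a shorter one
    return best

def registered_domain(hostname: str) -> str:
    """Public suffix plus one label: the key the rate limit counts on."""
    labels = hostname.lower().rstrip(".").split(".")
    n = len(public_suffix(hostname).split("."))
    if len(labels) <= n:
        raise ValueError(f"{hostname} is itself a public suffix")
    return ".".join(labels[-(n + 1):])

WEEKLY_LIMIT = 20  # certificates per registered domain per week

def certs_per_registered_domain(issuances, now):
    """Count issuances in the trailing 7-day window, keyed by registered domain."""
    window_start = now - timedelta(days=7)
    counts = Counter()
    for name, issued_at in issuances:
        if issued_at > window_start:
            counts[registered_domain(name)] += 1
    return counts

def limit_reached(issuances, now):
    """Registered domains that have used up their weekly allowance."""
    counts = certs_per_registered_domain(issuances, now)
    return {d for d, c in counts.items() if c >= WEEKLY_LIMIT}

# Constructed issuance log: (hostname, issued_at).
NOW = datetime(2024, 1, 15)
SAMPLE_ISSUANCES = (
    [(f"host{i}.a.ddns.net", NOW - timedelta(days=1)) for i in range(20)]
    + [("old.a.ddns.net", NOW - timedelta(days=9))]  # outside the window
    + [(f"host{i}.b.ddns.net", NOW) for i in range(3)]
    + [(f"site{i}.de", NOW) for i in range(25)]  # 25 distinct .de domains
)
```

Twenty-five different .de names never trip the limit because each is its own registered domain, while twenty subdomains of a.ddns.net exhaust that single registered domain’s allowance.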


#5

Ok nice answer, thanks!
And why is there the limit? Is it because of DoS attacks?


#6

No. The different limits are in place for different reasons, but none of those limits are specifically about DoS attacks.


#7

Could you write a brief reason for the limits, especially for the 20 certificates per domain per week? I can not imagine why this limit is set :frowning:


#8

My understanding on your other question is that you are writing a thesis on the topic. I’m not sure I want to write your thesis for you :wink: If you research the question a little on these forums you will find the answer.


#9

Yeah, you are right, you should not write my thesis :wink:
But I thought you could give me some indication for this point, so I could research for that :slight_smile:


#10

The question has been asked, and answered before …


#11

As @serverco (Thanks!) said it isn’t about Denial of Service attacks.

We implemented rate limiting because (like any service!) we have a fixed capacity available to us and a large pool of users to share that capacity :slight_smile: Rate limits are there to make sure no one user is taking more than their fair share of our capacity for themselves. For Let’s Encrypt our capacity is primarily a product of our Hardware Security Module (HSM)'s rate of signatures per second & the number of OCSP responses we need to keep updated (which itself is a product of the number of active certificates we’ve issued).


#17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.