Will raised rate limit be restored if issuance rate has been low?

About a year ago, we requested to raise the rate limit for our account, and it was granted.

We continued to develop on our project without issuing many certificates using LE’s production directory.

About two days ago, we started experimenting with the production directory, and hit the rate limit pretty quickly. The error message initially said we created new orders too frequently, and once that rate limit passed it said too many certificates already issued for the exact set of domains.

Issuing certificates for the same set of domains was a mistake on our part, and is currently being addressed.

But this rate limit was hit with a very low number of certificates being issued, and we have verified that the account hitting the rate limit is the same one that has its rate limit raised.

A few questions:

  1. Is our rate limit restored?
  2. Will the rate limit be restored with a long period of low issuance rate?
  3. Is it possible to check the rate limit for an account?
  4. What rate limits are raised exactly? We believe the number of certificates per registered domain will definitely be raised, but what about the number of new orders per 3 hours?
  5. Is the number of certificates issued for the same set of verified domains always rate limited?
  6. Is the rate of revoking certificates also rate limited? The official doc mentions the request rate limit, but what about actual revocations?

We can provide the account number to help investigate. Is it safe to disclose it here, or should a more private channel be used?

1 Like

Which exact limits did you get raised? You should have received an email listing each one, e.g.:

Our weekly limit on certificates issued for your ACME v2 account ID: <account ID here> has been increased to <N> failed validations per hour and <M> new orders per 3 hours.

Thanks for using Let’s Encrypt and making the Web more secure!

You can post your account ID, it’s just a number. Someone from @lestaff can then check it.

2 Likes

The New Orders rate limit was added as part of the ACMEv2 API. (The ACMEv1 API worked slightly differently and didn’t have orders.) Hypothetically, maybe your rate limit increase was done before the New Orders rate limit was invented, and maybe you’re using the default?

I believe not. There’s obviously not a documented one. Wouldn’t shock me if there was a very high limit, though. Revocation is important, so a CA can’t really limit it much.

3 Likes

This very thing has happened often - rate limit adjustments in the past but not for the new orders rate limit. If you are not comfortable posting your ACME account ID here (these are non-identifying numbers but people still don’t like to publish them), feel free to DM it to me! Happy to check.

Also, if you received a rate limit adjustment confirmation from me (Jenessa), you can also reply to that with your ACME account ID.

Best,
JP

5 Likes

@_az @mnordhoff I took a closer look at the confirmation email, and it said the weekly limit of certificates issued for our ACME account had been raised, but nothing about new orders. I’ve already sent a DM to @jple. Thanks for the help.

But we are still wondering about question #5. Once a set of domains is verified, is repeatedly issuing certificates for them always rate limited? Is it orthogonal to the certificates per registered domain or new orders rate limit? Is the threshold documented anywhere?

1 Like

Indeed they are separate.

Even if your Certificates per Registered Domain limit for example.com is set to 5000/week, you can only issue the exact certificate of test.example.com at most 5 times per week, due to the Duplicate Certificate limit.

Do you mean https://letsencrypt.org/docs/rate-limits/ ?

3 Likes
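A client-side pre-flight check for the two independent limits described in the reply above, as an added example that is not part of the thread or of any Let's Encrypt tooling. The history records, the `check_order` name, the sliding 7-day window and the two-label registered-domain shortcut are assumptions made for illustration; the 5 and 5000 figures are the ones quoted in the reply.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=7)   # "per week", modelled as a sliding window (assumption)
DUPLICATE_LIMIT = 5          # same exact certificate, figure from the reply above
PER_DOMAIN_LIMIT = 5000      # raised per-registered-domain figure from the reply


def name_set(names):
    """Certificate identity for the duplicate limit: the exact set of
    hostnames, ignoring capitalisation and ordering."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)


def registered_domain(name):
    """Simplification: last two labels. Real code needs the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def check_order(history, names, now, per_domain_limit=PER_DOMAIN_LIMIT):
    """history: iterable of (issued_at, [hostnames]) kept by the client.
    Returns the limits a new order for `names` would run into."""
    recent = [name_set(n) for t, n in history if now - t < WINDOW]
    wanted = name_set(names)
    blocked = []
    # Limit 1: identical name set, regardless of any per-domain increase.
    if sum(1 for s in recent if s == wanted) >= DUPLICATE_LIMIT:
        blocked.append("duplicate-certificate")
    # Limit 2: every certificate touching a registered domain counts once.
    per_domain = Counter()
    for s in recent:
        per_domain.update({registered_domain(n) for n in s})
    for d in sorted({registered_domain(n) for n in wanted}):
        if per_domain[d] >= per_domain_limit:
            blocked.append(f"certificates-per-registered-domain:{d}")
    return blocked


# Constructed sample history: five identical certificates in the last three
# days, one with an extra name, and one outside the window.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_HISTORY = (
    [(NOW - timedelta(hours=12 * i + 1), ["Test.Example.com"]) for i in range(5)]
    + [(NOW - timedelta(days=2), ["test.example.com", "www.example.com"]),
       (NOW - timedelta(days=8), ["test.example.com"])]
)

if __name__ == "__main__":
    print(check_order(SAMPLE_HISTORY, ["test.example.com"], NOW))
```

Adding or removing a single hostname produces a different name set, so the same history blocks `test.example.com` alone while still allowing `test.example.com` together with `www.example.com`.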

Ah, it's right there in the middle of the article, sorry for missing that.

Thanks.

1 Like
