
Rate Limits - beardicus
https://letsencrypt.org/docs/rate-limits/
======
eximius
For everyone that complains about Let's Encrypt, I just want to state that
Let's Encrypt solves the single largest use case for issuing certificates for
domains - a single server you control which hosts one (or more) website(s).

All of these issues with 3 month certs, rate limiting, and limited
certs/domain stem from much more complicated problems and it isn't fair to
expect Let's Encrypt to tackle those.

~~~
dsr_
And unless something really odd is happening, a small server owner will run
into these problems when first setting up their LE certs for automated renewal
and not any time thereafter.

~~~
sdoering
That is something I do not see in my own (n=1) experience. The only problem I
had was with a poorly written crontab entry, that was totally my fault.

Setting up my 5 domains, hosted on one small (virtual) server instance was
just a breeze. Esp. compared to my former experience with StartSSL.

And now, with a cronjob doing auto renewal everything is solved. So for me at
least Let's Encrypt just made life better.

~~~
sbarre
This was also my scenario.. 10 domains, one virtual server..

It took me about 45 minutes from "never done this" to "all sites done with a
cron job for auto-renewals".

The final thing I did once everything was set up was donate to the project.

------
bcoates
I'll bite: sliding windows are a pain, if you hit them by accident they result
in a weird self-DoS. Why not token bucket? It's a simpler algorithm to
implement and less pain for the client.

If I'm unaware of these limits and use them up all at once, I'm locked out for
a week instead of having to wait 1/rate to issue just one more.

~~~
j4cob
(Let's Encrypt engineer)

Token bucket is a good idea, and I agree that it would make the user
experience of hitting rate limits less onerous. We implemented sliding windows
because they were straightforward to implement based on our long-term database
state. I'll do some thinking about whether we can emulate a token bucket style
on top of that without having to add another source of truth for rate limit
information.
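
The two schemes compared above, as an added example that is not code from the thread or from Let's Encrypt: a sliding-window counter and a token bucket, both tuned to the thread's 20 events per week. The helper `burst_then_wait` is assumed here; it spends the whole allowance at once and reports how long a client then has to wait, which is the self-DoS bcoates describes (a full week under the sliding window versus one-twentieth of a week under the bucket).

```python
from collections import deque

WEEK = 7 * 24 * 3600  # seconds
LIMIT = 20            # the thread's "20 certs per registered domain per week"


class SlidingWindow:
    """Allow at most `limit` events in any trailing `window` seconds."""
    def __init__(self, limit=LIMIT, window=WEEK):
        self.limit, self.window, self.events = limit, window, deque()

    def _expire(self, now):  # drop accepted timestamps that fell out of the window
        while self.events and now - self.events[0] >= self.window:
            self.events.popleft()

    def allow(self, now):
        self._expire(now)
        if len(self.events) >= self.limit:
            return False
        self.events.append(now)
        return True

    def retry_after(self, now):  # seconds until one more event is allowed
        self._expire(now)
        return 0.0 if len(self.events) < self.limit else self.events[0] + self.window - now


class TokenBucket:
    """`capacity` tokens, refilled continuously at `rate` tokens per second."""
    def __init__(self, capacity=LIMIT, rate=LIMIT / WEEK, now=0.0):
        self.capacity, self.rate, self.tokens, self.last = capacity, rate, float(capacity), now

    def _refill(self, now):  # credit tokens for the time elapsed since the last call
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def allow(self, now):
        self._refill(now)
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

    def retry_after(self, now):  # seconds until one more event is allowed
        self._refill(now)
        return 0.0 if self.tokens >= 1.0 else (1.0 - self.tokens) / self.rate


def burst_then_wait(limiter, n=LIMIT, start=0.0):
    """Spend the allowance in one burst at `start` (assumed helper); return (accepted, seconds to wait)."""
    accepted = sum(limiter.allow(start) for _ in range(n))
    return accepted, limiter.retry_after(start)
```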

~~~
nickpsecurity
Has anyone published something about the performance, scaling, and price of
your HSMs? I'd like a link to it if it's available.

------
nstj
Letsencrypt is really a fantastic project. I can (sorta) understand why people
might squeal about 90 day cert lifetimes, but just wanted to put it out there
that I think that LE makes the internet a better place. @jaas adding to this
thread and providing context on the decisions they made is really just the
icing on the cake :)

------
eCa
This thread would've made a much better example for the "users you don't want"
article[1] than disabled children. It is not reasonable to expect a free
service to solve all certificate related problems.

On the other hand, it shows, yet again, how dysfunctional the certificate
industry is.

[1]
[https://news.ycombinator.com/item?id=12306284](https://news.ycombinator.com/item?id=12306284)

------
walrus01
I really don't see what problem people are having with the 'official' certbot
CLI client. It's very straightforward.

Even if you're not allowing it to directly mess with apache2 or nginx
configuration files and want to run it in standalone mode. For example to get
a certificate for my 'test' environment public facing smtpd:

    sudo ./certbot-auto certonly -v --standalone --standalone-supported-challenges http-01 -d mail.mydomainname.us

The results:

- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/mail.mydomainname.us/fullchain.pem. Your cert will
  expire on 2016-08-17. To obtain a new version of the certificate in the
  future, simply run Certbot again.
- If you lose your account credentials, you can recover through e-mails sent
  to myname@mydomainname.us.
- Your account credentials have been saved in your Certbot configuration
  directory at /etc/letsencrypt. You should make a secure backup of this
  folder now. This configuration directory will also contain certificates and
  private keys obtained by Certbot so making regular backups of this folder
  is ideal.

Now we have three files, the certificate itself, the certificate itself and
the full chain, and the private key:

    /etc/letsencrypt/live/mail.mydomainname.us# ls -alh
    total 8.0K
    drwxr-xr-x 2 root root 4.0K May 19 14:36 .
    drwx------ 3 root root 4.0K May 19 14:36 ..
    lrwxrwxrwx 1 root root   42 May 19 14:36 cert.pem -> ../../archive/mail.mydomainname.us/cert1.pem
    lrwxrwxrwx 1 root root   43 May 19 14:36 chain.pem -> ../../archive/mail.mydomainname.us/chain1.pem
    lrwxrwxrwx 1 root root   47 May 19 14:36 fullchain.pem -> ../../archive/mail.mydomainname.us/fullchain1.pem
    lrwxrwxrwx 1 root root   45 May 19 14:36 privkey.pem -> ../../archive/mail.mydomainname.us/privkey1.pem

~~~
jontro
I had a few issues debugging the callbacks fired for letsencrypt-auto (i.e.
how --post-hook and --renew-hook work).

Almost hit the limit before I got it working

~~~
pfg
You can use the --test-cert or --dry-run flags for this purpose. The former
just makes the client use the staging server (which has higher rate limits),
while the latter uses the staging server to simulate renewal, stopping short
of actually storing the staging certificates (in other words: ideal for
testing renewal in production).

~~~
jontro
The dry run flag didn't trigger the hooks, didn't think about the --test-cert
flag, would've been helpful! Thanks

------
michaelt
I wish they didn't have the limit of 20 certs per registered domain.

There are a lot of use cases this blocks - Plex's use case [1] where they
issued certs for all their users; large organisations (I'm sure there are more
than 20 sites run under .mit.edu sites by different teams who wouldn't want to
share multi-name certificates); and of course using ISP-assigned hostnames
like host86-186-141-3.range86-186.btcentralplus.com (admittedly there are
other reasons LE might not want to issue certs for that final case).

Does anyone know the reason for that limit? It seems quite low considering
they allow 500 certs per IP address and 300 pending authorizations at a time
:)

[1] [https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/](https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/)

~~~
pfg
The signing capacity of the HSM (or possibly HSMs, I'm not sure) holding the
intermediate certificate is limited. These devices are quite expensive, so
it's not _that_ easy to scale this resource. In comparison to that, a pending
authorization is just a row in some table, so that doesn't take up too many
resources.

For use-cases like Plex (or generally things that require a large number of
subdomains), there's now a form you can use to request rate limit
adjustments[1].

[1]:
[https://docs.google.com/forms/d/e/1FAIpQLSfg56b_wLmUN7n-WWhb...](https://docs.google.com/forms/d/e/1FAIpQLSfg56b_wLmUN7n-WWhbwReE11YoHXs_fpJyZcEjDaR69Q-kJQ/viewform?c=0&w=1)

~~~
nickpsecurity
Are you able to disclose the speed and/or cost? I know people working on
cheaper HSMs. They might find the numbers useful as an assessment of how
practical their own are.

~~~
pfg
I don't have any first-hand knowledge, sorry. (Not affiliated with ISRG.)

Based on some public posts, I believe Let's Encrypt is using Gemalto HSMs,
though I'm not sure which model or how many of them.

------
Walkman
Is it possible to request random certificates for a competing company which
you know uses Letsencrypt? If yes, you could force them to not use Letsencrypt
because of these limits. What counts as an issued certificate?

~~~
pfg
You would not be able to increase any of the relevant rate limit counters
without at least controlling a (sub)domain belonging to your competitor, or
being able to send requests from the IP address your competitor is using to
request certificates. There's no rate limit that would apply to your
competitor short of that.

------
sofaofthedamned
The official advice from LE about many subdomains is to combine them onto one
cert with Subject Alternative Names.

This doesn't work for me - I used to do this with the Lego client using the
DNS challenge for my registrar, Namecheap. Unfortunately by the second or
third challenge it would hang and eventually give up. I didn't have the
problem splitting the subdomains into separate certs and running them 5
minutes apart.

The problem is likely in over restrictive rate limiting from Namecheap, but
either way one of them needs to loosen up.

Does anybody else know about the Namecheap restrictions? I don't use their API
for anything else but the LE DNS challenge (adding TXT records once every
other month)

~~~
bigiain
" … one of them needs to loosen up."

Or perhaps you need to revisit your decision to require "many subdomains" and
consider whether it's a sensible decision if it relies on somebody else
providing SSL certs for them inexpensively or for free.

You can buy a wildcard cert for under a hundred bucks these days - how much
obligation do you think LetsEncrypt have to change their product to save you
$100/year because of your design decisions? If LetsEncrypt (or Namecheap)
don't work for you, pay someone who sells a thing that _does_ work for you (or
change your requirements).

~~~
sofaofthedamned
Er, hang on, I don't have a sense of entitlement about this and if it came
across that way it wasn't intended.

Point is, I had only 8 domains on the cert and it didn't manage to complete
most of the time. It's either an issue with the LEGO client, LE or Namecheap
API.

------
Sephr
Let's Encrypt doesn't support removing subdomains from a certificate like it
supports adding subdomains, so people offering per-user subdomains need to
create a completely new certificate every time a user deletes their account.

All it takes is 5 (or 20?) users to delete their accounts and you've used up
your Let's Encrypt quota for the _entire week_!

Without wildcard certificates or a method to remove subdomains from a
certificate, LE is still useless for UGC sites with per-user subdomains.

~~~
ajross
> LE is still useless for UGC sites with per-user subdomains

Let's Encrypt is a _public service_ , aimed at operators of individual systems
who host web content or email in a casual sense, were poorly served by the
complexity of getting and maintaining a TLS cert, and who empirically were
basically not doing TLS.

Your posited blog host is going to be a professional or semi-professional web
admin. Just call up Comodo or whoever. There's a product for that need. Let's
Encrypt is not it.

In the vernacular: cry me a river.

~~~
phil21
I had a team member explain the project vastly differently to me. Can you
provide a link that LE is only for personal/casual use?

As a webhost we have offered SSL certificates to customers for ages. Unless
it's free you will see very little uptake. Which eliminates the main purpose
for LE to exist, from what I was told.

I also have a rather compelling use case for far more than 20 subdomain
certificates a week, but there is absolutely no "market" for that use-case -
it simply increases Internet security. Which was the entire stated goal of the
project, I thought.

First I've heard that LE is only for personal use :)

~~~
X-Istence
If you have per-user sub-domains, just get a wildcard cert, pay for it, and
cover all your users all at once. Why do you want to go through LE for
that purpose?

------
Achshar
What I personally find more inconvenient than any of those limits (as a
non-power user) is the 3 month lifetime of certs. I am a windows user. Running
a VM once a month just to renew my 3 certs is a huge headache. Will it really
be that much of a burden to have like a year?

Not to mention the whole process is so very incredibly fugly. For something as
important as it is why is there not an official online UI to manage certs? I
know of at least one online client that does exactly that but it's not
official. We need the process to be as simple as making a facebook account for
example. I am not very knowledgeable in certificates btw, so I may be just
about to have a duh'oh moment..

Edit: Forgot to mention, I can't use auto renew scripts because my sites run
on shared hosting and I don't have any kind of command line access. I have to
manually upload certificates via cpanel.

~~~
JoshTriplett
> What I find more inconvenient than any of those limits (as a non-power user)
> is the 3 month lifetime of certs. I am a windows user. Running a VM once a
> month just to renew my 3 certs is a huge headache. Will it really be that
> much of a burden to have like a year?

You shouldn't do _anything_ by hand to renew certificates. The short
certificate lifetime encourages you to automate the process.

Clients exist for Windows, and web servers exist for Windows that include
native support for ACME and Let's Encrypt.

~~~
Achshar
Those aren't really an option for me, I use shared hosting without command
line access. I realize this is an issue specific to my case but I know many
other people that have their own small sites running on similar hosting as
mine.

~~~
schoen
If continuing to use your current hosting provider is important to you, I
suggest you ask them to integrate Let's Encrypt on their end. (That could
include just letting you get Let's Encrypt certs through cPanel; it doesn't
necessarily have to mean a lot of coding for them.) We've been talking to a
number of providers of various shapes and sizes who are doing this or planning
to do it. It's the best option for hosting environments where the customer
doesn't have administrative access.

------
yuhong
This reminds me of the question of which kinds of attacks would be possible if
Let's Encrypt issued SHA1 certificates.

------
antar
This is a ridiculously low limit for a SaaS provider.

~~~
bigiain
Got any examples of SaaS providers who don't have low limits on their free
tier offerings?

Personally I think you're badly mis-categorizing LetsEncrypt there - it's not
like they're trying to bug you into signing up for a $29/month "Personal Plan"
or a $199/month "Professional Plan" by keeping their limits low. They're
giving their service away for free, and trying hard to only exclude the very
edge cases of people who need way more resources to satisfy than the 99%.

If you've got a plan that requires hundreds of ssl certs per week to operate,
and you don't have a revenue stream to pay for them, your plan needs more
work. Just 'cause someone offers "free coffee", doesn't mean you can make a
business out of showing up with a pickup truck full of 44gal drums and demand
to have them fill you up for free so you can give it away to the customers at
your restaurant...

~~~
antar
> Got any examples of SaaS providers who don't have low limits on their free
> tier offerings?

By SaaS I meant company offering subdomains/custom domains that needs LE - not
LE itself. It's not a SaaS company to begin with.

> They're giving their service away for free.

LE is not a charity. It's a business.

~~~
bigiain
> By SaaS I meant company offering subdomains/custom domains that needs LE -
> not LE itself.

Ahhh, sorry, my misunderstanding. (But an alternative comment - it's not that
those SaaS companies "need LE", it's just that they want free ssl certs. I
_want_ free Teslas - my local Tesla dealership doesn't care... That doesn't
make their prices "ridiculously high", it's a problem with my expectations.)

> LE is not a charity. It's a business.

Not sure I (or they) agree with you there:

"Let’s Encrypt is a free, automated, and open certificate authority (CA), run
for the public’s benefit. Let’s Encrypt is a service provided by the Internet
Security Research Group (ISRG)."

"Consider becoming a sponsor or simply donate via PayPal."

Sure there's a wide grey line between "a business", "a 501c non-profit", and
"a charity" - but if your revenue stream comes from a "please donate or
sponsor us" link, not your product's pricing (whether that's a thing/service
you sell, or the privacy of your free users you're selling), I think you're a
lot closer to the "charity" end of that line than the "business" end.

