Let’s Encrypt allows 300 orders per 3 hours per account. After 300 orders, all other orders will be blocked until the 3-hour limit has passed.
However, they also allow the creation of 10 accounts every 3 hours.
And if it’s from a different IP address, they allow for 500 accounts every 3 hours.
So according to this, if Caddy provides an option to assign each domain name to a specific account ID, we could potentially manage 150K domains per 3 hours.
How can we do that?
Caddy already has the “ask” option that checks if the domain is valid or not. What if this page could also return the account ID that this domain is related to?
I’d be happy to hear what you think, and my company can sponsor this kind of feature if it’s something you guys decide is a good idea.
I have considered automatically generating accounts for purposes of scaling (note that the creation of accounts is also rate limited, btw) – but I am conflicted because it seems to go against the grain of what Let’s Encrypt intended.
But on the other hand, part of me is totally okay with this because Let’s Encrypt has rate limits, so they won’t let you create more accounts than they want you to create. That makes it seem acceptable.
Then again, Let’s Encrypt has a formal method for large integrators like yourself, as documented on that page you link to:
If you are a large hosting provider or organization working on a Let’s Encrypt integration, we have a rate limiting form that can be used to request a higher rate limit. It takes a few weeks to process requests, so this form is not suitable if you just need to reset a rate limit faster than it resets on its own.
So, I dunno. I guess it comes down to whether their rate limits are Speed Limits or just safety nets against buggy code/deployments? If they’re Speed Limits, then by all means we can go up to the speed limit. If they’re just a safety net, then it’s probably not the best idea to try to create so many accounts like that.
I’d be happy to work on this if Let’s Encrypt approves of it. Have you considered asking on their forums if your idea is OK with them? If so, then I’ll get to work on it with your company’s sponsorship. My guess, though, is that they’ll ask you to fill out that form.
Another option is ZeroSSL, which doesn’t have tight rate limits, but also can be slower (for the time being).
@job_noam from here Rate Limits - Let's Encrypt there is this
" If you are a large hosting provider or organization working on a Let’s Encrypt integration, we have a rate limiting form that can be used to request a higher rate limit. It takes a few weeks to process requests, so this form is not suitable if you just need to reset a rate limit faster than it resets on its own."
I tell you what, all my domains are customer domains, so in reality, I needed to send every request with the customer email (account), just like we’re doing when we order him the domain.
They put account limits for a reason. They inform customers of these limits, so that every customer can decide how they want to operate within them.
I’ll also ask it in their forum so you can see what people are saying.
I have filled out this form four times in the past two years, but I have never received a response. And also the upgraded rate limit is still low, from what I can tell in their form.
They claim not to have a rate limit, but they do. I have also experienced this firsthand, as their responses slowed down (and then blocked) even faster than those of Let’s Encrypt.
I have filled out this form four times in the past two years, but I have never received a response. And also the upgraded rate limit is still low, from what I can tell in their form.
My guess, though, is that they’ll ask you to fill out that form.