We have a lot of domains on our servers and sometimes we hit the Let's Encrypt rate limit because we create more than 300 certificates in 3 hours.
Because we're using many Caddy servers (with the same storage) to serve our system, I thought maybe every server could have a different Let's Encrypt account in its own Caddyfile, and this way every server could handle 300 orders per 3 hours.
I wanted to know if this is possible.
And also, what happens if account A creates the SSL and account B is the one that needs to renew it?
Sometimes we have more than 300 new domains in 3 hours and then Let's Encrypt blocks us for a week.
What I already tried:
I thought I might give each server's Caddyfile a different email for Let's Encrypt, so I would have 300 orders for each server.
That means every server would create new SSLs with its own user, but the renewal could happen from any other server, i.e. from a different email than the one that created the SSL. Is that OK?
Can Caddy storage work with multiple users on the same storage?
First, I want to make sure we’re on the same page.
What evidence do you have of that? It's a 3-hour rate limit, not 1 week. So you can do 300 in the first 10 minutes, then be "blocked" for only the next 2 hours and 50 minutes. LE says they use a sliding window algorithm.
You can create a maximum of 300 New Orders per account per 3 hours. A new order is created each time you request a certificate from the Boulder CA, meaning that one new order is produced in each certificate request. Exceeding the New Orders limit is reported with the error message too many new orders recently.
and then they write:
If you’ve hit a rate limit, we don’t have a way to temporarily reset it. You’ll need to wait until the rate limit expires after a week. We use a sliding window, so if you issued 25 certificates on Monday and 25 more certificates on Friday, you’ll be able to issue again starting Monday. You can get a list of certificates issued for your registered domain by searching on crt.sh, which uses the public Certificate Transparency logs.
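As an added example (not code from this thread, from Let's Encrypt or from the Caddy project), here is a small Python check of how a sliding-window limit behaves, which is the kind of evidence matt is asking for: it counts orders in any trailing 3-hour window and works out when the next order would fit again. The order timestamps and the 300/3h figures are constructed from the numbers quoted above; in practice you would feed it order times taken from your Caddy logs or from the crt.sh listing for your registered domain.

```python
"""Sliding-window check for the "300 new orders per account per 3 hours" limit.

Added example, not from the forum thread or the Caddy project. The timestamps
below are constructed; real ones would come from Caddy's logs or from crt.sh.
"""
from bisect import bisect_right
from datetime import datetime, timedelta, timezone

NEW_ORDERS_LIMIT = 300        # Let's Encrypt: new orders per account per window
WINDOW = timedelta(hours=3)   # the sliding window the limit is measured over


def orders_in_window(orders, at, window=WINDOW):
    """Count orders with timestamp in (at - window, at]. `orders` must be sorted."""
    lo = bisect_right(orders, at - window)  # first order strictly newer than at - window
    hi = bisect_right(orders, at)           # one past the last order at or before `at`
    return hi - lo


def peak_usage(orders, window=WINDOW):
    """Return (peak_count, time_of_peak): the busiest window ending at an order time."""
    orders = sorted(orders)
    peak, when = 0, None
    for t in orders:
        n = orders_in_window(orders, t, window)
        if n > peak:
            peak, when = n, t
    return peak, when


def next_allowed(orders, now, limit=NEW_ORDERS_LIMIT, window=WINDOW):
    """Earliest time at which one more order fits under `limit`.

    With a sliding window, room appears as soon as enough of the oldest
    in-window orders age out, so a burst blocks you for at most one window.
    """
    orders = sorted(orders)
    lo = bisect_right(orders, now - window)
    hi = bisect_right(orders, now)
    recent = orders[lo:hi]
    if len(recent) < limit:
        return now
    # len(recent) - limit + 1 of the oldest recent orders must expire first;
    # the last of those (index len(recent) - limit) is the blocker.
    blocker = recent[len(recent) - limit]
    return blocker + window


if __name__ == "__main__":
    # Constructed scenario from the post: 320 orders in the first 10 minutes.
    start = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    burst = [start + i * (timedelta(minutes=10) / 320) for i in range(320)]
    now = start + timedelta(minutes=10)
    count, at = peak_usage(burst)
    print(f"peak: {count} orders in the window ending {at.isoformat()}")
    print(f"orders in last 3h at {now.time()}: {orders_in_window(burst, now)}")
    print(f"next order fits at: {next_allowed(burst, now).isoformat()}")
```

Run it against your own order times: if `peak_usage` never reaches 300 but you still see the 429, the limit being hit is not this one, and that is what to bring to the LE forum.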
Thank you @matt, I really appreciate that.
But I'm not sure the answer is right: I can't create a new SSL with Let's Encrypt, and it always goes to ZeroSSL.
All my logs are full of this error: "HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many new orders recently: see Rate Limits - Let's Encrypt"
I don’t use all the other options that can block my rate. No sub-domains, no new accounts…
Maybe you should reach out to them yourself on the LE forums and give them the details they need to look up your LE account, to see what rate limits you're actually hitting.
There’s not much we can do here, this isn’t really a Caddy problem per se.
Yes, I agree.
I just asked to see if Caddy can offer me a workaround to this rate limit issue.
My question is still relevant because my system hit the rate limit for some reason, and I need a solution so that it will not happen, even if it's only for 3 hours.