Letsencrypt rate limiting at 1 per 10 minutes?

Richard_Stupek · 2018-05-15 19:04:17 UTC

I’m trying to figure out why the following is in the code

mholt/caddy/blob/master/caddytls/handshake.go#L333


	failedIssuanceMu.RUnlock()
	if ok {
		return fmt.Errorf("%s: throttled; refusing to issue cert since last attempt on %s failed", name, when.String())
	}


	// Make sure, if we've issued a few certificates already, that we haven't
	// issued any recently
	lastIssueTimeMu.Lock()
	since := time.Since(lastIssueTime)
	lastIssueTimeMu.Unlock()
	if atomic.LoadInt32(&cfg.OnDemandState.ObtainedCount) >= 10 && since < 10*time.Minute {
		return fmt.Errorf("%s: throttled; last certificate was obtained %v ago", name, since)
	}


	// Good to go 👍
	return nil
}


// obtainOnDemandCertificate obtains a certificate for name for the given
// name. If another goroutine has already started obtaining a cert for
// name, it will wait and use what the other goroutine obtained.

It seems that you’re rate limiting to one certificate issued every 10 minutes after the first 10?

matt · 2018-05-15 19:36:26 UTC

Yep, the rate limits for on-demand TLS are documented here: https://caddyserver.com/docs/automatic-https#on-demand

Richard_Stupek · 2018-05-15 19:40:02 UTC

Ok. Why one every 10 minutes after the first 10? There isn’t any way to configure it right?

matt · 2018-05-15 19:58:47 UTC

To prevent abuse. And no, it can’t be configured. But you can use the ask subdirective to do your own abuse prevention.

oliverdunk · 2018-05-20 12:45:01 UTC

Hey @matt ! This feature is really exciting for a project that I’m working on. I want to enable HTTPS for the custom domains added by users to my SaaS app.

I was just wondering if I am ok to tweak these rate limits by modifying the source, or if that is a very bad idea? In particular:

Remove the hard limit on the number of certificates.
After the first ten, allow one certificate to be requested each minute, rather than one every ten.

The above would be following these assumptions:

There are no failed validations, or they are at least rare, because my ask endpoint will only return a 200 if the DNS is setup correctly.
The number of requests by a given user or for a given domain name is extremely limited by the ask endpoint, say five domain changes per user per week.

I understand why the rate limits are in place in the source and am not suggesting that these are changed for those using Caddy out of the box. I was just wondering if changing them for our own usage is ok or if we should be looking at making a custom Caddyfile loader instead?

Whitestrake · 2018-05-20 13:44:24 UTC

Just my 2c… There’s two questions there - can you, and should you?

Firstly, yeah, sure - the code is all Apache licensed, you’re allowed to modify it for your usage.

Secondly, it’s there to protect both LetsEncrypt’s endpoint from abuse, and Caddy’s users from rate limits - so as long as you’re aware of the responsibility you’re taking into your own hands - that is, to be fair to LE’s ACME server, and to avoid being rate-limited - the choice is ultimately yours.

oliverdunk · 2018-05-20 13:48:08 UTC

Thanks @Whitestrake, that makes sense.

If you don’t mind me rephrasing the question: would you, wanting to achieve the feature I am suggesting, do what I am proposing?

My main reason for asking here is because I appreciate the limit is there for a reason and am wondering if there is a better way. Based on what you have said I think I am making the right decision here but I would appreciate any feedback if you disagree

Whitestrake · 2018-05-20 13:50:57 UTC

Yeah, probably. I don’t think there are two ways about it; if you need more certs than the current cap, you need to remove the cap, and the above code is where you do it. The technical part is pretty straight-forward.

The rate limits are all published, so if you make sure the endpoint you’re using for ask validation keeps those in mind, you’ll have no problems.

matt · 2018-05-20 14:54:20 UTC

I would just set up an ask endpoint that does the rate limiting or whatever other checks you want, then you can use stock binaries/source code. Those limits you proposed sound fine; it ultimately depends on your threat model – just having some limits in place is a huge net positive, so that’s good.