Letsencrypt rate limiting at 1 per 10 minutes?


(Richard Stupek) #1

I’m trying to figure out why the following is in the code

It seems that you’re rate limiting to one certificate issued every 10 minutes after the first 10?


(Matt Holt) #2

Yep, the rate limits for on-demand TLS are documented here: https://caddyserver.com/docs/automatic-https#on-demand


(Richard Stupek) #3

Ok. Why one every 10 minutes after the first 10? There isn’t any way to configure it right?


(Matt Holt) #4

To prevent abuse. And no, it can’t be configured. But you can use the ask subdirective to do your own abuse prevention.


(Oliver Dunk) #5

Hey @matt ! This feature is really exciting for a project that I’m working on. I want to enable HTTPS for the custom domains added by users to my SaaS app.

I was just wondering if I am ok to tweak these rate limits by modifying the source, or if that is a very bad idea? In particular:

  • Remove the hard limit on the number of certificates.
  • After the first ten, allow one certificate to be requested each minute, rather than one every ten.

The above would be following these assumptions:

  • There are no failed validations, or they are at least rare, because my ask endpoint will only return a 200 if the DNS is setup correctly.
  • The number of requests by a given user or for a given domain name is extremely limited by the ask endpoint, say five domain changes per user per week.

I understand why the rate limits are in place in the source and am not suggesting that these are changed for those using Caddy out of the box. I was just wondering if changing them for our own usage is ok or if we should be looking at making a custom Caddyfile loader instead?


(Matthew Fay) #6

Just my 2c… There’s two questions there - can you, and should you?

Firstly, yeah, sure - the code is all Apache licensed, you’re allowed to modify it for your usage.

Secondly, it’s there to protect both LetsEncrypt’s endpoint from abuse, and Caddy’s users from rate limits - so as long as you’re aware of the responsibility you’re taking into your own hands - that is, to be fair to LE’s ACME server, and to avoid being rate-limited - the choice is ultimately yours.


(Oliver Dunk) #7

Thanks @Whitestrake, that makes sense.

If you don’t mind me rephrasing the question: would you, wanting to achieve the feature I am suggesting, do what I am proposing?

My main reason for asking here is because I appreciate the limit is there for a reason and am wondering if there is a better way. Based on what you have said I think I am making the right decision here but I would appreciate any feedback if you disagree :slight_smile:


(Matthew Fay) #8

Yeah, probably. I don’t think there are two ways about it; if you need more certs than the current cap, you need to remove the cap, and the above code is where you do it. The technical part is pretty straight-forward.

The rate limits are all published, so if you make sure the endpoint you’re using for ask validation keeps those in mind, you’ll have no problems.


(Matt Holt) #9

I would just set up an ask endpoint that does the rate limiting or whatever other checks you want, then you can use stock binaries/source code. Those limits you proposed sound fine; it ultimately depends on your threat model – just having some limits in place is a huge net positive, so that’s good.