I just received a new rate limit from Let’s Encrypt, and when I tested it I found that I am still limited.
After taking a look at the logs, I discovered that I am limited by Caddy and not by Let’s Encrypt.
After searching the forum, I found this:
These two variables enforce the limit: RateLimitEvents and RateLimitEventsWindow.
So there are two issues here:
People who receive a new rate limit will still be limited by Caddy.
The last time Let’s Encrypt needed to revoke millions of certificates in a short time, they increased the rate limit for all users from 300 new orders to 1000. This means that next time it happens, Caddy users will still be limited and will not understand why.
I recommend keeping the variables in place but providing an option to control them from the Caddyfile.
This internal rate limit (it is more like a throttle, really) allows 600 events per hour, still higher than LE’s rate limits during mass revocation events. (Note that theirs is normally 300 per 3 hours.)
Are you finding that this rate limit is still too low for your requirements? That would be a first, even for deployments with hundreds of thousands of sites.
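To make the numbers in this thread concrete, here is an added, self-contained Go example (not Caddy's or CertMagic's code, and not the implementation behind RateLimitEvents / RateLimitEventsWindow) of an "N events per sliding window" throttle. It then runs two constructed workloads, 1000 orders issued within one hour and 1000 orders spread over three hours, through three assumed policies taken from the figures quoted above: a 600-per-hour throttle, Let's Encrypt's usual 300 new orders per 3 hours, and the 1000 per 3 hours mentioned for a mass revocation. The policy names, the workloads and the simulation helper are assumptions for illustration only.

```go
package main

import (
	"fmt"
	"time"
)

// EventThrottle admits at most maxEvents events in any sliding window of
// length window. Added illustration of an "N events per window" limit; it is
// NOT Caddy's or CertMagic's own implementation, and the figures used below
// are assumptions taken from the forum thread, not from those projects.
type EventThrottle struct {
	maxEvents int
	window    time.Duration
	stamps    []time.Time // times of admitted events, oldest first
}

func NewEventThrottle(maxEvents int, window time.Duration) *EventThrottle {
	return &EventThrottle{maxEvents: maxEvents, window: window}
}

// Allow reports whether an event occurring at now is admitted and records it
// if so. Rejected events are not recorded, so they do not consume budget.
func (t *EventThrottle) Allow(now time.Time) bool {
	cutoff := now.Add(-t.window)
	// Drop admitted events that have aged out of the window (stamp <= cutoff).
	drop := 0
	for drop < len(t.stamps) && !t.stamps[drop].After(cutoff) {
		drop++
	}
	t.stamps = t.stamps[drop:]
	if len(t.stamps) >= t.maxEvents {
		return false
	}
	t.stamps = append(t.stamps, now)
	return true
}

// RetryAfter is how long a caller rejected at now must wait before Allow can
// succeed again, assuming nothing else is admitted meanwhile: a slot frees up
// when the oldest admitted event leaves the window.
func (t *EventThrottle) RetryAfter(now time.Time) time.Duration {
	if len(t.stamps) < t.maxEvents {
		return 0
	}
	d := t.stamps[0].Add(t.window).Sub(now)
	if d < 0 {
		return 0
	}
	return d
}

// Admitted simulates n events spaced evenly across span (first at the start,
// last just before the end) and returns how many a (maxEvents, window)
// throttle admits when rejected events are simply dropped, not retried.
func Admitted(maxEvents int, window time.Duration, n int, span time.Duration) int {
	t := NewEventThrottle(maxEvents, window)
	start := time.Unix(0, 0)
	admitted := 0
	for i := 0; i < n; i++ {
		at := start.Add(span * time.Duration(i) / time.Duration(n))
		if t.Allow(at) {
			admitted++
		}
	}
	return admitted
}

func main() {
	// Assumed policies, using the figures quoted in the thread. Workloads are
	// constructed: 1000 orders within one hour, and 1000 spread over three.
	policies := []struct {
		name   string
		max    int
		window time.Duration
	}{
		{"throttle 600/1h", 600, time.Hour},
		{"LE normal 300/3h", 300, 3 * time.Hour},
		{"LE raised 1000/3h", 1000, 3 * time.Hour},
	}
	for _, p := range policies {
		fmt.Printf("%-18s 1000 orders in 1h -> %4d admitted; 1000 orders in 3h -> %4d admitted\n",
			p.name,
			Admitted(p.max, p.window, 1000, time.Hour),
			Admitted(p.max, p.window, 1000, 3*time.Hour))
	}
}
```

The simulation shows both sides of the discussion above at once: spread over three hours, a 600-per-hour throttle admits all 1000 orders while a 300-per-3-hours limit admits 300, so the throttle's sustained capacity is the higher of the two; compressed into a single hour, the same throttle admits 600 while a raised 1000-per-3-hours limit admits all 1000, which is the situation where a client with an elevated upstream limit would be held back by the local throttle first.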