Rate Limits Question

If I hit a rate limit on Caddy or Let’sEncrypt. Will caddy retry to get the cert when it can?


Ah nevermind i think i just found my answer

Here's what happens if there's an error obtaining or renewing a certificate:

Caddy retries once after a brief pause just in case it was a fluke
Caddy pauses briefly, then switches to the next enabled challenge type
After all enabled challenge types have been tried, it backs off exponentially
Maximum of 1 day between attempts
For up to 30 days

How did you get rate limited?

The most recent versions of Caddy should mostly (but not completely) avoid this by switching to the staging endpoint during retries.

I suppose one way you could still get rate limited is by restarting the process a lot.

Oh I didn’t.

It was just a question. I’m implementing a custom domain feature and trying to decide if I should just put the host name in caddy and let caddy try to get the cert. Or if I make sure the CNAME entry has propagated before inserting into my config.


If you’re not sure, always switch to staging first. Caddy’s failover is not perfect in this regard because of how complex some of the logic is, so if you know ahead of time that the DNS isn’t ready, just test on staging.

If you don’t control the domains and aren’t sure when they will be properly configured, you can use on-demand TLS instead. However, on-demand TLS doesn’t do retries since it happens in the foreground.

Interesting. When you say that on demand doesn’t do retries do you mean it will try on the first handshake and if it fails then the handshake will fail. But if you refresh the page it will try again?

Yes. You can configure rate limits and/or an “ask” endpoint that tells Caddy whether it should be allowed to try to get a cert for the domain name.

That does seem a better way for my use case. Are there default limits if i don’t set them? Or what are some good defaults for me to set?


There aren’t, no – you’ll have to decide what is right for your use case.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.