Let's Encrypt ups rate limits

Let's Encrypt has revised its rate limits to make life easier for large organisations and hosting providers who use its services. The certificate authority set up rate limits for cert creation as a defence against hacker interference and denial of service attacks. However, the limitation created problems for internet service …

  1. Pomgolian

    Maybe...

    ...they could reduce the traffic by 75% if they allowed annual renewal rather than three months which comes around all too soon... or maybe even allow wildcard certificates which would render the "20 certificates per domain" limit moot.

    1. MatthewSt

      Re: Maybe...

      They'd reduce cert generation traffic yes, but they'd increase the amount of processing required on the certificate revocation list. Although I'd imagine this rate limit has less to do with server load and more just stopping people doing stupid things with it. How many certificates do the "paid for" providers let you issue and re-issue?

      Once you get the SSL certificate set up to automatically renew you don't even notice, and it means that someone doesn't have to spend 1 day a year (or maybe 2 years) trying to work out how and where you go about renewing a certificate (which is what we used to have to do).

    2. sbivol

      Re: Maybe...

      The LE docs say that "you can issue certificates containing up to 2,000 unique subdomains per week" (100 subdomains * 20 certificates), and this limit excludes renewals. Each week, you get to issue 20 additional certificates, meaning that you'd get up to ~8,000 new subdomains certified per month.

      This is plenty, no matter how fast your forest of subdomains is growing.

    3. Richard Lloyd

      90 day limit is to encourage automation

      If you only had to renew certs every year, a fair chunk of admins wouldn't even bother installing a cron job to run the certbot script to do auto-renewals. One of the major goals of Let's Encrypt is automation - get the initial cert and then forget about renewals because a cron job will handle those automatically (if the renewals fail, Let's Encrypt will email you automatically if expiry is getting close for any cert). A short expiry period really does focus the mind on getting the automation working.

      I think Let's Encrypt is an idea that's been long overdue - the commercial secure cert market is a licence to print money, especially where the entire process is automated and rarely involves a human on the cert vendor side. As for Extended Validation certs, this seems to be an excuse to charge double for one or two extra checks that probably take less than a minute each...

  2. Anonymous Coward

    > if they allowed annual renewal

    https://letsencrypt.org/2015/11/09/why-90-days.html

  3. DougMac

    certbot really is simple to make automatic updates.

  4. Anonymous Coward

    Whatever you use for the auto-renewals

    Avoid their "official" solution. It's overcomplicated and insists on requiring root.

    Thankfully by now there is a good choice of other solutions, many of them simply Bash scripts, which can run from anywhere, are easy to configure, and do not require root. I run the renewals as an unprivileged user, then have a root script which a few hours later will move the new certs to the right place.
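The privilege split described in the comment above (an unprivileged account runs the renewals, root later moves the files into place) is an arrangement where the root-side script is the sensitive part, because it takes input from a directory another user controls. The script below is an added example, not from the original thread or from any ACME client; the staging directory, target directory and file names are assumptions.

```shell
#!/bin/sh
# Hypothetical root-side deploy step: an unprivileged user has written a fresh
# fullchain.pem and privkey.pem into a staging directory; root copies them to
# the live location. Constructed example; all paths are assumptions.

# check_pem FILE HEADER_REGEX
# Refuse anything in the user-controlled staging dir that is not a plain
# regular file: if root followed a symlink planted by the unprivileged
# account, that account could make root read or overwrite arbitrary files.
# A header check catches an obviously wrong file being handed over.
check_pem() {
    f="$1"; pat="$2"
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2; return 1
    fi
    if ! head -n 1 "$f" | grep -qE -- "$pat"; then
        echo "refusing $f: unexpected PEM header" >&2; return 1
    fi
}

# deploy_certs STAGING_DIR TARGET_DIR
# Copies the pair into TARGET_DIR with restrictive modes, keeping a backup
# of the previous pair so a bad deploy can be rolled back.
deploy_certs() {
    src="$1"; dst="$2"
    check_pem "$src/fullchain.pem" '^-----BEGIN CERTIFICATE-----$' || return 1
    check_pem "$src/privkey.pem" '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' || return 1
    mkdir -p "$dst" || return 1
    for n in fullchain.pem privkey.pem; do
        if [ -f "$dst/$n" ]; then cp -p "$dst/$n" "$dst/$n.bak" || return 1; fi
    done
    # install(1) writes a new copy with the given mode (key is root-only),
    # so the live files never inherit permissions from the staging dir.
    install -m 0644 "$src/fullchain.pem" "$dst/fullchain.pem.new" || return 1
    install -m 0600 "$src/privkey.pem"   "$dst/privkey.pem.new"   || return 1
    # rename is atomic, so a server reloading mid-deploy never sees a partial file
    mv "$dst/fullchain.pem.new" "$dst/fullchain.pem" || return 1
    mv "$dst/privkey.pem.new"   "$dst/privkey.pem"
}

# Usage (as root, from cron): deploy_certs /home/acme/staging /etc/ssl/live
```

A window remains between the symlink check and the copy, so the staging directory should be one only the renewal account can write to.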
