On Wed, Jan 09, 2019 at 01:28:29PM -0700, Grant Taylor wrote:
> On 01/09/2019 06:11 AM, John Levine wrote:
> > Yes, I know. The chances of verifying 80 names in a row without one of
> > them glitching does not seem high. I'd probably get rate limited first.
> > The usual LE rollover for a single cert starts quite a long time before
> > the old cert expires so if it fails, you can try again tomorrow.
>
> I thought the rate limit was the number of certs /issued/ a week. So I
> would expect that validation failure before issuance wouldn't count against
> the rate limit.
AFAIK, the relevant Let's Encrypt limits are:

- Maximum of 50 certificates per eTLD+1 per 7 days (each certificate counts once per eTLD+1 in it, regardless of whether there are 1 or 100 such names).
- Maximum of 100 names per certificate.
- Maximum of 5 failed validations per name per hour.
- Maximum of 300 orders in 3 hours (IIRC, any order counts, not just the new ones). Each order gives a maximum of 1 certificate.

The way transient glitches should be handled is that the next validation only revalidates the ones that failed last time, giving a pretty high chance of success if the faults were indeed transient (and since this happens in >1h, the previous failed validations expire). It is the non-transient failures that are more annoying.

However, many ACME clients are just too primitive to get the previous right. And very few can get the last one right if one uses pre-canned CSRs.

-Ilari

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
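One way a client could implement the retry behaviour Ilari describes above (revalidate only the names that failed last time, and leave a name alone once it has hit the 5-failed-validations-per-hour limit until that window clears). This is an added illustration, not code from the thread or from any ACME client: the ValidationPlanner class, the validation_round helper and the one-hour window are my own assumptions, and the validate callback stands in for the real ACME challenge round-trip.

```python
from collections import deque
from datetime import datetime, timedelta

# Limit as stated in the message above; treat it as an assumption and
# check Let's Encrypt's published policy before relying on it.
FAILED_VALIDATIONS_PER_NAME_PER_HOUR = 5
WINDOW = timedelta(hours=1)


class ValidationPlanner:
    """Remembers which names validated and when each name last failed."""

    def __init__(self):
        self.failures = {}      # name -> deque of failure timestamps
        self.validated = set()  # names whose challenge already succeeded

    def recent_failures(self, name, now):
        """Count failures for `name` inside the trailing one-hour window."""
        q = self.failures.setdefault(name, deque())
        while q and now - q[0] >= WINDOW:   # expire failures older than 1h
            q.popleft()
        return len(q)

    def record(self, name, ok, now):
        if ok:
            self.validated.add(name)
        else:
            self.failures.setdefault(name, deque()).append(now)

    def pending(self, names):
        """Names still lacking a successful validation, in order."""
        return [n for n in names if n not in self.validated]

    def retry_set(self, names, now):
        """Split pending names into (retry now, deferred until window clears)."""
        retry, deferred = [], []
        for n in self.pending(names):
            limit = FAILED_VALIDATIONS_PER_NAME_PER_HOUR
            (retry if self.recent_failures(n, now) < limit else deferred).append(n)
        return retry, deferred


def validation_round(planner, names, validate, now):
    """Run one round: re-validate only names that are pending and not
    rate-limited. `validate(name, now) -> bool` is a hypothetical callback
    standing in for the real ACME challenge round-trip."""
    retry, deferred = planner.retry_set(names, now)
    for n in retry:
        planner.record(n, validate(n, now), now)
    return retry, deferred
```

Names that validated in an earlier round are never re-challenged, so a single glitching name out of 80 costs one extra round rather than 80 more validations.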
