Change to Let's Encrypt -- Rate Limiting
I have read in the recent update that the new default AutoSSL provider will be Let's Encrypt and that "Sectigo will eventually cease functioning in cPanel." The situation I have had in the past with Let's Encrypt is their rate limiting. I know they appear to have liberal issuance rates, but our situation seems to be more unique.
We host websites, and all websites start with free trial under a subdomain of our main website domain name. Customers can later park a registered domain that they own on their site if they so choose, or they can continue to use the subdomain address as long as we are hosting their site.
With 600+ sites currently being hosted, there are several hundred that have chosen not to use a registered domain and continue using a subdomain of our primary domain for their site. The issue this causes is that we eventually hit a rate limit with the subdomains of our primary domain.
We have hundreds of subdomains like yoursite.example.com, mysite.example.com, anothersite.example.com, etc. that coexist at one time with new ones being created daily. Each of these also has multiple hostnames per unique subdomain, such as mail.____, ftp.____, and cpanel._____. I assume those would only count towards the "100 Names per Certificate" limit, which I don't believe to be an issue here.
I don't expect that we are in danger of hitting the "300 New Orders per account per 3 hours" (that would be nice!), but in the past we have hit the "Certificates per Registered Domain" limit when I accidentally left the AutoSSL provider set to LE instead of Sectigo, and the scheduled SSL check script ran. I assume this is because the registered domain is our primary domain and has hundreds of sites, each using a unique subdomain of that same primary domain.
What happens if we have more than 50 accounts using subdomains that renew in the same week, receiving a *new issue* certificate from LE as they switch from their old expiring Sectigo certificate to a new Let's Encrypt certificate, now that LE is the selected provider? I believe this scenario is certainly possible. Apparently, once all sites are on LE, renewals will not be subject to that same rate limit, so that part doesn't appear to be a concern. But the migration period from Sectigo to LE is a concern, as many subdomains could be affected in the same week.
We could potentially have many sites needing to wait a week for the rate limit to expire, during which their site won't work as the sites use https:// links once a certificate has been issued (which is normally done within a few minutes of site creation). Being down for a week is not an option for potentially dozens of customers.
I have explained this many-subdomains-of-one-primary-domain usage case to LE in the past, requesting an increase in the rate limit for our account, but we were denied.
How can I avoid this rate limit issue as sites begin to renew and receive new certificates from LE en masse?
-
Hey there! From our side, there currently isn't a way to avoid the rate limit. I know we're discussing increasing that limit with them as we shift them to be our main SSL provider, but I don't know for sure if or when that will actually happen at this point.
-
That's a shame. This change has the potential to severely impact my business if my customers' sites start losing their SSL certificates and they can't be renewed due to the rate limits of the only provider cPanel will support. I wish cPanel had considered these limitations and their impacts on customers before deciding to make Let's Encrypt their sole provider.
-
Disabling Sectigo/cPanel certs and switching to Let's Encrypt literally destroyed the idea because of the rate limit... main accounts named like user.hoster.com are also rate limited, because not only the requester IP but the hoster domain is limited too!
-
This. I have hundreds of accounts that are hosted under subdomains of my primary domain. Those customers don't want to have a unique registered domain; they are content to use a free subdomain for their sites. Those are all falling under the domain rate limit which I didn't have to worry about under Sectigo. Not to mention all the potential customers who start trial accounts to eval my service. Those are under a subdomain and get an SSL certificate during the trial, even if it won't be used long term. But it counts against the rate limits...
On the bright side, Let's Encrypt has typically been more reliable at issuing certificates quickly.
-
Let's Encrypt has a form where you can request an increase for a common domain:
https://isrg.formstack.com/forms/rate_limit_adjustment_request
While this isn't a global solution for all domains, it would solve issues similar to what Vinnie Murdico is seeing where one domain has a very large number of subdomains.
-
Today I reached 34 domains parked in my main account and this message came out... I don't know how to do it.
This is really a big problem:
WARN Provider's per-certificate domain count limit: 100
WARN "Let's Encrypt™" cannot secure all of "example.com"'s domains. Remove domains from "example.com" to fix this.