Let's Encrypt Reference Sheet
This page documents useful reference information regarding the specifics of the Let's Encrypt CA (LE) service. The information here was current at the time it was updated, but may be out of date. Always see the source material for the official details.
Full details can be found here.
Metric | PROD | STAGE |
---|---|---|
Certs/Registered Domain/Week | 20 | 30,000 |
Duplicate Certificate/Week | 5 | 30,000 |
Max Registrations/IP Address/Hour | 500 | 500 |
Max Pending Authorizations | 300 | 300 |
Max Failed Validations | 5 | > 5 |
- LE uses a sliding window for rate limiting, so if you hit a limit during the week, the limit is relaxed one week after the metric started accumulating -- not one week from the time you hit the limit.
- Registered domains are the part of the domain you pay a registrar for, as determined by the Public Suffix List.
- Certs are considered Duplicate Certs if they have the exact same names ignoring case and ordering.
- The "Failed Validations" limit is measured per account, per hostname, per hour.
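A client-side pre-check that applies the two weekly PROD limits and the sliding-window rule above to a local issuance log, so a renewal job can see a lockout coming before it asks the CA. This is an added example, not ACMESharp or Boulder code; it assumes a tiny stand-in for the Public Suffix List (`PUBLIC_SUFFIXES`), a constructed issuance history and the PROD figures from the table.

```python
"""Added client-side pre-check for the PROD rate limits tabulated above (not
ACMESharp code); assumes a stand-in PSL, constructed history and PROD limits."""
from datetime import datetime, timedelta

WEEK = timedelta(days=7)                   # LE counts on a sliding one-week window
CERTS_PER_REGISTERED_DOMAIN = 20           # PROD: Certs/Registered Domain/Week
DUPLICATE_CERTS = 5                        # PROD: Duplicate Certificate/Week
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}  # stand-in; real code needs the full PSL


def registered_domain(hostname: str) -> str:
    """The label directly below the longest matching public suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def name_set(names) -> frozenset:
    """Duplicate certs: identical name sets, ignoring case and order."""
    return frozenset(n.lower().rstrip(".") for n in names)


def check_request(names, history, now):
    """history: [(issued_at, names)]. Returns (tripped_limits, earliest_relief)."""
    recent = [(t, name_set(n)) for t, n in history if t > now - WEEK]
    requested, tripped, oldest = name_set(names), [], []
    dupes = [t for t, s in recent if s == requested]
    if len(dupes) >= DUPLICATE_CERTS:
        tripped.append("Duplicate Certificate/Week")
        oldest.append(min(dupes))
    for dom in {registered_domain(n) for n in requested}:
        hits = [t for t, s in recent if dom in {registered_domain(n) for n in s}]
        if len(hits) >= CERTS_PER_REGISTERED_DOMAIN:
            tripped.append(f"Certs/Registered Domain/Week ({dom})")
            oldest.append(min(hits))
    # The window slides: the oldest counted cert leaving it frees the first slot.
    relief = min(oldest) + WEEK if oldest else None
    return tripped, relief


NOW = datetime(2016, 9, 1, 12, 0)  # constructed reference time


def constructed_history():
    hist = [(NOW - timedelta(days=2, hours=i), ["www.example.com", "Example.COM"])
            for i in range(5)]                         # five duplicates in-window
    hist += [(NOW - timedelta(days=1, minutes=i), [f"host{i}.example.com"])
             for i in range(15)]                       # 15 more under example.com
    hist.append((NOW - timedelta(days=8), ["old.example.com"]))  # outside window
    return hist
```

Calling `check_request(["example.com", "www.example.com"], constructed_history(), NOW)` reports both weekly limits as tripped and the time the oldest in-window certificate ages out; the eight-day-old certificate is not counted.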
Entity | PROD | STAGE |
---|---|---|
Challenge Tokens | 1 week | ? |
Identifier Authorization [1] | 60 days [1] | |
Certificates | 90 days | 90 days |
[1] Identifier Authorizations originally expired after 10 months, but this was reduced to 60 days as part of a set of API changes rolled out in August 2016. Additionally, Authorizations that have more than 24 hours remaining until expiration are recycled on subsequent Identifier Authorization requests, as part of the new "Authorization Recycling" feature.
Feature | PROD | STAGE |
---|---|---|
SAN Names/Cert | 100 | 100 |
The Boulder CA server that powers the LE project diverges from the ACME spec in a few areas.
The complete list can be found here:
Some notable differences from this list:
- Boulder does not allow `tel` URIs in the registration's contact list.
- Boulder does not implement the `status`, `applications` or `certificates` fields in the registration object.
- Boulder does not implement the `new-application` resource. Instead it implements `new-cert`.
- Boulder does not provide a `Retry-After` header when a user hits a rate limit.
- Boulder uses a modified style of key roll-over.
- Boulder does not implement the `reason` field for the `revoke-cert` endpoint and defaults to `unspecified` for all requests.
- Boulder implements the `tls-sni-01` validation method and not `tls-sni-02`.
- Boulder does not implement the `oob-01` validation method.