Rate limit documentation missing overall request rate limits #2450
There's apparently a request-per-IP-per-endpoint rate limit that Let's Encrypt hasn't publicized and lekube was hitting it by doing authorizations in parallel. Related ticket for boulder: letsencrypt/boulder#2450
From the
The request-per-IP-per-endpoint limit is being applied before the WFE.
Okay! If it's the deal, it's set pretty low when, say, calling for the authorizations of a cert with a number of domains in it in parallel.
@jmhodges That's fair feedback. I expect we're going to be revisiting the specific limit thresholds after the holiday period. In the meantime I'll get the existing limits on the docs page - it's no fun hitting undocumented rate limits.
Opened letsencrypt/website#118 for adding the limits as they exist today to the rate limits documentation.
letsencrypt/website#118 was merged. Website should be updated with the new rate limits documentation in the next while.
It seems that sending HEAD to https://acme-v01.api.letsencrypt.org/acme/new-authz can, in some cases, cause you to hit some rate limit and get a 429 returned. That's unexpected for HEAD since HEAD is equivalent to a GET, not POST, and shouldn't be causing any writes to occur. I'm not clear on why the wfe code for NewAuthorization and method handling aren't catching this first, but they aren't.
I ran into this because the 429's do not have a replay-nonce response header on them and crypto/acme was breaking on that. I have a ticket for crypto/acme on this, but this seems like it ought to be fixed both there and in boulder itself.
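The failure mode described in this issue, a 429 on HEAD that carries no Replay-Nonce header, sketched as an added example that is not code from crypto/acme, boulder or anyone in this thread. `fetchNonce`, `newFakeEndpoint`, the `Retry-After` value and the one-second floor are assumptions made for illustration; the fake endpoint is constructed and does not reproduce boulder's behaviour.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// fetchNonce HEADs url and returns Replay-Nonce, checking the status before the header.
func fetchNonce(c *http.Client, url string, attempts int, sleep func(time.Duration)) (string, error) {
	for i := 0; i < attempts; i++ {
		resp, err := c.Head(url)
		if err != nil {
			return "", err
		}
		resp.Body.Close()
		if resp.StatusCode == http.StatusTooManyRequests { // may carry no nonce
			secs, err := strconv.Atoi(resp.Header.Get("Retry-After"))
			if err != nil || secs < 1 {
				secs = 1 // assumed floor when Retry-After is absent or unusable
			}
			sleep(time.Duration(secs) * time.Second)
			continue
		}
		if nonce := resp.Header.Get("Replay-Nonce"); nonce != "" {
			return nonce, nil
		}
		return "", fmt.Errorf("status %d without Replay-Nonce header", resp.StatusCode)
	}
	return "", fmt.Errorf("still rate limited (429) after %d attempts", attempts)
}

// newFakeEndpoint (constructed, not boulder): `limited` nonce-less 429s, then a nonce.
func newFakeEndpoint(limited int) *httptest.Server {
	seen := 0
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if seen++; seen <= limited {
			w.Header().Set("Retry-After", "2")
			w.WriteHeader(http.StatusTooManyRequests)
			return
		}
		w.Header().Set("Replay-Nonce", "constructed-nonce")
	}))
}

func main() {
	fmt.Println(fetchNonce(http.DefaultClient, newFakeEndpoint(2).URL, 5, func(time.Duration) {}))
}
```

Passing `time.Sleep` as the last argument makes the client actually wait between attempts; the no-op used in `main` only keeps the demonstration fast.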