Skip to content

Update rate limits doc for IP address identifiers#1933

Merged
jprenken merged 2 commits intomainfrom
ip-ratelimits
Jun 16, 2025
Merged

Update rate limits doc for IP address identifiers#1933
jprenken merged 2 commits intomainfrom
ip-ratelimits

Conversation

@jprenken
Copy link
Copy Markdown
Contributor

@jprenken jprenken commented Jun 12, 2025

Update docs/rate-limits.md to replace most uses of the word "hostname" with "identifier," and clarify at relevant points that certificates may contain IP address identifiers.

This includes most rate limit names in the doc, since they already differ slightly from what's returned by the API. This does not yet include "registered domains," since that phrase closely tracks what the API uses and has not yet renamed.

Also, replace "smart apostrophes" with ASCII apostrophes, since their usage was already inconsistently mixed throughout the doc.

aarongable
aarongable reviewed Jun 13, 2025
View reviewed changes
Comment thread content/en/docs/rate-limits.md Outdated
Comment thread content/en/docs/rate-limits.md Outdated
Comment thread content/en/docs/rate-limits.md Outdated
Comment thread content/en/docs/rate-limits.md Outdated
Comment on lines +107 to +109
If you're requesting a certificate for an IP address, this rate limit evaluates
an IPv4 address as if it's a registered domain. For IPv6 addresses, it evaluates
the /64 range that contains the address.
Copy link
Copy Markdown
Contributor

@aarongable aarongable Jun 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This phrasing feels awkward to me for some reason. It definitely works, but I'm gonna try to brainstorm something different. Maybe:

For IP addresses, we also try to treat the usual unit of sale (what you'd buy from your ISP or hosting provider) as the "registered domain". So for IPv4 addresses, we treat the exact address as the registered domain, and for IPv6 addresses, we treat the containing /64 range as the registered domain.

Does that sound better? I'm honestly not sure.

Copy link
Copy Markdown
Contributor Author

@jprenken jprenken Jun 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mashed these up a little. I wanted to keep the first clause to try to minimize anticipated confusion about the client's IP address connecting to the API (not this rate limit) vs. an IP address identifier in the certificate (yes this rate limit).

@jprenken jprenken requested a review from aarongable June 13, 2025 00:25
@jprenken jprenken merged commit 7638a34 into main Jun 16, 2025
5 checks passed
@jprenken jprenken deleted the ip-ratelimits branch June 16, 2025 17:40
@beautifulentropy beautifulentropy mentioned this pull request Jan 26, 2026
Merged
jsha pushed a commit to letsencrypt/boulder that referenced this pull request Jan 26, 2026
@beautifulentropy
ratelimits: Fix docs urls for two rate limits (#8596)
e90e9ce 
A previous website pull request
(letsencrypt/website#1933) modified
documentation anchor links so they no longer align with those referenced
in Boulder error messages.

Update documentation hyperlinks in Boulder errors to match the website
changes:
-
https://letsencrypt.org/docs/rate-limits/#authorization-failures-per-identifier-per-account
-
https://letsencrypt.org/docs/rate-limits/#new-registrations-per-ip-address
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aarongable aarongable aarongable approved these changes

@beautifulentropy beautifulentropy beautifulentropy approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jprenken @aarongable @beautifulentropy