Rate limits WRT subdomains and multiple hosts

[talolard]

First of all this project is fantastic, thank you!
#274 touches on the questions but not quite clear.
In my use case each of my users lives on their own subdomain
userA.example.com
userB.example.com etc

And I'm running a separate stack for each of them using nginx-proxy to route to them.

No one is routed to the base domain example.com

Does that mean that a different certificate will be issued for each subdomain ? Since LetsEncrypt rate limits on the base domain (example.com) will I be hitting rate limits?
If so is their a way to avoid this?

Second,
If we run this stack on multiple hosts each host will get its own certificate, I assume this will also hit a rate limit. I'm thinking of mounting the volumes from a distributed file system (EFS), is their another solution / best practice ?

[buchdag]

The official LE rate limits doc might be clearer than #274

More specifically:

The main limit is Certificates per Registered Domain, (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.

If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate. Combined with the above limit, that means you can issue certificates containing up to 2,000 unique subdomains per week. A certificate with multiple names is often called a SAN certificate, or sometimes a UCC certificate.

So 20 or 2000 new users a week depending on wether you use discrete certificates for each user's subdomain or group them into SAN certificates ...

BUT currently the project handles ACME account registration in a simplistic way: it creates a new account for each new base domain, no matter what. If you request 20 discrete certificates, you'll end up with 20 accounts key. And guess what, there is rate limiting on this too.

You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design using one account for many customers.

So you might hit the 10 accounts per IP Address per 3 hours limit if you generate your 20 allowed certs per Registered Domain per week at once on the same host, or more probably if you use test certificates (because these too register new accounts, whose keys are wiped when you switch to production certificate). I use my own modified version of this project to circumvent this (it attempt to re-use a single account key for all domains and certificates).

I'm thinking of mounting the volumes from a distributed file system (EFS), is their another solution / best practice ?

Take a look at Docker Volume plugins.

[pascal-linux]

Hi,
I am using frontproxy and your great letsencrypt-companion for several docker instances on one host.
I am having a comparable question / problem:
How should I indicate within the docker-compose.yml the main domain if I use several subdomains (in different dockers) based on the same second level domain?
Example:
Docker 1 : docker-compose.yml: <Application 1>
...
- VIRTUAL_HOST=example.de,sub1.example.de,sub2.example.de
- LETSENCRYPT_HOST=example.de,sub1.example.de,sub2.example.de
...
Docker 2 : docker-compose.yml: <Application 2>
...
- VIRTUAL_HOST=example.de,sub3.example.de,sub4.example.de
- LETSENCRYPT_HOST=example.de,sub3.example.de,sub4.example.de

((This could even be more complicated if I also want "example.com" to point to the same host/docker, i.e.
- VIRTUAL_HOST=example.de,example.com,sub3.example.de,sub4.example.de,sub3.example.com,sub4.example.com
- LETSENCRYPT_HOST=example.de,example.com,sub3.example.de,sub4.example.de,sub3.example.com,sub4.example.com

My problem is that when the SSL is created for the "application 2" the SSL-certificates for "application 1" gets lost / is no longer valid.

Maybe it is not OK to set the "main domain" (example.de and/or example.com) as first entries in both docker-compose??

Thanks a lot,
Pascal