[Acme] Rate limits and ACME
Felipe Gasper <felipe@felipegasper.com> Tue, 23 July 2019 21:14 UTC
Return-Path: <felipe@felipegasper.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E8CF12039B for <acme@ietfa.amsl.com>; Tue, 23 Jul 2019 14:14:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=felipegasper.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EtwFAIyYvVy3 for <acme@ietfa.amsl.com>; Tue, 23 Jul 2019 14:14:42 -0700 (PDT)
Received: from web1.siteocity.com (web1.siteocity.com [67.227.147.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7DEA1202C3 for <acme@ietf.org>; Tue, 23 Jul 2019 14:14:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=felipegasper.com; s=default; h=To:Date:Message-Id:Subject:Mime-Version: Content-Transfer-Encoding:Content-Type:From:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=qyDCXRV0ZC/bJEBSF6ioCwYDd+4Yo1aaRuNphf6ZY2c=; b=D49HVzkcXDCb2ZgfcDBN7rapm0 5gQtB5JdV3eduH6ujHhN1dazdK0LRNBOn0SFnQboTddC0UrSl4O4e2K9a5KUpIIaB+Un5ZwSaowXd cLJ7JXvIkxce3ORnJPpgB5M14YS+oP7YxewmpcmCPCGHCxpomFbeLuZTqmhXlE06B6zM9CvwGdRte IiLf1lWMge2SMnv+WhAKPJPSMBXPyY5X/Bl4kNumls9BFE6wq15QIgZ0adrpw3J/eqXWfEheZH/7d giSIKMmL4LOF87zsattHSFwyqWfb0TbhNpZnsvjFsejaANkIKNfNrgjgQNGW3EzKCDM8tF/8bQCuU yz5kBLQQ==;
Received: from hou-2.nat.cptxoffice.net ([184.94.197.2]:58327 helo=[10.3.5.126]) by web1.siteocity.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92) (envelope-from <felipe@felipegasper.com>) id 1hq27L-000LgJ-P9 for acme@ietf.org; Tue, 23 Jul 2019 16:14:40 -0500
From: Felipe Gasper <felipe@felipegasper.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Message-Id: <611F1865-48C1-4F4F-B819-5D86E84EF620@felipegasper.com>
Date: Tue, 23 Jul 2019 17:14:37 -0400
To: IETF ACME <acme@ietf.org>
X-Mailer: Apple Mail (2.3445.104.11)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - web1.siteocity.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - felipegasper.com
X-Get-Message-Sender-Via: web1.siteocity.com: authenticated_id: fgasper/from_h
X-Authenticated-Sender: web1.siteocity.com: felipe@felipegasper.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/czvbYRqFfWgYMN-_3QqSur_lWUw>
Subject: [Acme] Rate limits and ACME
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 21:14:44 -0000
Hello, https://community.letsencrypt.org/t/programmatically-distinguishing-rate-limits/97986/14 ^^ W/r/t this LE forum thread, what would be involved in proposing an ACME extension that provides a reliable, machine-parsable mechanism to distinguish one rate limit from another? My specific use case is: the client I’m building iterates through users on a system and requests certificates as needed: e.g., a newly-added domain, expired certificate, etc. On a server that has just enabled automatic certificate generation (or even has just transferred in a user with hundreds of domains) this will easily run up against Let’s Encrypt’s rate limit of 300 certificate orders per 3-hour timespan. We could throttle that locally, but the software we publish runs on servers that we don’t administer, so if an admin has requested an adjustment to that rate limit (as I suspect many will), we’ll either complicate those admins’ lives by making them keep a local configuration in sync manually with their LE account, or hard-code 300-per-3hrs and deny them the benefit of their raised raite limit, which is even worse. So the solution we’re looking at right now is that we request certificates until we hit that specific orders-per-3hrs rate limit, then we stop (until the next cron-scheduled run). This way, from the admin’s perspective, stuff Just Works™. But that is the *only* rate limit that we want to treat that way; since all of the other rate limits concern specific domains, we treat those as nonfatal since a rate limit error for one domain likely won’t affect others. The problem is that right now, the only way we have of identifying that specific rate limit is to look for the string “too many new orders” in the error document’s “detail”. It’s awfully brittle, but there’s apparently no other way. An ACME extension to solve this, then, seems worth proposing. Thoughts? Thank you! -Felipe Gasper Mississauga, Ontario
- [Acme] Rate limits and ACME Felipe Gasper