Boulder: Add an Hourly Duplicate Certificate Rate Limit

Created on 22 Dec 2020  路  3Comments  路  Source: letsencrypt/boulder

Per the discussion in the Let's Encrypt Community and @aarongable's recommendation seen here:

https://community.letsencrypt.org/t/add-an-hourly-duplicate-certificate-rate-limit/139264

Most helpful comment

I really think this would be very useful. Right now the rate limits kind of serve two pretty different purposes:

  • Let people know that there is some cost to issuing new certificates and that limits exist
  • Prevent actual abuse and disruption, whether intentional or unintentional

The same rate limits are serving both purposes, leading to very unpleasant surprises for people who didn't know that they existed. Those people frequently show up on the forum, sometimes pretty stressed out, and usually community members criticize them somehow (like "you should have known", "you should have read the documentation", etc.). I don't think all of this criticism is necessarily wrong or inappropriate, and much of it may be compatible with the forum's norms and standards, but there is no reason that this needs to be so many people's first experience with Let's Encrypt.

If we had an hourly limit that was lower than, and additional to, the weekly limit, significant numbers of people who simply had no idea that there was any limit at all would find out much sooner, and at a moment when they were much better positioned to act on this information. And all of their interactions and learning about it could be quite a bit more pleasant for everyone involved, like "yes, there is a rate limit and you'll need to learn about it and plan for it鈥攜ou can spend the next 40-50 minutes doing so, and then you'll be able to issue certificates again".

All 3 comments

Issue reopened at @schoen's recommendation per need observed in the community.

https://community.letsencrypt.org/t/soft-rate-limit/147681

I really think this would be very useful. Right now the rate limits kind of serve two pretty different purposes:

  • Let people know that there is some cost to issuing new certificates and that limits exist
  • Prevent actual abuse and disruption, whether intentional or unintentional

The same rate limits are serving both purposes, leading to very unpleasant surprises for people who didn't know that they existed. Those people frequently show up on the forum, sometimes pretty stressed out, and usually community members criticize them somehow (like "you should have known", "you should have read the documentation", etc.). I don't think all of this criticism is necessarily wrong or inappropriate, and much of it may be compatible with the forum's norms and standards, but there is no reason that this needs to be so many people's first experience with Let's Encrypt.

If we had an hourly limit that was lower than, and additional to, the weekly limit, significant numbers of people who simply had no idea that there was any limit at all would find out much sooner, and at a moment when they were much better positioned to act on this information. And all of their interactions and learning about it could be quite a bit more pleasant for everyone involved, like "yes, there is a rate limit and you'll need to learn about it and plan for it鈥攜ou can spend the next 40-50 minutes doing so, and then you'll be able to issue certificates again".

I agree @schoen. While I do support self-reliance, I'm not a fan of the "why didn't you RTFM?" and "go RTFM!" approaches. I'm especially not a fan of handing-down a one-week "sentence" to the less-informed (complete with "parole-workaround").

Was this page helpful?
0 / 5 - 0 ratings

Related issues

rolandshoemaker picture rolandshoemaker  路  5Comments

cpu picture cpu  路  4Comments

cpu picture cpu  路  4Comments

standenemy picture standenemy  路  5Comments

pauladams8 picture pauladams8  路  4Comments