Hi,
we use lego to request a single letsencrypt certificate that contains 5 hostnames (SANs) and we consistently run into a request limit.
lego error message:
desec: failed to create records: domainName=acme-dns-challenge.applied-privacy.net, recordName=doh-appliedprivacy-net: error: 429: {\"detail\":\"Request was throttled. Expected available in 1 second.\"}"]}
Since we do not hit any of these documented LE limits
I assume this is a limit by the deSEC API.
What is the best option to workaround this issue since 5 SANs should not be that problematic, right?
I was also not able to find any documentation at https://desec.readthedocs.io/
about the rate limits of the deSEC API.
That’s our DNS API rate limit (for write operations). The limits we put into effect initially are indeed quite conservative, and we intended to relax them on demand. So, here you go! We’ll deploy it once the internal review went through (should be early next week).
The rate limit is for DNS write operations per second per account. Bulk requests are counted only once.
It is correct that all requests are domain-specific, so you will need to do several requests when answering ACME challenges for several domains.
Our backend works with PowerDNS, and there is currently no way to make cross-domain requests reliable, in the sense that they either all succeed, or the requests fail completely if one subtask fails. For the details, see this PR discussion. Thus, no matter how we set the rate limit, the general problem persists.
At the moment, there are two ways forward:
create certificates per domain (is there are compelling reason not to do that?)
@peter maybe those limitations have to be added in the API documentation, because the issue on lego was a bit surprising to me.
I’m sure that you have reasons behind this rate limit, but 200ms is very slow from the point of view of an HTTP client and for a DNS API.
Also this kind of rate limiting per second can be an issue with concurrency calls or multiple API clients: in this case it’s impossible to sleep 200ms between two calls.
Could you explain this rate limit per second instead of only a rate limit per minute and per hour?
The rate limit is per second because we would like to minimize the chance of concurrent requests for changes on the same domain, as PowerDNS doesn’t handle that scenario very well (we ran into related problems in the past). It would, of course, be better to enforce limits by domain (not by account), but we haven’t gotten around to implementing that. I created an issue for it.
On this occasion: Rate limits for DNS write operations have been changed to be per-domain in the meantime (they are no longer per account).
Regarding the per-second rate limits, we think that it’s feasible for a smart client to know which requests it is going to make within the next second, and to aggregate these requests into a bulk request. As far as the rate limit is concerned, such bulk requests are counted once (per domain). This means that you can limit requests to ~1/s by making proper use of bulk requests, and as a result, the rate limit won’t get in your way.