[Common Issue] Are there rate limits when provisioning SSL/TLS certificates using Netlify?

Yes, there are rate limits, and they apply to both the creation and modification of SSL/TLS certificates. We use Let’s Encrypt to provision SSL certificates and they have a strict rate limit policy.

So, how does the SSL/TLS certificate rate limit affect you when using Netlify?

Well, if the limit is reached, the SSL/TLS certificate cannot be changed for seven days. Obviously, this is not ideal, so avoiding reaching the limit is very strongly encouraged! Thankfully, there are workarounds.

First, let me explain more about the two most important limits affecting you when using Netlify.

Limit of Five (5) Requests per Week per List of Domain Names

  • Netlify cannot request a certificate for the exact same list of names more than five times in a week.

This generally only occurs when you try to provision a certificate and the DNS settings are wrong. If you try to get a certificate repeatedly before the DNS settings are correct, you might hit this limit.

In this case, any other attempts for the next seven days will be automatically rejected. New requests will be allowed again after a week has passed, not before. As a result it is very important to have correct DNS records before updating the SSL/TLS certificate.

Also, please note that ‘correct’, in this case, means taking into account that any old or incorrect DNS records have timed out. If you update your DNS settings, please wait for the old records to expire (their TTL to pass) before attempting to update the certificate.

Limit of Twenty (20) Requests per Week per Individual Domain Name

Netlify cannot request a certificate for any one domain name (even if it is part of a larger list) more than twenty (20) times in a week.

If this happens, it results in a week-long lockout for any new requests.

This most commonly happens when you set up a site (let’s say example1.com) and then try to add more than nineteen (19) domain aliases one by one (example2.com, example3.com, … example20.com). Each alias added triggers a new certificate request that includes example1.com, so the per-name count for example1.com grows with every addition.

Again, this is a per-week limit, so if the aliases are added weeks apart the rate limit won’t apply. But if they are all requested in less than a week, the rate limit will be reached. In some cases, if time allows, the solution is to add only nineteen (19) aliases per week.

So, what can I do to avoid reaching the rate limit?

Now is the time for those promised workarounds to reduce the likelihood of this happening (or prevent it altogether)! The solutions are mentioned above and, for clarity, summarized below.

The best ways to avoid hitting the rate limit for the SSL/TLS certificates are:

  • Always make sure that the DNS records are correct and that their TTL has expired before entering the names into the Netlify UI

    • The most common way to test that the DNS records are correct is to use a lookup tool (like nslookup or dig) to query for the DNS record(s) and verify them manually. The DNS records for the new domain names (the aliases) will need to point to the correct sub-domain at Netlify. This topic is explained in more detail here in our public docs
  • Only add nineteen (19) or fewer aliases per week to a single domain. If you need to add more aliases, the options include:

    • If time allows, add them over time and add no more than nineteen (19) per week.
    • Contact Netlify to have us add all the domain aliases at once.
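To make the arithmetic behind these two limits concrete, here is a small Python model written for this post (not Netlify’s code and not part of the original answer). It keeps a sliding seven-day window of certificate requests, applies the five-per-exact-list and twenty-per-name limits as described above, and simulates adding aliases one at a time to show why the nineteenth alias is the last one that goes through in a single week. The timestamps and domain names are constructed sample data.

```python
from datetime import datetime, timedelta

WEEK = timedelta(days=7)
MAX_PER_EXACT_LIST = 5   # same exact list of names, per 7 days
MAX_PER_NAME = 20        # any one name in any list, per 7 days


class CertRequestPlanner:
    """Sliding 7-day window of certificate requests (model of the post's two limits)."""

    def __init__(self):
        self.requests = []  # list of (timestamp, frozenset of lowercased names)

    def _recent(self, now):
        # Only requests younger than seven days count toward either limit.
        return [names for t, names in self.requests if now - t < WEEK]

    def check(self, now, names):
        """Return (allowed, reason) without recording the request."""
        wanted = frozenset(n.lower() for n in names)
        recent = self._recent(now)
        exact = sum(1 for n in recent if n == wanted)
        if exact >= MAX_PER_EXACT_LIST:
            return False, f"exact list already requested {exact} times in 7 days"
        for name in sorted(wanted):
            count = sum(1 for n in recent if name in n)
            if count >= MAX_PER_NAME:
                return False, f"{name} already appears in {count} requests in 7 days"
        return True, "ok"

    def record(self, now, names):
        """Record the request if it is allowed; return (allowed, reason)."""
        ok, reason = self.check(now, names)
        if ok:
            self.requests.append((now, frozenset(n.lower() for n in names)))
        return ok, reason


def simulate_alias_additions(primary, aliases, start):
    """Add aliases one by one; each addition re-requests a cert for the whole list.
    Returns (number of aliases accepted, first alias rejected or None)."""
    planner = CertRequestPlanner()
    names = [primary]
    planner.record(start, names)  # initial certificate for the site itself
    accepted = 0
    for i, alias in enumerate(aliases):
        names.append(alias)
        ok, _ = planner.record(start + timedelta(minutes=i + 1), names)
        if not ok:
            return accepted, alias
        accepted += 1
    return accepted, None
```

Running `simulate_alias_additions("example1.com", [f"example{i}.com" for i in range(2, 22)], datetime(2024, 1, 1))` returns `(19, "example21.com")`: the twentieth alias would be the twenty-first request containing example1.com inside one week.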

If there are questions, please comment below!


Could maybe put a warning about this on the edit custom domain pop up to prevent people wrecking their site for a week?


How did you manage to wreck your site for a week? Did you change your custom domain to the same thing 5 times in a row?

Changed it once, immediately got this: