SSL/TLS · Rate Limits

Ssl Tls Rate Limits

Multi-vendor category covering ACME and CA-issuance APIs. Let's Encrypt publishes concrete per-account, per-IP, and per-domain limits on the ACME v2 endpoint; DigiCert and Sectigo gate API throughput per partner contract and do not publish numeric per-second limits. Numbers below are sourced from Let's Encrypt's public rate-limit documentation.

Ssl Tls Rate Limits is the machine-readable rate-limit profile for SSL/TLS on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 7 rate-limit definitions, measuring certificates, accounts, orders, failures, and varies.

The profile also includes 3 backoff/retry policies defined and response codes documented for throttled and rateLimited.

Tagged areas include SSL/TLS, TLS, Certificates, PKI, and Certificate Authority.

7 Limits Throttle: 429
SSL/TLSTLSCertificatesPKICertificate AuthorityRate Limiting

Limits

Let's Encrypt - Certificates per Registered Domain registered-domain
certificates · week
50
Refills at 1 certificate per 202 minutes. Override available via Let's Encrypt rate-limit override form.
Let's Encrypt - Duplicate Certificates identifier-set
certificates · week
5
Same exact set of identifiers; refills at 1 certificate per 34 hours.
Let's Encrypt - New Accounts per IP IP
accounts · 3h
10
Refills at 1 account per 18 minutes. No overrides available.
Let's Encrypt - New Orders per Account account
orders · 3h
300
Refills at 1 order per 36 seconds. Overrides available upon request.
Let's Encrypt - Failed Validations per Account per Identifier account/identifier
failures · hour
5
Refills at 1 per identifier every 12 minutes. No overrides available.
DigiCert Services API account/contract
varies
per partner contract; not publicly documented
DigiCert gates API throughput through the partner agreement; consult your account team.
Sectigo Certificate Manager API account/contract
varies
per partner contract; not publicly documented
Sectigo enforces throughput per Cert Manager license; consult your account team.

Policies

ACME Backoff
Let's Encrypt returns 429 with a Retry-After header (sometimes embedded in the error message as 'retry after '); ACME clients (certbot, lego, acme.sh) honor this automatically and retry at the indicated time.
Staging Environment First
Let's Encrypt strongly recommends developing against the staging endpoint (acme-staging-v02.api.letsencrypt.org) where rate limits are much higher, before pointing automation at production.
Override by Request
New-orders-per-account and certificates-per-registered-domain caps can be raised via Let's Encrypt's public rate-limit override form for organizations with documented legitimate need. Account-per-IP and failed-validation caps cannot be overridden.

Sources