Pantheon Community

More specific SSL certs to avoid Let's Encrypt rate limitations affecting non-Pantheon sites

We have a number of sites on Pantheon, some of which occasionally need to interact with a separate front end hosted elsewhere. These front end sites may have the same top level domain and all use Let’s Encrypt.

Pantheon’s documentation has a note about Let’s Encrypt rate limits:

Using we can see what sites contribute towards the rate limit. For one of our sites, there are 2 certificates which contribute towards the rate limit, both with 97 hostnames. (The same 97 hostnames in fact.)

Pantheon requests a certificate for * host names as well as client host names, but an SSL certificate is not required for a CNAME’s destination.

Could Pantheon provide the option to only request certificates for client supplied hostnames? With the caveat that it might mean a little downtime for the HTTPS version of a website while it’s provisioning.

1 Like

I’m not sure what the implications would be for Pantheon’s infrastructure. It would need to request new individual certificates rather than adding subject alternative names (SAN).

1 Like

One more question: when Pantheon adds a SAN, is that another full certificate renewal which counts towards the rate limit? If this happens a few times a week it could cause problems.

1 Like

I just purchased the third party cert wildcard and stopped using let’s encrypt.

1 Like

As I understand it this issue will be resolved in the near future, but the solutions outlined in the doc are the best options right now


Good to hear, thanks Doug.

Good idea, we may do that with some of our clients if it’s required.