Pantheon Community

More specific SSL certs to avoid Let's Encrypt rate limitations affecting non-Pantheon sites

We have a number of sites on Pantheon, some of which occasionally need to interact with a separate front end hosted elsewhere. These front end sites may have the same top level domain and all use Let’s Encrypt.

Pantheon’s documentation has a note about Let’s Encrypt rate limits: https://pantheon.io/docs/https#addressing-lets-encrypt-rate-limits

Using https://letsdebug.net/ we can see what sites contribute towards the rate limit. For one of our sites, there are 2 certificates which contribute towards the rate limit, both with 97 hostnames. (The same 97 hostnames in fact.)

Pantheon requests a certificate for *.pantheonsite.io host names as well as client host names, but an SSL certificate is not required for a CNAME’s destination.

Could Pantheon provide the option to only request certificates for client supplied hostnames? With the caveat that it might mean a little downtime for the HTTPS version of a website while it’s provisioning.

1 Like

I’m not sure what the implications would be for Pantheon’s infrastructure. It would need to request new individual certificates rather than adding subject alternative names (SANs).

1 Like

One more question: when Pantheon adds a SAN, is that another full certificate renewal which counts towards the rate limit? If this happens a few times a week it could cause problems.

1 Like
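The two questions above (which sites draw on the same rate-limit budget, and whether adding a SAN counts as another certificate) come down to how Let's Encrypt groups certificates: by registered domain for the 50-new-certificates-per-week limit, and by exact hostname set for the 5-duplicates-per-week limit, with a cap of 100 names in one certificate. The following script is an added example written for this page; it is not Pantheon's, letsdebug's or Let's Encrypt's code. It models those documented limits over a constructed issuance history. The `registered_domain` helper is a deliberate simplification (last two labels) that a real tool would replace with a Public Suffix List lookup, and all hostnames and dates are made up for the demo.

```python
"""Model Let's Encrypt's per-registered-domain rate limits for a set of
certificate issuances, to see which certificates share one budget.
Added example for this thread; not Pantheon or Let's Encrypt code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Documented Let's Encrypt limits: 50 new certificates per registered domain
# per rolling week, at most 100 hostnames per certificate, and exact-duplicate
# renewals (same hostname set) capped at 5 per week but not counted in the 50.
NEW_CERTS_PER_REGISTERED_DOMAIN = 50
DUPLICATES_PER_WEEK = 5
NAMES_PER_CERTIFICATE = 100
WINDOW = timedelta(days=7)


def registered_domain(hostname):
    """Assumption for the demo: registered domain = last two labels.
    Production code must consult the Public Suffix List (think co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def names_headroom(hostnames):
    """How many more SAN entries fit before the 100-names-per-cert limit."""
    return NAMES_PER_CERTIFICATE - len({h.lower() for h in hostnames})


def rate_limit_report(issuances, now):
    """issuances: list of (issued_at, hostnames). Counts certificates issued in
    the week ending at `now`, per registered domain, split into new certs and
    duplicates (a cert whose hostname set exactly matches an earlier one).
    Adding or removing a single SAN yields a *new* certificate, not a
    duplicate, so it draws on the 50-per-week budget of every registered
    domain named in it."""
    window_start = now - WINDOW
    seen_sets = set()
    report = defaultdict(lambda: {"new": 0, "duplicate": 0})
    for issued_at, hostnames in sorted(issuances, key=lambda i: i[0]):
        if not window_start < issued_at <= now:
            continue  # outside the rolling week, does not count
        name_set = frozenset(h.lower() for h in hostnames)
        is_duplicate = name_set in seen_sets
        seen_sets.add(name_set)
        for rd in {registered_domain(h) for h in name_set}:
            report[rd]["duplicate" if is_duplicate else "new"] += 1
    for entry in report.values():
        entry["new_remaining"] = NEW_CERTS_PER_REGISTERED_DOMAIN - entry["new"]
        entry["duplicates_remaining"] = DUPLICATES_PER_WEEK - entry["duplicate"]
        entry["throttled"] = (entry["new_remaining"] <= 0
                              or entry["duplicates_remaining"] <= 0)
    return dict(report)


def demo():
    """Constructed issuance history (not real data): a Pantheon-style cert that
    bundles platform and client hostnames, a renewal of it, a re-issue after one
    SAN is added, an unrelated front-end cert under the same client domain, and
    an old cert that falls outside the window."""
    now = datetime(2020, 6, 8, 12, 0)
    pantheon_names = ["live-site.pantheonsite.io", "example.org", "www.example.org"]
    issuances = [
        (now - timedelta(days=6), pantheon_names),                         # new
        (now - timedelta(days=5), pantheon_names),                         # duplicate
        (now - timedelta(days=2), pantheon_names + ["shop.example.org"]),  # new (SAN added)
        (now - timedelta(days=1), ["app.example.org"]),                    # separate front end
        (now - timedelta(days=30), pantheon_names),                        # outside window
    ]
    return rate_limit_report(issuances, now)


if __name__ == "__main__":
    for rd, entry in sorted(demo().items()):
        print(rd, entry)
```

Running it shows `example.org` charged for three new certificates (the original, the re-issue with an extra SAN, and the front end's own cert) plus one duplicate, while `pantheonsite.io` is charged for two new certificates and one duplicate: the platform and client domains share budgets whenever one certificate names both.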

I just purchased a third-party wildcard cert and stopped using Let’s Encrypt.

1 Like

As I understand it, this issue will be resolved in the near future, but the solutions outlined in the doc are the best options right now.

2 Likes

Good to hear, thanks Doug.

Good idea, we may do that with some of our clients if it’s required.