We have a number of sites on Pantheon, some of which occasionally need to interact with a separate front end hosted elsewhere. These front-end sites may have the same top-level domain and all use Let’s Encrypt.
Pantheon’s documentation has a note about Let’s Encrypt rate limits: https://pantheon.io/docs/https#addressing-lets-encrypt-rate-limits
Using https://letsdebug.net/ we can see what sites contribute towards the rate limit. For one of our sites, there are 2 certificates which contribute towards the rate limit, both with 97 hostnames. (The same 97 hostnames, in fact.)
Pantheon requests a certificate for *.pantheonsite.io hostnames as well as client hostnames, but an SSL certificate is not required for a CNAME’s destination.
Could Pantheon provide the option to only request certificates for client-supplied hostnames, with the caveat that it might mean a little downtime for the HTTPS version of a website while it’s provisioning?