
Let's Encrypt Reference Sheet

Eugene Bekker edited this page Nov 15, 2016 · 10 revisions

This page documents useful reference information regarding the specifics of the Let's Encrypt CA (LE) service.

Rate Limits

Full details can be found here.

| Metric | PROD | STAGE |
|---|---|---|
| Certs/Registered Domain/Week | 20 | 30,000 |
| Duplicate Certificate/Week | 5 | 30,000 |
| Max Registrations/IP Address/Hour | 500 | 500 |
| Max Pending Authorizations | 300 | 300 |

  • LE uses a sliding window for rate limiting, so if you hit a rate limit during the week, the limit will be relaxed one week after the metric started accumulating -- not from the time you hit the limit.
  • Registered domains are the part of the domain you pay a registrar for, as calculated by the Public Suffix List.
  • Certs are considered Duplicate Certs if they have the exact same names ignoring case and ordering.
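
The sliding window and duplicate-certificate rules above, as an added example (not code from this wiki or from the LE project): a client-side check over a local issuance log that reports when a given name set can next be requested. The function names and the sample log are assumptions made for illustration; the limit of 5 is the PROD value from the table.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=7)   # "per week" in the table, applied as a sliding window
DUPLICATE_LIMIT = 5          # PROD value from the table (STAGE: 30,000)


def name_key(names):
    """Identity of a cert for the duplicate check: its names, ignoring case and order."""
    return frozenset(n.strip().lower() for n in names)


def next_allowed(history, names, now, limit=DUPLICATE_LIMIT, window=WINDOW):
    """Return the earliest time a certificate for `names` can be requested.

    history: iterable of (issued_at, names) taken from the client's own log.
    Returns `now` when the request fits under the limit, otherwise the moment
    enough earlier duplicates have left the window.
    """
    key = name_key(names)
    recent = sorted(t for t, issued in history
                    if name_key(issued) == key and now - window < t <= now)
    if len(recent) < limit:
        return now
    # The count must drop to limit - 1, so this entry has to age out first.
    return recent[len(recent) - limit] + window


def sample_history():
    # Constructed sample log: five issuances of one name set, one per day.
    start = datetime(2016, 11, 1, 12, 0, tzinfo=timezone.utc)
    variants = [["example.com", "www.example.com"],
                ["WWW.example.com", "example.com"],    # same set: order and case differ
                ["www.Example.COM", "EXAMPLE.com"]]
    log = [(start + timedelta(days=i), variants[i % 3]) for i in range(5)]
    log.append((start + timedelta(days=2), ["example.com"]))  # different set
    return start, log


if __name__ == "__main__":
    start, log = sample_history()
    now = start + timedelta(days=4, hours=6)   # shortly after the fifth issuance
    print("duplicate set blocked until:",
          next_allowed(log, ["www.example.com", "example.com"], now))
    print("different set allowed at:   ", next_allowed(log, ["example.com"], now))
```

In the sample, the fifth duplicate is issued on day 4, yet the next request is allowed on day 7 (one week after the first issuance), not on day 11.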

Feature Limitations

| Feature | PROD | STAGE |
|---|---|---|
| SAN Names/Cert | 100 | 100 |

ACME Protocol Divergences

The Boulder CA server that powers the LE project diverges from the ACME Spec in a few areas.

The complete list can be found here:

Some notable differences from this list:

  • Boulder does not allow tel URIs in the registration's contact list.
  • Boulder does not implement the status, applications or certificates fields in the registration object.
  • Boulder does not implement the new-application resource. Instead it implements new-cert.
  • Boulder does not provide a Retry-After header when a user hits a rate limit.
  • Boulder uses a modified style of key roll-over.
  • Boulder does not implement the reason field for the revoke-cert endpoint and defaults to unspecified for all requests.
  • Boulder implements the tls-sni-01 validation method and not tls-sni-02.
  • Boulder does not implement the oob-01 validation method.