SSL/TLS · Rate Limits
Ssl Tls Rate Limits
Multi-vendor category covering ACME and CA-issuance APIs. Let's Encrypt publishes concrete per-account, per-IP, and per-domain limits on the ACME v2 endpoint; DigiCert and Sectigo gate API throughput per partner contract and do not publish numeric per-second limits. Numbers below are sourced from Let's Encrypt's public rate-limit documentation.
7 Limits
Throttle: 429
SSL/TLSTLSCertificatesPKICertificate AuthorityRate Limiting
Limits
Let's Encrypt - Certificates per Registered Domain registered-domain
50
Refills at 1 certificate per 202 minutes. Override available via Let's Encrypt rate-limit override form.
Let's Encrypt - Duplicate Certificates identifier-set
5
Same exact set of identifiers; refills at 1 certificate per 34 hours.
Let's Encrypt - New Accounts per IP IP
10
Refills at 1 account per 18 minutes. No overrides available.
Let's Encrypt - New Orders per Account account
300
Refills at 1 order per 36 seconds. Overrides available upon request.
Let's Encrypt - Failed Validations per Account per Identifier account/identifier
5
Refills at 1 per identifier every 12 minutes. No overrides available.
DigiCert Services API account/contract
per partner contract; not publicly documented
DigiCert gates API throughput through the partner agreement; consult your account team.
Sectigo Certificate Manager API account/contract
per partner contract; not publicly documented
Sectigo enforces throughput per Cert Manager license; consult your account team.
Policies
ACME Backoff
Let's Encrypt returns 429 with a Retry-After header (sometimes embedded in the error message as 'retry after '); ACME clients (certbot, lego, acme.sh) honor this automatically and retry at the indicated time.
Staging Environment First
Let's Encrypt strongly recommends developing against the staging endpoint (acme-staging-v02.api.letsencrypt.org) where rate limits are much higher, before pointing automation at production.
Override by Request
New-orders-per-account and certificates-per-registered-domain caps can be raised via Let's Encrypt's public rate-limit override form for organizations with documented legitimate need. Account-per-IP and failed-validation caps cannot be overridden.