# Let's Encrypt rate-limit planner

> Plan certificate issuance for a set of hostnames: group them by registered domain and see how they map onto Let's Encrypt's rate limits.

- Tool: https://ronutz.com/en/tools/letsencrypt-rate-limits
- Family: Certificates & PKI

---

## What it does

Paste the list of hostnames you plan to put on Let's Encrypt certificates, and this tool groups them by **registered domain** (eTLD+1) and shows how they map onto Let's Encrypt's issuance limits. It tells you the fewest certificates the set needs, flags where a wildcard would collapse several subdomains, and warns when a naive one-certificate-per-name approach would exceed the weekly per-domain limit. Everything runs locally in your browser; nothing is sent anywhere.

## Why the registered domain matters

Let's Encrypt's headline limit counts new certificates against the **registered domain**, not each hostname. So `www.example.com`, `api.example.com`, and `blog.example.com` all draw from a single weekly budget under `example.com`. The tool computes that grouping with the Public Suffix List, so it is correct even for multi-label suffixes: `shop.example.co.uk` and `www.example.co.uk` group under `example.co.uk`, three labels deep, not `co.uk`. Getting this boundary wrong is the usual reason people are surprised by a rate-limit error.

## What it computes

For each registered domain it shows the count of intended names (against the per-domain weekly limit), the fewest certificates needed if you pack up to 100 names per certificate, and any **wildcard candidates**: a parent with two or more direct subdomains, which a single `*.parent` name could cover instead. The summary totals the names, the distinct registered domains, and the minimum certificates across everything, and raises a warning if any one registered domain would exceed the weekly limit when issued one certificate per name. IP-address inputs are listed separately, since they use their own unit, and anything that is not a valid hostname (including a bare public suffix like `co.uk`) is called out.

## The limits it uses

The numbers shown are a dated, sourced snapshot of Let's Encrypt's published limits: 50 new certificates per registered domain per 7 days, 300 new orders per account per 3 hours, 5 certificates for the same exact set of names per 7 days, and up to 100 names per certificate. The single most useful fact for planning is that **renewals coordinated by ARI are exempt from all rate limits**, so once you are issued, keeping certificates renewed is not a rate-limit concern. Because Let's Encrypt can change these numbers, the tool shows the snapshot date and links the source; check that page for the current values before relying on a tight margin.

## Standards and references

- [Let's Encrypt — Rate Limits](https://letsencrypt.org/docs/rate-limits/) - the concrete production limits: 50 certs/registered-domain/7d, 300 orders/account/3h, 5/exact-set/7d, and the registered-domain = eTLD+1 (PSL) definition
- [Let's Encrypt — Integration Guide](https://letsencrypt.org/docs/integration-guide/) - the up-to-100-names-per-certificate issuance policy
- [Public Suffix List — publicsuffix.org](https://publicsuffix.org/list/) - the registered-domain grouping (eTLD+1) that the per-domain limit counts against

## Related reading

- [ACME on BIG-IP: from DevCentral scripts to a native client](https://ronutz.com/en/learn/bigip-acme-certificate-automation.md): How Let's Encrypt and other ACME certificate automation works on F5 BIG-IP: the native ACMEv2 client introduced in BIG-IP 21.1.0 (provisioning, renewal, and deployment for any ACMEv2 CA), the community dehydrated-based solutions that came before it, BIG-IQ's centralized Let's Encrypt CA management profile, and where the shared ACME concepts and rate limits fit.
- [ACME on FortiGate: a built-in client for the box's own certificate](https://ronutz.com/en/learn/fortigate-acme-certificate-automation.md): How FortiOS's native ACME support obtains and renews a Let's Encrypt certificate for the FortiGate itself: the public-IP and FQDN requirements, the single-name SAN constraint, the TLS-ALPN-01 and HTTP-01 challenges (and which FortiOS versions support them), the GUI and CLI configuration, and how this differs from BIG-IP's native client.
- [Let's Encrypt: the free CA and its rate limits](https://ronutz.com/en/learn/lets-encrypt.md): What Let's Encrypt is, why its certificates are short-lived, and how its rate limits actually work: the per-registered-domain and per-account limits, the exact-set and authorization-failure limits, and why ARI renewals are exempt from all of them.
