<b>Why are Let's Encrypt's rate limits structured around the registered domain, not the hostname?</b>
Let's Encrypt's rate limits are usually hit by automation gone wrong, and operators often misread them as per-certificate caps. They are not. The main limits are keyed to the registered domain, the eTLD+1 computed from the Public Suffix List, and that design choice says a lot about what the CA is actually defending against.
The headline limit, Certificates per Registered Domain (historically 50 per week), counts certificates issued for example.com and for every name under it together. Why that granularity? Because the abuse the CA has to stop is one controlled domain spinning up an unbounded set of subdomains (a.example.com, b.example.com, ...) and minting an unbounded number of free certificates, whether deliberately or through a runaway loop, exhausting CA resources and crowding out other users. A per-hostname limit would be evaded simply by generating new hostnames; the eTLD+1 is the unit of ownership, so it is the unit of accounting. Two documented details matter in practice: renewals of an existing certificate do not count against this limit but are subject to the separate Duplicate Certificate limit, and a single certificate may carry up to 100 names, so batching SANs is the sanctioned way to stay under the cap.
The Public Suffix List (PSL) is load-bearing here. It records that github.io is a public suffix, so user1.github.io and user2.github.io are independent registered domains rather than two subdomains of one owner; otherwise one popular hosting platform would consume the entire limit on behalf of all its users. The PSL is how the CA distinguishes "one owner with many subdomains" from "many owners under one platform." This is also why hosting providers that hand out subdomains get their suffix onto the PSL, and why Let's Encrypt offers a rate-limit adjustment request for the cases the PSL does not cover.
Evidence vs. speculation: the registered-domain keying and the PSL dependence are stated in Let's Encrypt's rate-limit policy, and the Duplicate Certificate limit (5 per week) and the Failed Validation limit (5 failures per account, per hostname, per hour) exist specifically to absorb buggy automation retry loops. Reading the choice of granularity as a defence against subdomain farming is an inference from that design, not a rationale the policy spells out. When a limit is hit, the ACME server returns a rateLimited error and should include a Retry-After header; a well-behaved client honors it rather than retrying immediately.
<b>Further reading:</b> Let's Encrypt rate-limits documentation; publicsuffix.org; RFC 8555 §6.6 (Rate Limits) and §6.7 (errors, including rateLimited).
<b>Bottom line:</b> Limits track the registered domain because that is the true unit of ownership and abuse. Design your automation to batch SAN names into fewer certificates, to treat renewals separately from new issuance, and to honor the failed-validation cap and Retry-After, since the CA is counting per owner, not per host.
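The following is an added example, not code from the post or from Let's Encrypt. It implements the Public Suffix List matching algorithm over a constructed excerpt of the list (the real .ck wildcard and exception entries are included to exercise both rule types), derives the registered domain for each hostname in an issuance plan, and then compares how many certificates each registered domain would consume under "one certificate per hostname" versus "batch names under one registered domain into SAN certificates of at most 100 names". The 50-per-week and 100-SAN figures are the documented defaults; counting a certificate once against each registered domain it contains names for is this example's modelling assumption.

```python
"""Registered-domain (eTLD+1) accounting for an ACME issuance plan.

Added example: groups requested hostnames by registered domain using a
constructed excerpt of the Public Suffix List, then counts how many
certificates each registered domain would consume under two strategies.
"""
import math
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed excerpt of the Public Suffix List (publicsuffix.org). A real
# deployment loads the full list; "*.ck" and "!www.ck" are the list's real
# wildcard and exception rules, included here to exercise both rule types.
PSL_RULES = ["com", "co.uk", "io", "github.io", "*.ck", "!www.ck"]


def _rule_matches(rule_labels: List[str], host_labels: List[str]) -> bool:
    """A rule matches when its labels equal the host's rightmost labels,
    with '*' matching any single label."""
    if len(rule_labels) > len(host_labels):
        return False
    tail = host_labels[-len(rule_labels):]
    return all(r == "*" or r == h for r, h in zip(rule_labels, tail))


def public_suffix(hostname: str, rules: Iterable[str] = PSL_RULES) -> str:
    """Public suffix of hostname per the PSL algorithm: an exception rule wins
    outright (with its leftmost label dropped), otherwise the longest matching
    rule; with no match the implicit rule '*' makes the TLD the public suffix."""
    host_labels = hostname.lower().rstrip(".").split(".")
    prevailing: Optional[List[str]] = None
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if not _rule_matches(rule_labels, host_labels):
            continue
        if is_exception:
            prevailing = rule_labels[1:]  # exception rule: drop leftmost label
            break
        if prevailing is None or len(rule_labels) > len(prevailing):
            prevailing = rule_labels
    n = len(prevailing) if prevailing else 1
    return ".".join(host_labels[-n:])


def registered_domain(hostname: str, rules: Iterable[str] = PSL_RULES) -> Optional[str]:
    """Public suffix plus one label (eTLD+1); None when the hostname is itself
    a public suffix and therefore has no registered domain."""
    host_labels = hostname.lower().rstrip(".").split(".")
    suffix_len = public_suffix(hostname, rules).count(".") + 1
    if len(host_labels) <= suffix_len:
        return None
    return ".".join(host_labels[-(suffix_len + 1):])


def certificates_per_registered_domain(hostnames: Iterable[str], max_sans: int = 100) -> Dict[str, int]:
    """Certificates consumed per registered domain when names under one
    registered domain are packed into SAN certificates of at most max_sans
    names. max_sans=1 models one certificate per hostname. Assumption of this
    model: a certificate counts once against each registered domain it names."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for host in hostnames:
        rd = registered_domain(host)
        if rd is None:
            raise ValueError(f"{host!r} is a public suffix, not an issuable name")
        groups[rd].append(host)
    return {rd: math.ceil(len(names) / max_sans) for rd, names in groups.items()}


def over_limit(counts: Dict[str, int], limit: int = 50) -> List[str]:
    """Registered domains whose weekly certificate count exceeds the limit."""
    return sorted(rd for rd, n in counts.items() if n > limit)


if __name__ == "__main__":
    # Constructed plan: 120 services under one owner plus two GitHub Pages users.
    plan = [f"svc{i}.example.com" for i in range(120)]
    plan += ["user1.github.io", "user2.github.io", "app.user2.github.io"]
    naive = certificates_per_registered_domain(plan, max_sans=1)
    batched = certificates_per_registered_domain(plan, max_sans=100)
    print("one cert per host:", naive, "over limit:", over_limit(naive))
    print("batched SANs:     ", batched, "over limit:", over_limit(batched))
```

Run as a script, the 120 example.com services cost 120 certificates when issued one per host (far over the 50-per-week cap) but only 2 when batched, while the two github.io users are accounted separately because github.io is a public suffix. Note that the real list changes over time, so production code should load the current PSL rather than a frozen excerpt.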
Handshake Papers
@HandshakePapers
This post was published in the Telegram channel Handshake Papers. Subscribe via: @HandshakePapers.