SM2 ACME Service Rate Limits

Last updated: Jan. 06, 2023

SM2 ACME Service provides rate limits to ensure fair usage by as many people as possible. We believe these rate limits are high enough to work for most people by default. We’ve also designed them so renewing a certificate almost never hits a rate limit, and so that large organizations can gradually increase the number of certificates they can issue without requiring intervention from SM2 ACME Service.

If you plan to develop or test an SM2 ACME client, please wait for us to publish the API documentation, because SM2 ACME does not fully adopt the international ACME standard (RFC 8555). The international standard can only be used to apply for a single SSL certificate using one algorithm, RSA or ECC. We issue dual-algorithm, multiple SSL certificates, and the SM2 SSL certificate is itself a dual certificate. SM2 ACME therefore needs to automatically apply for and automatically configure 3 SSL certificates for users. When we publish the API documentation, we will also provide a test environment, which you can then use instead of the production environment. If you plan to integrate the SM2 ACME service into other platform services, please wait for us to open the API; an integration guide will be provided at that time.

The main limit is Certificates per Registered Domain (10 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In www.example.com.cn, the registered domain is example.com.cn. We use the Public Suffix List to calculate the registered domain. Exceeding the Certificates Per Registered Domain limit is reported with the error message “too many certificates already issued”, possibly with additional details.

You can create a maximum of 10 New Orders per account per hour. A new order is created each time you request a certificate from the Boulder CA, meaning that one new order is produced in each certificate request. Exceeding the New Orders limit is reported with the error message “too many new orders recently”.

You can combine multiple hostnames into a single certificate, up to a limit of 20 Names per Certificate. Exceeding the domain names limit is reported with the error message “too many domains in one certificate”. For performance and reliability reasons, it’s better to use fewer names per certificate whenever you can. A certificate with too many domain names produces a large certificate file, which not only slows down users' access to the website but also wastes your website's traffic and the user's mobile phone traffic.

Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Exceeding the Duplicate Certificate limit is reported with the error message “too many certificates already issued for exact set of domains”. A certificate is considered a renewal (or a duplicate) of an earlier certificate if it contains the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of hostnames by adding [blog.example.com], you would be able to request additional certificates.

The free SSL certificate is valid for 90 days and is automatically renewed 7 days before it expires. Each renewal certificate is also subject to the limits on the number of certificates. Revoking certificates does not reset rate limits, because the limits apply to the number of certificates issued.

The “new-nonce”, “new-account”, “new-order”, and “revoke-cert” endpoints on the SM2 ACME API have an Overall Requests limit of 5 per second. The “/sm2acme” directory & subdirectories have an Overall Requests limit of 10 requests per second.

We have two other limits that you’re very unlikely to run into.

  • You can create a maximum of 10 Accounts per IP Address per 8 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design using one account for many customers. Exceeding these limits is reported with the error message “too many registrations for this IP”.
  • You can have a maximum of 10 Pending Validation orders on your account. Hitting this rate limit is rare and happens most often when developing ACME clients. Reaching this limit usually means that your users are creating certificate applications but have not completed domain name validation. Generally, this is because the domain name being validated does not yet resolve to the IP address of the server. Please prompt the user to set up the DNS resolution promptly.

Overrides

If you’ve hit a rate limit, we don’t have a way to temporarily reset it. You’ll need to wait until the rate limit expires after a week. We use a sliding window, so if you issued 5 certificates on Monday and 5 more certificates on Friday, you’ll be able to issue again starting Monday. You can get a list of certificates issued for your registered domain by searching on sm2ct.cn, which uses the public SM2 Certificate Transparency logs.
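The renewal rule and the sliding window described above can be checked on the client side before an order is submitted. The following is an added example, not code from SM2 ACME Service or SM2cerBot; it assumes a locally kept issuance history, treats a certificate as a renewal when the same name set appears earlier in that history, and uses a three-entry stand-in for the Public Suffix List.

```python
from datetime import datetime, timedelta

WEEK = timedelta(days=7)
PER_REGISTERED_DOMAIN, DUPLICATES, NAMES_PER_CERT = 10, 5, 20   # limits from the page
# Constructed stand-in for the Public Suffix List; a real client loads the full list.
SUFFIXES = {"com", "cn", "com.cn"}

def registered_domain(host):
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):           # longest public suffix wins
        if ".".join(labels[i:]) in SUFFIXES:
            if i == 0:
                break                      # the name is itself a public suffix
            return ".".join(labels[i - 1:])
    raise ValueError(f"no registered domain for {host!r}")

def name_set(names):
    # Duplicate detection ignores capitalization and ordering of hostnames.
    return frozenset(n.lower().rstrip(".") for n in names)

def preflight(history, names, now):
    """history: (issued_at, names) pairs. Returns (allowed, reason, retry_time)."""
    wanted = name_set(names)
    if len(wanted) > NAMES_PER_CERT:
        return False, "too many domains in one certificate", None
    seen, dupes, per_domain = set(), [], {}
    for issued_at, issued in sorted(history, key=lambda h: h[0]):
        s = name_set(issued)
        if now - issued_at < WEEK:         # still inside the sliding window
            if s == wanted:
                dupes.append(issued_at)
            if s not in seen:              # first issuance of this set, not a renewal
                for d in {registered_domain(n) for n in s}:
                    per_domain.setdefault(d, []).append(issued_at)
        seen.add(s)
    # A slot frees up one week after the limit-th newest issuance in the window.
    if wanted in seen:                     # renewal: only the duplicate limit applies
        if len(dupes) >= DUPLICATES:
            return (False, "too many certificates already issued for exact set of domains",
                    dupes[-DUPLICATES] + WEEK)
        return True, "renewal", None
    for d in sorted({registered_domain(n) for n in wanted}):
        times = per_domain.get(d, [])
        if len(times) >= PER_REGISTERED_DOMAIN:
            return False, "too many certificates already issued", times[-PER_REGISTERED_DOMAIN] + WEEK
    return True, "new certificate", None

# Constructed sample history: 5 certificates on Monday, 5 more on Friday (the page's example).
MON, FRI = datetime(2023, 1, 2, 9), datetime(2023, 1, 6, 9)
SAMPLE = [(t, [f"{p}{i}.example.com"]) for t, p in ((MON, "a"), (FRI, "b")) for i in range(5)]
```

With the sample history, a new name set requested on Saturday is refused with a retry time of the following Monday, while a request for a name set already in the history is treated as a renewal and allowed.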

If you are a large hosting provider or organization working on an SM2 ACME Service integration, you can contact us to request a higher rate limit. We will process your application as soon as possible and notify you of the result by email, so please check your email promptly.

Clearing Pending Orders

If you have a large number of pending orders and are getting a Pending Orders rate limiting error, the easiest way to handle it is to check, before submitting each order, whether the domain name to be validated and the verification file are ready on the server. If they are not, do not submit the order. This is how the SM2 ACME client, SM2cerBot, handles it.

If you submit orders without verifying that users are ready, a large number of users will submit certificate applications before they are ready for domain validation, and you can only wait for the rate limit to end. As described above, there is a sliding window, so this may take less than a week depending on your pattern of issuance.

Note that having a large number of pending orders is generally the result of a buggy client. If you’re hitting this rate limit frequently, you should double-check your client code: the client needs to check whether an order is ready for validation before submitting it.