by pfg 3721 days ago
This is about custom domains, not subdomains of wordpress.com (they're using a wildcard cert for that, and have been for years).

Rate limits aren't much of an issue in that scenario unless someone has more than 20 separate subdomains set up as a WordPress.com blog under the same domain. Even then, you could theoretically get 20 * 100 subdomains covered every week if you're smart about which domains you combine on a single SAN certificate.

1 comments

Those are the rate limits, as far as I understand them:

* 100 Names/Certificate (how many domain names you can include in a single certificate)
* 5 Certificates per Domain per week
* 500 Registrations/IP address per 3 hours
* 300 Pending Authorizations/Account per week

It seems to me that WP.com could reach at least one of those... So I was curious to hear how they were doing that.

And yes, I was wondering if they would replace the *.wp.com wildcard - I guess not...

The rate limits have been changed to 20 certificates per domain per week recently.

The registrations/IP rate limits aren't really a problem - WordPress could, in theory, run their entire Let's Encrypt infrastructure using one registration (account).

Pending authorizations shouldn't be much of an issue given that all custom domains are CNAMEs pointing to their servers, so they should be able to solve all challenges.

(By the way: If you're building a large integration, Let's Encrypt can change the rate limits for you.)
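
Added example, not part of the original comments: a sketch of the SAN batching idea discussed in this thread, packing hostnames into certificates so that no registered domain appears on more certificates than the weekly limit allows. The function names are hypothetical, the limits are the figures quoted in the thread, the hostnames are constructed, and taking the last two labels as the registered domain is a simplifying assumption (real code should use the Public Suffix List).

```python
from collections import defaultdict

# Limits as quoted in the thread.
MAX_NAMES_PER_CERT = 100
MAX_CERTS_PER_DOMAIN_WEEK = 20

def registered_domain(hostname):
    # Assumption: last two labels. Production code should use the Public Suffix List.
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def plan_certificates(hostnames):
    """Return (certs, deferred): SAN lists to issue this week, names left for later."""
    by_domain = defaultdict(list)
    for name in sorted({h.lower().rstrip(".") for h in hostnames}):
        by_domain[registered_domain(name)].append(name)
    weekly_cap = MAX_NAMES_PER_CERT * MAX_CERTS_PER_DOMAIN_WEEK
    certs, partials, deferred = [], [], []
    for domain in sorted(by_domain):
        names = by_domain[domain]
        deferred.extend(names[weekly_cap:])  # over this domain's weekly budget
        names = names[:weekly_cap]
        for i in range(0, len(names), MAX_NAMES_PER_CERT):
            chunk = names[i:i + MAX_NAMES_PER_CERT]
            (certs if len(chunk) == MAX_NAMES_PER_CERT else partials).append(chunk)
    # Each domain's leftover chunk stays whole, so sharing costs it no extra issuance.
    shared = []
    for chunk in sorted(partials, key=len, reverse=True):  # first-fit decreasing
        for cert in shared:
            if len(cert) + len(chunk) <= MAX_NAMES_PER_CERT:
                cert.extend(chunk)
                break
        else:
            shared.append(list(chunk))
    return certs + shared, deferred

def certs_per_domain(certs):
    """Count how many certificates in the plan include each registered domain."""
    counts = defaultdict(int)
    for cert in certs:
        for domain in {registered_domain(n) for n in cert}:
            counts[domain] += 1
    return dict(counts)

def sample_hostnames():
    # Constructed input: one customer with 250 blogs, 60 customers with two names each.
    names = [f"blog{i}.bigcustomer.example" for i in range(250)]
    for i in range(60):
        names += [f"site{i}.example", f"www.site{i}.example"]
    return names
```

On the constructed input this yields four certificates for 370 names: the 250-blog customer lands on three of them, and every two-name customer on exactly one.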