by 8organicbits 1093 days ago
> Free CAs like letsencrypt do have rate limits that we would frequently hit with autoscaling environments, CI jobs, and such.

You're expected to design around that. Deploying should never create a new certificate; those should live in secure storage and get deployed when needed.

The main rate limit also doesn't apply to renewals, so you could potentially issue N*50 domain names on your Nth week using Let's Encrypt.

"Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit." - https://letsencrypt.org/docs/rate-limits/

If you need to issue certificates for new domains at a higher rate, you're very likely a large company that can afford to pay some money for any excess certificates you need. Failing over to ZeroSSL (zerossl.com) on rate limiting should be an easy engineering task since both use the ACME API.
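
The design described in the comment above, as an added example that is not part of the original post: a deploy-time lookup that reuses a stored certificate, requests a new one only inside the renewal window, and moves to the next ACME CA only on a `rateLimited` error. The function names, the dict standing in for secure storage, the 30-day window and the stub issuers (in place of a real ACME client) are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

RATE_LIMITED = "urn:ietf:params:acme:error:rateLimited"  # ACME error type (RFC 8555)
RENEW_BEFORE = timedelta(days=30)  # assumption: renew when under 30 days remain

class AcmeError(Exception):
    """Stand-in for the problem document an ACME client surfaces."""
    def __init__(self, err_type):
        super().__init__(err_type)
        self.type = err_type

def get_certificate(domain, store, issuers, now):
    """Return (cert, source). `store` stands in for secure storage (a dict);
    `issuers` is an ordered list of (name, issue_fn) pairs."""
    cert = store.get(domain)
    if cert and cert["not_after"] - now > RENEW_BEFORE:
        return cert, "store"  # normal deploy path: no CA request at all
    last_err = None
    for name, issue in issuers:
        try:
            cert = issue(domain)
        except AcmeError as err:
            if err.type != RATE_LIMITED:
                raise  # only rate limiting triggers failover
            last_err = err
            continue
        store[domain] = cert  # persist so later deploys reuse it
        return cert, name
    raise last_err or RuntimeError("no issuers configured")

def stub_issuer(name, now, calls, fail_with=None):
    """Constructed fake CA: records each call and optionally fails."""
    def issue(domain):
        calls.append(name)
        if fail_with:
            raise AcmeError(fail_with)
        return {"domain": domain, "issuer": name, "not_after": now + timedelta(days=90)}
    return issue

def demo():
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    calls, store = [], {}
    issuers = [("letsencrypt", stub_issuer("letsencrypt", now, calls, RATE_LIMITED)),
               ("zerossl", stub_issuer("zerossl", now, calls))]
    first = get_certificate("app.example.com", store, issuers, now)[1]
    # Ten more "deploys" of the same host must not contact any CA.
    later = {get_certificate("app.example.com", store, issuers, now)[1] for _ in range(10)}
    return first, later, calls

if __name__ == "__main__":
    print(demo())
```

Errors other than `rateLimited` are re-raised rather than retried elsewhere, so a failed validation or an authorization problem stays visible instead of being masked by a second CA.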