Advice about rate limit

Can someone clarify what the situation is with the rate limit if I didn’t succeed in renewing a cert… It seems to suggest that if I renew too often it will be blocked for a week, which seems extreme, but I guess it makes sense…

I’ve been hit by having an old client, which did not support the new validation certificate, and after installing the new certbot I found I did not have the correct python modules etc, and then I discovered that I could not renew because the old standalone tool uses only https, and so I did not redirect http… I have a single machine with a mail server and web server in different containers… so I have to redirect the web ports to the mail container during renewal… but since the old “standalone” tool only uses https, I only redirected https…

After a few attempts to get things to renew, updating the client, and the python modules etc… I realised that the client was now looking at http as well as https and perhaps getting the other container… but 5 attempts in an hour when debugging these changes is not a lot, and it says I am rate limited.

Does this mean that I cannot renew the cert for a week, or is that longer limit only applied if the cert is renewed successfully?

What should I do here?


In this case the limit is 5 attempts per hour, and you can try again in the next hour (however, if you fail again, then the hour after that).

I strongly advise you to try issuing a certificate in the staging environment instead of the real one, to avoid more rate limiting and blocking.

Add the --staging flag for staging-environment certificates.

Thank you

That's also the case. As @stevenzhu said, the limit you hit only lasts for an hour. The weekly limit is based on successful cert issuance.

OK, it seems I had to change some of the settings since it really did not like the certificate I had before and would not renew it!

However, I now have 2 certs, one with a -0001 on the end… am I safe to remove the old one, and rename this one without the -0001 if I also rename the .conf file under the renew folder? Is there anything else I would need to tidy up?

Not sure if I need to clean up the old cert if it can’t be renewed, and I’d rather not end up editing the server configuration to cater for 0001 0002 etc on things?

You can delete the old one with certbot delete --cert-name oldcertname.

If you want to rename the -0001 certificate, there are a lot of things that have to get renamed internally, so that might be a little tricky, although I can give you a list of them.

@erica, there isn’t a command-line interface to the internal lineage rename() as a result of CMIP, is there? I didn’t happen to see one anywhere in the parser or the documentation.

Perhaps it’s easier to delete both of them and start again? If I delete it tho, how does it tell which of them to delete, since the numeric bit isn’t part of the cert name… if I delete one does it delete the oldest, or does the delete actually need the number to be included?

My problem is that this is a standalone certificate and there are 3 different applications with configurations pointing to those folders, so I really don’t want the name to be changing…

The cert name in this case as understood by --cert-name is the directory name in /etc/letsencrypt/live (among other things), so it does include the -0001. You can see a list of the certificates with their names by running certbot certificates.

There is another alternative, which is to reissue the old certificate "in place" with a different set of names. If you're not close to exceeding the certificates per registered domain rate limit, that might be the simplest solution of all. This can be done with certbot certonly --cert-name and a -d for each name that you want it to cover. (Note that in this case you would provide a complete list of domain names that should be covered, including existing ones, not just new ones.)
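Before running certbot delete --cert-name on either lineage, it helps to know which directory name the application configs actually point at. The following read-only audit is an added example, not code from this thread or from certbot; the domain, file names and directory tree are constructed, and grouping names by a four-digit suffix is a heuristic assumption.

```python
import re
import tempfile
from pathlib import Path

# certbot appends -0001, -0002, ... when a lineage name is already taken.
SUFFIX = re.compile(r"^(?P<base>.+)-\d{4}$")

def audit_lineages(config_dir, app_configs):
    """Group lineages under <config_dir>/live by base name; read-only."""
    config_dir = Path(config_dir)
    texts = {str(f): Path(f).read_text(errors="replace") for f in app_configs}
    report = {}
    for d in sorted(p for p in (config_dir / "live").iterdir() if p.is_dir()):
        base = SUFFIX.sub(r"\g<base>", d.name)  # unchanged when there is no suffix
        # Trailing slash keeps "live/x/" from matching "live/x-0001/".
        needle = f"live/{d.name}/"
        report.setdefault(base, []).append({
            "cert_name": d.name,  # the value --cert-name expects
            "has_renewal_conf": (config_dir / "renewal" / f"{d.name}.conf").is_file(),
            "referenced_by": sorted(f for f, t in texts.items() if needle in t),
        })
    return report

def unreferenced_duplicates(report):
    """Names that share a base with another lineage and appear in no app config."""
    return [e["cert_name"] for group in report.values() if len(group) > 1
            for e in group if not e["referenced_by"]]

def build_sample(root):
    """Constructed tree mimicking /etc/letsencrypt plus two app configs."""
    root = Path(root)
    for name in ("mail.example.com", "mail.example.com-0001"):
        (root / "letsencrypt/live" / name).mkdir(parents=True)
        (root / "letsencrypt/renewal").mkdir(exist_ok=True)
        (root / "letsencrypt/renewal" / f"{name}.conf").write_text("# constructed\n")
    (root / "letsencrypt/live/README").write_text("constructed\n")  # a file, not a lineage
    apps = {
        "postfix-main.cf": "smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem\n",
        "nginx-site.conf": "ssl_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem;\n",
    }
    for fname, body in apps.items():
        (root / fname).write_text(body)
    return root / "letsencrypt", [root / f for f in apps]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_lineages(*build_sample(tmp))
        print(report)
        print("unreferenced duplicates:", unreferenced_duplicates(report))
```

In the constructed sample both application configs still reference the unsuffixed name, so that is the name that has to keep working, whether by reissuing it in place or by repointing the configs.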

There is no rename subcommand in shipped code. We had it implemented briefly but removed it before ever shipping because of UX problems.

Thanks very much for the help, and tolerance for an obviously inexperienced user… I’m back up and running now…
