Allow issuing a certificate for multiple domains even if limit is reached for one or several

We've been trying to be very efficient when it comes to issuing Let's Encrypt certificates. We have around 15 domains added to one certificate. Yet, when trying to add another one, the extending process fails since there is a limit for an existing domain on

Too many certificates already issued for:

There are 2 problems here:

  1. should be added to PublicSuffix and it is wrong that it's not there
  2. the process fails for all domains since it failed for one domain

It is clear that should be added to PublicSuffix and it's in the process of being approved. The feature I'm requesting is:

When issuing or requesting a certificate for more than X domains, even if Y limits are reached, allow the certificate issuing.

The logic behind it - even if a person abuses Let's Encrypt with one domain, it is still way more efficient to satisfy the request for all the other domains, which, in exchange, saves a lot of resources in order to issue a certificate for all the domains, compared to issuing certificates one-by-one for every domain.

Moreover, the occurring errors actually encourage admins to break up the certificate into per-domain certificates in order to lower the risks of errors, which is a bad practice in terms of user experience and resources allocated.
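The "too many certificates" limit is counted per registered domain (public suffix plus one label), so a hosting suffix missing from the Public Suffix List puts every customer subdomain into one bucket. The following pre-flight check, written for this page and not part of the thread or of Boulder, groups a request's names by registered domain and reports which buckets are already at the limit; the suffix list, the issued-certificate history and the LIMIT value are constructed assumptions.

```python
# Added example (not from the original thread): group the names of a
# multi-domain certificate request by registered domain, the unit the
# "certificates per registered domain" limit is counted against, and
# report which buckets are already exhausted before submitting the order.
from collections import Counter, defaultdict

# Constructed miniature of the Public Suffix List holding only the rules
# this example needs; the real list lives at https://publicsuffix.org/.
PUBLIC_SUFFIXES = {"com", "co.uk", "org"}
LIMIT = 50  # assumed per-registered-domain limit, for illustration only


def registered_domain(name: str, suffixes=PUBLIC_SUFFIXES) -> str:
    """Return the public suffix plus one label (the 'registered domain').

    When a hosting provider's suffix is absent from the list, every
    customer subdomain collapses into the provider's registered domain,
    which is exactly the PSL problem described in the thread.
    """
    labels = name.lower().rstrip(".").split(".")
    # Scan from the full name downwards so the longest matching suffix
    # wins, as in the PSL algorithm.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            if i == 0:
                raise ValueError(f"{name} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # PSL default rule "*": last two labels


def check_request(san_names, issued_recently,
                  suffixes=PUBLIC_SUFFIXES, limit=LIMIT):
    """Return {registered_domain: [names]} for buckets already at the limit.

    issued_recently lists the registered domain of each certificate
    issued in the current rate-limit window (one entry per certificate).
    """
    used = Counter(issued_recently)
    buckets = defaultdict(list)
    for n in san_names:
        buckets[registered_domain(n, suffixes)].append(n)
    return {rd: names for rd, names in buckets.items() if used[rd] >= limit}


if __name__ == "__main__":
    # Constructed request: two unrelated sites plus one customer name
    # under a hosting provider that has already used its weekly quota.
    names = ["shop.example.com", "example.org", "customer1.hostingprovider.com"]
    history = ["hostingprovider.com"] * LIMIT
    print(check_request(names, history))
    # Once the provider's suffix is on the list, each customer is its own bucket.
    print(check_request(names, history, PUBLIC_SUFFIXES | {"hostingprovider.com"}))
```

The first call reports the single blocked name that would fail the whole order; the second shows how adding the provider's suffix to the list moves that name into its own, unused bucket.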

Only the owners of that domain can handle the process. If they are doing so and it fits the purpose of the PSL, it will be added and eventually the update to that will get to the LE servers.

The problem is that it's not more efficient. Keep in mind that for every certificate issued, LE has to provide an OCSP response until the certificate expires. This includes revoked certificates and ones that were replaced by the end user. In that last case, LE has no way to know the certificate is not in use and is still bound to answer for it in the case it is used.

I'm not sure what user experience you're talking about; the end user browsing the site won't notice any changes. The system managers would need to plan better, though.

The resources on the LE end would probably be about the same either way, since they still have to sign OCSP responses for the old certificates until they expire. You'd have roughly the same number of valid certificates either way.


At the moment I see in the list
This fact is sufficient to support the domain in Let’s Encrypt? If yes, how soon can we expect support?


Probably the end of this week - from Too many certificates for


@serverco's answer covered the "when" (Thanks!).

It isn't sufficient for a fix to have landed in the Public Suffix List for it to be active for Let's Encrypt issuance. For that to happen the update also needs to percolate to the publicsuffix-go library we use, to the Boulder master branch, and then to staging & production deploys. I recommend you subscribe to our status page and follow the thread that @serverco listed for more updates towards the end of this week.



@bulgaru, @gg1 - Thanks for waiting. The Boulder release with the updated PSL is in production. You should be able to issue for domains without issue. Please let us know if you’re still experiencing the reported error.

Thanks again for your patience!

