Bypass per domain rate limit if FQDN set was previously issued #1563


#1

I’m hit by the domain rate limit, but this is not a new certificate, but a renewal. I know the reason for the rate limit and can understand why this is needed, but I don’t understand what’s the benefit for applying the limit on renewals, too.

This can break existing setups and render services useless that are trusting Let’s Encrypt to reliably work as soon as it has been set up once. Once again I am very close to run into serious problems because of that issue.

There has been a pull request to disable rate limit for renewals. If I understand this correctly this has been merged already on March 10, but still this issue is unresolved.

Can you please take a look if that code perhaps still needs to be rolled out serverside?

Additionally I thought I would not run into this problem at all since the domain I am using (noip.me from the No-IP.com provider) is now on the PSL correctly. It has been added to the PSL on Dec 4th 2015 (https://github.com/publicsuffix/list/pull/64/commits/469ec0746670062e4390c8832e3a8239758e1931).

Is there any issue respecting this list?


#2

Probably the best way to get help on your issue will be to actually explain the full circumstances here.

Start by explaining which ACME client you’re using (certbot? gethttpsforfree? letsencrypt.sh ?) and how you’re running it, then it would also be helpful to see the output from a failed run in which you believe you’re “hit by the domain rate limit” and the set of FQDNs for which you were previously issued a certificate can help people to rule out many obvious causes.

If, as is likely, you realise the actual cause of your problem while putting that together, please reply anyway and mark your reply as the solution for this item. Thanks.


#3

There’s still a rate limit on certificates with the exact same FQDN set. Otherwise, a script stuck in an infinite loop could keep requesting the same certificate over and over, exhausting server resources. This rate limit is currently set to 5 per week (which is reasonable, given that you’d be requesting the exact same certificate over and over).

So, some things for you to check, which should be fairly simple using https://crt.sh/:

  • Are you sure you’re requesting a certificate for the exact same FQDN set? That doesn’t simply mean that you’ve previously requested a certificate for the FQDN, but that the set is an exact match - so if you’ve added another domain, or removed/replaced one, that would not be the case.
  • Did you attempt to renew this certificate more than 5 times in the last week? In that case, you’ll need to wait.

You’re correct that no-ip.com is on the Public Suffix List. What that means is that the rate limits apply separately for each subdomain of no-ip.com - i.e. foo.no-ip.com has a counter, bar.no-ip.com has one, etc. You can still run into the rate limits for one of these subdomains, but not for the entire domain no-ip.com.

I hope that makes sense.
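The two limits described in the reply above (the 5-per-week cap on an identical FQDN set, the renewal exemption from the per-domain counter, and the way a Public Suffix List entry re-keys that counter per subdomain, as also discussed later in the thread) can be modelled in a few lines. This is an added illustration, not Let's Encrypt's or Boulder's code; the per-registered-domain figure, the miniature PSL and the issuance log are constructed assumptions.

```python
from datetime import datetime, timedelta

# 5/week for an identical FQDN set is stated in the thread; the
# per-registered-domain figure is an assumed parameter, not from the thread.
DUPLICATE_LIMIT = 5
PER_DOMAIN_LIMIT = 20
WINDOW = timedelta(days=7)

# Constructed miniature Public Suffix List, with and without "noip.me".
PSL_WITH_NOIP = {"com", "me", "noip.me"}
PSL_WITHOUT_NOIP = {"com", "me"}

def registered_domain(fqdn, psl):
    """Longest public-suffix match plus one label: the key the counter uses."""
    labels = fqdn.lower().split(".")
    for i in range(len(labels)):          # longest suffix is tried first
        if ".".join(labels[i:]) in psl:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def check_request(history, fqdns, now, psl):
    """history: list of (issued_at, set_of_fqdns). Returns a verdict string."""
    target = frozenset(f.lower() for f in fqdns)
    recent = [(t, frozenset(n)) for t, n in history if now - t < WINDOW]
    # Duplicate-certificate limit: applies to renewals too.
    if sum(1 for _, n in recent if n == target) >= DUPLICATE_LIMIT:
        return "rateLimited: exact FQDN set issued 5 times this week"
    # Renewal exemption: an exact set seen before bypasses the domain limit.
    if any(frozenset(n) == target for _, n in history):
        return "ok: renewal of a previously issued FQDN set"
    # New set: count this week's certificates per registered domain.
    for fqdn in target:
        key = registered_domain(fqdn, psl)
        issued = sum(1 for _, n in recent
                     if any(registered_domain(x, psl) == key for x in n))
        if issued >= PER_DOMAIN_LIMIT:
            return f"rateLimited: too many certificates already issued for: {key}"
    return "ok: new certificate"

NOW = datetime(2016, 5, 20)

def sample_history(now=NOW):
    """Constructed log: 20 other customers this week, plus our cert in March."""
    hist = [(now - timedelta(days=d % 6), {f"host{d}.noip.me"}) for d in range(20)]
    hist.append((datetime(2016, 3, 14), {"mydomain.noip.me"}))
    return hist
```

With `PSL_WITHOUT_NOIP` a brand-new host under noip.me is refused because the zone's shared counter is full, while the March set is still accepted as a renewal; with `PSL_WITH_NOIP` each subdomain counts on its own.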


#4

Thank you for your fast reply. And sorry, I should have known that this info is missing from my report.

I am using certbot like this: ./letsencrypt-auto certonly --apache --renew-by-default --domains mydomain.noip.me

Sadly I didn’t save the output. While trying again to get the output, Murphy hit me hard and the update succeeded, of course…

But it was the standard output for rateLimited which I have seen a lot in the past when I tried to renew last time. This would be:

An unexpected error occurred.
Error: rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: noip.me

I don’t want to stress the LE servers by trying renewal again to see if the message occurs. If you think this is okay, I will try some more to get the rateLimited error again, perhaps the next few days then.


#5

I’ve actually misread the PR against the Public Suffix List you mentioned - it’s not merged yet:


That means the domains are not on the PSL yet, and the overall rate limit applies to no-ip.com (or noip.me in your case).

Still, if you’ve previously had a certificate for the same FQDN set, you shouldn’t be running into any rate limits, unless you’ve attempted renewal at least 5 times in the last week. Can you confirm this is the case, or were any domains added, removed or changed for the failing attempt?


#6

Thank you for the detailed rate limit explanation for FQDNs. That makes complete sense to me.

I am sure I was requesting the exact same FQDN because I ran letsencrypt-auto through a script which includes all the options including the FQDN.

It was my first attempt to renew this certificate since March 14. I tried twice, because at the first attempt I got some Python errors and I first needed to make a git pull on the certbot and update my pip installation. The next try then gave me the rateLimited error.

The handling for PSL domains sounds reasonable to me as well, and I should not have hit that limit through my 2 tries for one FQDN.

I think it’s reasonable to consider that as a one-time glitch and leave it that way. Next time I hit that I will make sure I have all technical output available.


#7

darn, you are right, the PSL update has not been merged yet… After all this time…

But yes, the FQDN handling for renewal still should have prevented the rateLimited error. Let’s see how the next renewal runs.

Thank you all for your lightning-fast replies and your helpful thoughts!

