Can you help me understand why I've been rate limited?


#1
My domain is: mon.svc.worten.net (worten.net)

I ran this command: certbot certonly -d mon.svc.worten.net --dns-route53 --agree-tos -m <email-address>

It produced this output: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: mon.svc.worten.net: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version): NA

The operating system my web server runs on is (include version): NA

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NA

I tried to create the certificate for the domain mon.svc.worten.net more than once, which might explain the rate limit, but as far as I can see in crt.sh I didn’t reach any of them (lectl shows I should have been able to issue 17 more certificates).

Can someone help me understand what rate limit I reached and, more importantly, when I could issue a new certificate?


#2

That’s the Duplicate Certificate rate limit.

You’ve issued 5 identical certificates over the last few days.

https://crt.sh/ is running behind and only knows about 3 of them, but for example Google’s CT search page shows all of them:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:mon.svc.worten.net&lu=cert_search
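To turn the explanation above into something checkable, here is an added example (not code from the thread) that deduplicates crt.sh-style records by serial number, counts how many distinct certificates for the exact name set fall inside the rolling window, and reports when the next issuance would fit under the limit. It assumes the 5-per-7-days Duplicate Certificate limit from Let’s Encrypt’s documentation and the field names of crt.sh’s `output=json` records; the sample records are constructed, not real log data.

```python
"""Count Duplicate Certificate issuances for one exact set of names, crt.sh style."""
import json
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5          # distinct certs allowed per window for an exact name set
WINDOW = timedelta(days=7)   # rolling window (assumed from Let's Encrypt's rate-limit docs)

# Constructed sample in the shape of crt.sh's `output=json` records (not real data).
# A precertificate and its final certificate share one serial number (serial "01" below).
SAMPLE_JSON = json.dumps([
    {"serial_number": "01", "not_before": "2019-03-20T10:00:00", "name_value": "mon.svc.worten.net"},
    {"serial_number": "01", "not_before": "2019-03-20T10:00:00", "name_value": "mon.svc.worten.net"},
    {"serial_number": "02", "not_before": "2019-03-21T09:30:00", "name_value": "mon.svc.worten.net"},
    {"serial_number": "03", "not_before": "2019-03-22T08:00:00", "name_value": "mon.svc.worten.net"},
    {"serial_number": "04", "not_before": "2019-03-24T12:00:00", "name_value": "mon.svc.worten.net"},
    {"serial_number": "05", "not_before": "2019-03-25T07:45:00", "name_value": "mon.svc.worten.net"},
    {"serial_number": "06", "not_before": "2019-03-25T08:00:00", "name_value": "mon.svc.worten.net\nwww.worten.net"},
    {"serial_number": "07", "not_before": "2019-02-01T00:00:00", "name_value": "mon.svc.worten.net"},
])

def name_set(record):
    """crt.sh joins SANs with newlines; the limit is keyed on the exact set of names."""
    return frozenset(n.strip().lower() for n in record["name_value"].split("\n") if n.strip())

def duplicate_issuances(records_json, names, now_iso):
    """Sorted ISO not_before times of distinct certs with exactly `names` inside the window."""
    now = datetime.fromisoformat(now_iso)
    wanted = frozenset(n.lower() for n in names)
    seen, times = set(), []
    for r in json.loads(records_json):
        if r["serial_number"] in seen or name_set(r) != wanted:
            continue                      # skip precert/cert twins and other name sets
        seen.add(r["serial_number"])
        t = datetime.fromisoformat(r["not_before"])
        if now - WINDOW < t <= now:
            times.append(t)
    return [t.isoformat() for t in sorted(times)]

def next_allowed(records_json, names, now_iso):
    """Earliest ISO time a new cert for `names` fits under the limit, or None if allowed now."""
    times = duplicate_issuances(records_json, names, now_iso)
    if len(times) < DUPLICATE_LIMIT:
        return None
    # The oldest of the most recent DUPLICATE_LIMIT issuances must age out of the window.
    return (datetime.fromisoformat(times[-DUPLICATE_LIMIT]) + WINDOW).isoformat()

if __name__ == "__main__":
    print(next_allowed(SAMPLE_JSON, {"mon.svc.worten.net"}, "2019-03-25T12:00:00"))
```

Because precertificates are logged before the final certificate, a search that dedupes by serial number gives the count the rate limiter actually sees even when crt.sh has only one of the pair.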


#3

Thank you @mnordhoff! I last created a certificate request a few days ago so I assumed that wasn’t the problem but it seems you’re right.


#4

That is not good. Usually, precertificates appear in the crt.sh db a few minutes or a couple of hours after you issue them. Final certificates appear on crt.sh after a few hours to a few days, but it isn’t normal that after 3 days there are no precertificates logged for the last 2 issued certs covering mon.svc.worten.net. Maybe crt.sh is experiencing some technical issues :smirk:

Cheers,
sahsanu


#5

I don’t know how crt.sh’s architecture works, but it feels overloaded. Some searches I did were timing out. (Seems to have gotten better since.)

The monitoring page usually shows a little bit of “backlog” on the busiest logs, but now it’s millions of certs:

https://crt.sh/monitored-logs

If you search Let’s Encrypt, the latest precertificates are from the 22nd:

https://crt.sh/?Identity=%&iCAID=16418

(There are a few newer leaf certificates that people must have manually submitted to less popular – and therefore more quickly processed – logs.)

But it’s processed about half an hour’s worth of Mammoth precertificates while I’ve been writing this post, so maybe it’s getting better.


#6

I’m not convinced the crt.sh backlog is actually going down over time. I’ve noticed that it really got slower this year. Hopefully the ingestion can be made faster and it’s not a problem with database load.

There are alternatives at Google, Censys and SSLMate, but none are both free and API-able like crt.sh :frowning:. I’d love to maintain a database myself, but the storage requirements for even 90 days of certificates are too expensive to fund personally.
