Can you help me understand why I've been rate limited?

My domain is: mon.svc.worten.net (worten.net)

I ran this command: certbot certonly -d mon.svc.worten.net --dns-route53 --agree-tos -m <email-address>

It produced this output: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: mon.svc.worten.net: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version): NA

The operating system my web server runs on is (include version): NA

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NA

I tried to create the certificate for the domain mon.svc.worten.net more than once which might have explained the rate limit but, as far as I can see in crt.sh I didn’t reach any of them (lectl shows I should have been able to issue 17 more certificates).

Can someone help me understand what was the rate limit I reached and, more importantly, when could I issue a new certificate?

That's the Duplicate Certificate rate limit.

You've issued 5 identical certificates over the last few days.

https://crt.sh/ is running behind and only knows about 3 of them, but for example Google's CT search page shows all of them:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:mon.svc.worten.net&lu=cert_search

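The check discussed in this answer, as an added example that is not part of the thread and is not Let's Encrypt's or lectl's code: it counts issuances per exact set of names from a CT search result, once per serial number so a precertificate and its final certificate are not counted twice, and reports when the next identical certificate becomes possible. The window of 5 certificates per 7 days, modeled as a sliding window, is an assumption taken from the linked rate-limits documentation; the serials, dates and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LIMIT = 5                    # assumed: duplicate-certificate limit per exact name set
WINDOW = timedelta(days=7)   # assumed: sliding one-week window


def duplicate_status(entries, now, limit=LIMIT, window=WINDOW):
    """entries: (serial, not_before, names) tuples taken from a CT search.

    not_before is used as an approximation of the issuance time.
    Returns {name_set: (count_in_window, next_allowed)}; next_allowed is None
    while the name set is still under the limit.
    """
    issued = defaultdict(dict)
    for serial, not_before, names in entries:
        key = frozenset(n.lower().rstrip(".") for n in names)
        # A precertificate and its final certificate share a serial number:
        # keep one timestamp per serial so each issuance is counted once.
        issued[key].setdefault(serial, not_before)
    status = {}
    for key, by_serial in issued.items():
        recent = sorted(t for t in by_serial.values() if now - window < t <= now)
        next_allowed = None
        if len(recent) >= limit:
            # Issuance is possible again once the limit-th newest entry ages out.
            next_allowed = recent[-limit] + window
        status[key] = (len(recent), next_allowed)
    return status


def utc(day, hour):
    return datetime(2000, 1, day, hour, tzinfo=timezone.utc)  # constructed dates


NAMES = ["mon.svc.worten.net"]
# Constructed sample: five issuances, one of them logged as precert + final cert.
FULL_VIEW = [
    ("s1", utc(20, 9), NAMES), ("s2", utc(20, 15), NAMES),
    ("s3", utc(21, 10), NAMES), ("s3", utc(21, 10), NAMES),
    ("s4", utc(22, 11), NAMES), ("s5", utc(22, 16), NAMES),
]
STALE_VIEW = FULL_VIEW[:4]   # a lagging monitor that has ingested only three
NOW = utc(23, 12)
```

Run against `STALE_VIEW` the name set looks well under the limit, while `FULL_VIEW` shows it exhausted, which is why a count taken from a monitor with an ingestion backlog cannot be trusted for this check.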

Thank you @mnordhoff! I last created a certificate request a few days ago so I assumed that wasn’t the problem but it seems you’re right.

That is not good. Usually, precertificates appear in the crt.sh db within a few minutes or a couple of hours after you issue them. Final certificates appear on crt.sh anywhere from a few hours to a few days later, but it isn't normal that after 3 days there are no precertificates logged for the last 2 issued certs covering mon.svc.worten.net. Maybe crt.sh is experiencing some technical issues :smirk:

Cheers,
sahsanu

I don't know how crt.sh's architecture works, but it feels overloaded. Some searches I did were timing out. (Seems to have gotten better since.)

The monitoring page usually shows a little bit of "backlog" on the busiest logs, but now it's millions of certs:

If you search Let's Encrypt, the latest precertificates are from the 22nd:

(There are a few newer leaf certificates that people must have manually submitted to less popular -- and therefore more quickly processed -- logs.)

But it's processed like half an hour worth of Mammoth precertificates while I've been writing this post, so maybe it's getting better.

I’m not convinced the crt.sh backlog is actually going down over time. I’ve noticed that it really got slower this year. Hopefully the ingestion can be made faster and it’s not a problem with database load.

There are alternatives at Google, Censys and SSLMate, but none are both free and API-able like crt.sh :frowning: . I’d love to maintain a database myself but the storage requirements for even 90 days of certificates are too expensive to fund personally.
