I have a WordPress multisite installation with different subdomains for different sites. My “main” domain is julis.de and all subsites have a subdomain in form of *.multisite.julis.de
Just to be clear: I cannot use a wildcard certificate and have to issue a cert per site because as soon as the site is ready to go public, we make it accessible from both a main domain like julis-bla.de and bla.multisite.julis.de
During the last week, I did not issue a lot of certificates for new sites, maybe like 2-3. There is no one else who could have done this. Still, when I wanted to issue a certificate for a new subdomain today, LetsEncrypt had an error where it told me that “too many certificates have been already issued for julis.de” and linked me to the rate limit docs.
Is there a limit on a maximum number of certificates you can issue? Because otherwise I really don’t know why we would have run into something like a weekly rate limit or smth. Is there a way to find out about this?
I'm not sure why you didn't know the answer to this question yourself, as you've stated you got a link to the rate limit documentation.
You can check the issued certificates on certificate transparency (CT) indexing sites such as crt.sh: https://crt.sh/?q=%25.julis.de (note: CT pre-certificates are also logged, so you might see "duplicates" [i.e.: the pre-certificate and the actual certificate, where the pre-certificate is identifiable by the CT "poison"]).
Why does this limit you to use a wildcard certificate? If I understand you correctly, at the moment of publication, you request two certificates: one for the example.multisite.julis.de hostname and one for the julis-example.de hostname. How does this limit you to use a wildcard certificate? Why don't you request just one new certificate on publication (for julis-example.de) and use the existing wildcard certificate for example.multisite.julis.de?
Thanks a lot for your answer. I've read the site on rate limits and could not find any thing such as total limits. I still cannot find it, but maybe I am just overlooking something, which is why I asked.
"Why does this limit you to use a wildcard certificate?" -> It doesn't limit to use a wildcard certificate. It's the other way around, I have one certificate per apache vhost and thus cannot use a single certificate for all vhosts as a vhost can also contain additional domains. Maybe I was unclear there, my bad.
And I have checked crt.sh and most of those certificates are in fact renewals of existing certs and from my understanding, those don't count towards the 20 cert limit which is why I don't understand that we may have reached a limit. I may have manually issued like 3-4 certificates.
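The crt.sh check suggested earlier (with its pre-certificate "duplicates") and the question of which entries are renewals can be worked through in code. This is an added example, not code from this thread or from Let's Encrypt; it assumes the field names crt.sh returns in its JSON output (id, serial_number, issuer_name, not_before, name_value), uses a constructed sample instead of a live query, collapses the pre-certificate/final-certificate pair on issuer plus serial number, and takes "renewal" to mean a certificate whose SAN set is identical to an earlier one.

```python
import json
from datetime import datetime, timedelta

R3 = "C=US, O=Let's Encrypt, CN=R3"

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.julis.de&output=json); these are not real log entries.
# ids 1001/1002: pre-certificate + final certificate of one issuance (same serial).
# id 1003: same SAN set as id 900, i.e. a renewal. ids 1001 and 1004: new certs.
SAMPLE_CT_JSON = json.dumps([
    {"id": 900, "serial_number": "0033", "issuer_name": R3, "not_before": "2021-03-01T09:00:00",
     "name_value": "shop.multisite.julis.de\njulis-shop.de"},
    {"id": 1001, "serial_number": "0a1b", "issuer_name": R3, "not_before": "2021-06-01T10:00:00",
     "name_value": "blog.multisite.julis.de"},
    {"id": 1002, "serial_number": "0a1b", "issuer_name": R3, "not_before": "2021-06-01T10:00:00",
     "name_value": "blog.multisite.julis.de"},
    {"id": 1003, "serial_number": "0a1c", "issuer_name": R3, "not_before": "2021-06-02T09:00:00",
     "name_value": "julis-shop.de\nshop.multisite.julis.de"},
    {"id": 1004, "serial_number": "0a1d", "issuer_name": R3, "not_before": "2021-06-03T09:00:00",
     "name_value": "news.multisite.julis.de"},
])


def dedupe_precerts(entries):
    """Collapse the pre-certificate/final-certificate pair of one issuance into
    one record; both share the issuer and the serial number."""
    unique = {}
    for e in entries:
        unique.setdefault((e["issuer_name"], e["serial_number"].lower()), e)
    return list(unique.values())


def classify_issuances(raw_json, now, window_days=7):
    """Return (new, renewals) for certificates whose not_before lies inside the
    trailing window. A certificate counts as a renewal when an earlier certificate
    (inside or outside the window) carried exactly the same set of SANs."""
    certs = sorted(dedupe_precerts(json.loads(raw_json)), key=lambda e: e["not_before"])
    cutoff = now - timedelta(days=window_days)
    seen_san_sets, new, renewals = set(), 0, 0
    for e in certs:
        sans = frozenset(n.strip().lower() for n in e["name_value"].split("\n") if n.strip())
        if datetime.fromisoformat(e["not_before"]) >= cutoff:
            if sans in seen_san_sets:
                renewals += 1
            else:
                new += 1
        seen_san_sets.add(sans)
    return new, renewals
```

Run against the sample with `now` set to 2021-06-07 it reports two new certificates and one renewal inside the 7-day window; against a live crt.sh export it gives a rough picture of how much of the weekly limit has been consumed.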
There isn't an "absolute" number of certificates. For me it's difficult to distinguish renewals from new certificates, but you can be quite certain the Let's Encrypt software counts correctly: if it says you've hit a rate limit somewhere (it should tell you which rate limit you've hit), you probably have.
You might choose to separate that "single" vhost for the site into two separate semi-duplicate vhosts: one for the wildcard certificate and one for the other hostnames. The only differences between the two would be the SSLCertificateFile and SSLCertificateKeyFile directives for the certificate and the hostname (ServerName/ServerAlias) directives, the rest should be kept the same.
Also, if that's too much trouble, there are two options to "bypass" the rate limits:
Get the site on the Public Suffix List. This list is meant for security issues when multiple users share a common domain. It sounds like the ~.multisite.julis.de is used by multiple users, so you might be a candidate for the PSL.
Thanks a lot for your advice, I will try to improve our config to make sure we won’t have those problems in the future. The error I got was:
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for: julis.de: see https://letsencrypt.org/docs/rate-limits/
Unfortunately, I cannot see from this which rate limit we have hit. But for now, I am gonna try to fix it by changing our system into having 2 separate, “duplicate” vhosts like you suggested.
Renewals currently do count against the rate limit. However, the renewal exemption means that you can continue to issue renewals despite the rate limit.
(Let's Encrypt wants to improve this in the future.)