I try to receive a certificate with SAN that includes 3 names for the shared domain homenet.org but I always get
"too many certificates already issued for: homenet.org"

After some research using crt.sh, nearly every day a new cert is issued for minellis.homenet.org. How is this possible and does this affect the weekly rate limit for new certs? How can LE prevent this obvious misbehaviour?

Hi @bjmi,

Is homenet.org your own domain, or a free dynamic DNS provider or something?

It is a free dynamic DNS provider domain located at freedns so there is very little I can do.

Let’s Encrypt’s rate limits aren’t really meant to police the practices of dynamic DNS subscribers. Some dynamic DNS providers have requested rate limit exemptions, which reduce the degree to which one subscriber’s issuance will prevent another subscriber’s issuance.

The Let’s Encrypt CA currently has no way of knowing that one subscriber of homenet.org is a different person from another subscriber, and hence should not be penalized for the other subscriber’s actions. The algorithms that the CA uses imply that the allocation of the allowed quantity of certificates is an internal matter for the domain operator (which may have intended to allow one subdomain to have lots of certificates and another to have few or none).

I would suggest that you either get homenet.org to request a rate limit exemption from Let’s Encrypt, or else switch to a different dynamic DNS provider. You could also try to get them to adopt a policy about subscribers’ ability to request Let’s Encrypt certificates (which would be enforced by cutting off a non-compliant subscriber’s account), but this would probably be too much work for the homenet.org operators.

Correspondingly, investigating whether particular subdomains do or don’t belong to different physical people, outside of the already rather overloaded formal rate limit exemption process, would be too much work for the Let’s Encrypt CA operators.

