Certificate updates are being counted toward weekly quota

This is a general question about rate limits.
Whenever I do an automatic certificate renewal, the renewals are counted toward my weekly quota.
If I try to create a new certificate after renewing more than 2/ certificate, I cannot.
Certbot returns
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for: arnes.si: see https://letsencrypt.org/docs/rate-limits/

If I understand the rate limit rules correctly, that should not be so. I should be able to create new certificates even if I have requested 20+ renewals.

Can you please explain why that might happen and correct me if I am in error?

Kind regards,

No, renewals are not prevented due to this limit, but they still do count against it. So, you could issue 15 new certificates and then renew 15 certificates, but you couldn’t do it the other way around.

Thank you for the clarification.
I was sure it also worked the other way around.

There was a “fix” in the server side software for this issue, but this introduced another bug, so it was reverted. It is on the todo list of the Boulder developers though.

Bad news for me then…
I use certbot for certificate management.
One certificate, containing multiple domains has failed to renew, because a domain is no longer on the server that runs certbot. The rest have been renewed successfully. Unfortunately the renewals filled the limit and I cannot re-create the failed certificate. Now there is a bunch of sites with an expired certificate.

I know for the future: dry-runs and more error checking for renewals.

But until then, is there any way of re-creating that lone certificate before the famed limit window?

If you recreate the certificate with the same names, the renewal exemption should allow it to be issued.

I cannot recreate the certificate with the same set of domains because one domain is failing. I must remove the troublesome domain and recreate the certificate. This would count as a new certificate.

I have also tried to recreate the certificate the same domains and with --allow-subset-of-names, but that also seems to count as a new certificate.

Unfortunately, I don’t think the rate implementation accommodates your situation well.

@jsha, this might be another case to think about for future rate limit logic improvements.

This is a tricky situation indeed! I’m afraid there is no good immediate way out of the situation.

For long-term planning, my suggestion would be to gradually split off single-domain certificates out of your big multi-domain certificates. That would allow each to succeed or fail on its own, so one failing domain does not cause problems for other domains.

I would also recommend that you make sure you have a working email address set on your Let’s Encrypt account. You should get warning emails about certificate expiration starting 21 days before each certificate expires. I’d also recommend configuring your automation to run certbot -q renew twice daily. This will automatically attempt renewal for any given certificate when it is 30 days from expiring. Between these two measures, hopefully you will have sufficient advance warning to avoid problems in the future.

Judging by https://crt.sh/?q=%.arnes.si, it looks like your rate limit condition should expire on 2018-01-26.

To meet the deadline I resorted to multi-domain certificates to begin with. As the limit window allows I have been splitting the certificates into single-domain. I am currently processing batch 5 of 15.

@jsha thank you for the link. I am using the commandline tool lectl to check the limit state.

I have an email address set to receive Let’s Encrypt notifications and do receive them.
I had my certificate renewal cron job set to run once a week. It produces a log file for every run and sends an email if there are errors. It also has a dry-run option which would have saved me this time. For a while now I have been running the renewal script manually about once a week after creating 20 new single domain certificates.

I have also been thinking along the lines of certbot renew -q --allow-subset-of-names. But I have the feeling it would not change the result given the current state of limits and renewals.

Thank you all for your comments, I now have a better understanding of what has happened and why. It should not happen again.

1 Like

Sounds like you’re doing all the right things! Sorry you got stuck in this situation.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.