Certificates/Domain Limit Problem

The Public Suffix List has to be explicitly imported into Let’s Encrypt, which can take some time. I see that dy.fi seems to be on the PSL now, so you may need to wait for that to happen, or @jsha may be able to say when that’s likely to happen.

If dy.fi was on the PSL used by Let’s Encrypt’s ACME servers then the rate limits would be for the “eTLD+1” which will be a label to the left of the one on the PSL, in this case kettu.dy.fi and the error message should reflect that. Presumably you control kettu.dy.fi and so you’ll be able to ensure you don’t go making hundreds of requests.


@kyledrake: I've changed your user level to allow for PMs.

Let's Encrypt uses the PSL to determine which part of the domain you're requesting a certificate for is the "registered domain", which is essentially a suffix plus one DNS label (i.e. a subdomain). The rate limit is then applied per registered domain. Some examples to illustrate this:

example.com: com is the suffix, example.com is the registered domain.
sub.example.com: com is the suffix, example.com is still the registered domain, so domains issued for sub.example.com would increase the rate limit for example.com.

The same logic applies to private public suffixes such as dy.fi:
piwik.kettu.dy.fi: dy.fi is the suffix, kettu.dy.fi is the registered domain.
pilvi.kettu.dy.fi: Same here.
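The "suffix plus one label" rule described in the post above, as an added worked example in Ruby (the language of the Neocities worker linked later in the thread). This is not code from the original thread, from Let's Encrypt, or from the Neocities project; it implements the published Public Suffix List matching algorithm (longest matching rule wins, an exception rule beats a wildcard, an unlisted TLD falls back to its last label) against a small constructed rule set, and then groups a batch of names into the per-registered-domain buckets that a rate limit would count. The two rule sets show the practical point of the thread: until dy.fi is in the list used by the ACME server, every *.dy.fi name lands in one bucket.

```ruby
# Two constructed PSL subsets (assumption: the real list has thousands of rules).
# "*.ck" and "!www.ck" are included only to exercise wildcard and exception syntax.
PSL_WITHOUT_DYFI = %w[com fi org *.ck !www.ck].freeze
PSL_WITH_DYFI    = (PSL_WITHOUT_DYFI + %w[dy.fi]).freeze

# Lower-case, strip a trailing dot, split into labels.
def normalize(name)
  name.to_s.downcase.chomp('.').split('.')
end

# A rule matches when its labels, right-aligned, equal the name's labels
# ("*" matches any single label). The leading "!" of an exception rule is
# ignored here; it is handled in public_suffix.
def rule_matches?(rule, labels)
  rule_labels = rule.sub(/\A!/, '').split('.')
  return false if rule_labels.length > labels.length
  rule_labels.zip(labels.last(rule_labels.length)).all? { |r, l| r == '*' || r == l }
end

# Public suffix of +name+ under +rules+, per the PSL algorithm:
#   - an exception rule wins and the suffix is that rule minus its leftmost label
#   - otherwise the matching rule with the most labels wins
#   - with no matching rule the last label alone is the suffix
def public_suffix(name, rules)
  labels = normalize(name)
  matching = rules.select { |r| rule_matches?(r, labels) }
  exception = matching.find { |r| r.start_with?('!') }
  suffix_len =
    if exception
      exception.sub(/\A!/, '').split('.').length - 1
    elsif matching.empty?
      1
    else
      matching.map { |r| r.split('.').length }.max
    end
  labels.last(suffix_len).join('.')
end

# Registered domain (eTLD+1): the public suffix plus one more label.
# Returns nil when the name is itself a public suffix (e.g. "dy.fi" once listed).
def registered_domain(name, rules)
  labels = normalize(name)
  suffix_len = public_suffix(name, rules).split('.').length
  return nil if labels.length <= suffix_len
  labels.last(suffix_len + 1).join('.')
end

# Group a batch of requested names by registered domain and count them,
# which is the unit a per-registered-domain rate limit is applied to.
def rate_limit_buckets(names, rules)
  names.group_by { |n| registered_domain(n, rules) }.transform_values(&:length)
end

if __FILE__ == $PROGRAM_NAME
  names = %w[piwik.kettu.dy.fi pilvi.kettu.dy.fi other.dy.fi sub.example.com example.com]
  puts "dy.fi not on the PSL: #{rate_limit_buckets(names, PSL_WITHOUT_DYFI)}"
  puts "dy.fi on the PSL:     #{rate_limit_buckets(names, PSL_WITH_DYFI)}"
end
```

Run it directly to see the two groupings side by side: with dy.fi absent from the rule set all three dy.fi names count against one bucket, dy.fi; with it present they split into kettu.dy.fi and nil (other.dy.fi's registered domain is other.dy.fi, so it gets its own bucket). A real check against a production ACME endpoint would use the server's list, not a local copy, since the thread's whole point is that the two can lag.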

(following up from email)

Just to double-check: You've read the rate limit docs?

We're completely jammed up on pending auth (see the attachment). I just tried to manually fire a request off, and it threw the same error. The pending auth limit is too low for our needs. Even with the improved code I'm working on, I'm 100% confident it will fail in the future with the current limit, causing a one-week site downtime. I can't safely move forward without addressing it, which is why I'm putting in this request.

If you wind up with a large number of pending authz's, your code is "leaking" authz's somewhere and you need to find the leak. To get out of pending authz state, you can find the old authz's that you've leaked and POST the challenge completion to them as you would normally do. This will send them into a valid or invalid state, which removes them from the pending category.

Our site is completely open source, so our implementation code is here (sans the stale domain record checking code, push to github is pending): https://github.com/neocities/neocities/blob/master/workers/lets_encrypt_worker.rb

Looks like you're using a Ruby library called Acme, but it's not immediately obvious where that comes from. Can you link the source for that, and tag in the library's author if they're on this forum? It sounds like it might be that library that is leaking the authz's.

Let me know how I can provide you with an ID. Will a public key derived from our private key suffice?

The URL returned from /acme/new-reg, of the form https://acme-v01.api.letsencrypt.org/acme/reg/123, is your ID. If this is not exposed by your client library, file an issue requesting it.

Also, to clarify: In this thread it sounds like all of your domains are of the form example.neocities.org, but reading your code it sounds like you host arbitrary domains. Should I assume it's a little of both?

Thanks,
Jacob

