Different limit for Renewal and Create certificate


#1

Hi, I have “certbot-auto renew” executed everyday. Considering the recommended frequency is twice a day (from EFF, see screenshot below), I thought this is okay.

Imagine my surprise when I found out that the renewal uses up my weekly quota (20 certiticates/week),
and caused me unable to create a several of much needed certitificates.

And a renewal seems to also uses up the Duplicate limit (5/week)

When you have hundreds of subdomains, each with its own certificate - it’s really easy for you to hit these limits :slight_smile: actually, you will hit these limits pretty much all the time :smiley: LOL


Looking at these, I hope Lets Encrypt will consider these :

  1. Renewal no longer uses normal quota
  2. Significantly raise renewal quota limit

Thank you.


#2

For now, I have done the following :

  1. Disabled auto renewal script : this will cause problems though, users have screamed on me when they noticed that the browser bar is red (sigh) due to expiring domains
  2. Applied for Rate Limit Adjustment Request : this is not ideal, I know this will put extra burden on Lets Encrypt. But I need to be able to have even thousands of subdomains in the future.

#3

Running certbot renew doesn’t touch the rate limits, as it doesn’t touch the LE servers–it checks your certs, and only touches the LE servers if one or more of them is within 30 days of expiring. That’s why it’s recommended to run certbot renew quite frequently. But actual renewals do have rate limits, though they are treated differently than original issuance. See https://letsencrypt.org/docs/rate-limits/ for the most current information.


#4

The way that Let’s Encrypt handles this is somewhat confusing and has been debated a bit in other threads about rate limits.

In the current implementation, you should get new certificates before renewals; getting the new certificates doesn’t prevent the renewals, but the renewals can prevent the new certificates.

It’s true that this implementation can be confusing and hopefully there will be a different approach at some point. It’s also true that this doesn’t work well with our normal advice to run certbot renew automatically and frequently. Basically, most people don’t have nearly enough certificates that they need to actively control the timing of their automated renewals. Therefore, it’s fine for them to renew at essentially random times. But that’s not necessarily the case for someone who is effectively bound by the rate limit, which is apparently your situation.

Sorry that you ran into this case.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.