"Dry-run" option

It seems counter-productive to have this "Dry-run" option, if you can't go back and run it. It says successful, and now I know it will work, but wait 10 more hours after? Odd.


The --dry-run is very helpful for testing. It uses the Let's Encrypt staging system which has very flexible rate limits. These certs are not valid for production sites.

The error you get is because of rate limits on the production system. The us.to domain is shared and has reached the limit of issuances. The message also states when you might next succeed.

The us.to may be a candidate for the Public Suffix List or requesting rate limit exceptions from Let's Encrypt. Learn more about Let's Encrypt Rate Limits here


The dry run is not a reset for production rate limits:
[only time will remove them]

The dry run option will only simulate a renewal and is very useful to work out any problems without consuming anything from production.



When someone is not aware of production rate limits or "testing" being a specific context, this tool-tip was misleading.

That "tip" was provided by cPanel [not Let's Encrypt].


Cool, I'll inform them.
This has to happen a lot for non-TLDs.

It makes it sound like a good idea, just in general. It got me.


Only when large numbers of people share the same root domain. Even then, the operator or owner of the shared root has several options, but they need to act to avoid Let's Encrypt Rate Limits. You could just get your own custom domain :)

Maybe also review this:


OR use any of the FREE domains that are already included in the PSL.


I don't know what you mean. What's that?

PSL = Public Suffix List
See: https://publicsuffix.org/


I found this: Add us.to suffix of FreeDNS service. by lexologe · Pull Request #326 · publicsuffix/list · GitHub
So I'm guessing it's included on the list?

No, it is not on the PSL. The GitHub Pull Request link you posted referred to the below link. You should read that to see why it was not added.

Or follow the link @rg305 supplied and you will see it is not on the list.

The owner of us.to could apply for Rate Limit exclusion for Let's Encrypt. Refer them to the Rate Limit page I provided earlier.


I did. I followed it back. This is all interesting.
But nothing was ever really wrong, except my understanding of "Dry run". It did succeed.

My overall goal was helping anyone like myself who comes to that option in cPanel unsure of what it does; that tool-tip will cause you to mess up. If it's only for renewals also, that button is especially misleading for brand new accounts.


Unfortunately, there were multiple things at play here:

  • cPanel using wording that you find confusing/unhelpful/misleading
  • certificate rate limit exceeded for the TLD "us.to"

So, there was no simple/single answer [to both].
I hope that both have been addressed to your satisfaction.
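
Why every us.to subdomain lands in the same rate-limit bucket while names under a PSL-listed suffix do not, as an added example that is not part of any post in this thread. It implements the Public Suffix List matching rules (plain, wildcard and exception rules) over a constructed mini-list; `freedns.example` is a hypothetical listed suffix, and the host names are made up.

```python
# Added illustration: group host names by "registered domain" (public suffix
# plus one label), the unit Let's Encrypt counts certificate issuance against.
# RULES is a constructed mini-list, NOT the real PSL; "freedns.example" is hypothetical.
from collections import defaultdict

RULES = {"to", "example", "freedns.example"}  # us.to deliberately absent


def public_suffix(host, rules=RULES):
    """Longest matching public suffix of host, following PSL matching rules."""
    labels = host.lower().rstrip(".").split(".")
    best = labels[-1:]  # implicit default rule "*": the last label alone
    for i in range(len(labels)):
        cand = labels[i:]
        name = ".".join(cand)
        if "!" + name in rules:  # exception rule wins: drop its leftmost label
            return ".".join(cand[1:])
        wildcard = ".".join(["*"] + cand[1:])
        if (name in rules or wildcard in rules) and len(cand) > len(best):
            best = cand
    return ".".join(best)


def registered_domain(host, rules=RULES):
    """Public suffix plus one more label, or None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def group_by_limit_bucket(hosts, rules=RULES):
    """Map each registered domain to the hosts that share its issuance limit."""
    buckets = defaultdict(list)
    for h in hosts:
        buckets[registered_domain(h, rules)].append(h)
    return dict(buckets)


# Constructed sample hosts.
HOSTS = ["alice.us.to", "bob.us.to", "www.carol.us.to",
         "alice.freedns.example", "bob.freedns.example"]

if __name__ == "__main__":
    for bucket, members in group_by_limit_bucket(HOSTS).items():
        print(f"{bucket}: {members}")
```

All three us.to users fall into the single `us.to` bucket, while each user of the listed suffix gets a bucket of their own.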

