Duplicate Renewal Quota Clarification

When renewing a cert more than once in 7 days, is the "limit of 5 per week" a count for that set of domains (meaning I get 5 dupe renewals per domain set) or a count for your overall count?

The text below is from the documentation & it doesn't specifically state what the 5 per week limit is based on. I suppose there could be a third option that hasn't come up while debating this internally.

Apologies if this answer is in another thread & I wasn't able to find that posting.

Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificate per Registered Domain limit until March 2019, but they don’t anymore. Exceeding the Duplicate Certificate limit is reported with the error message "too many certificates already issued for exact set of domains".

A certificate is considered a renewal (or a duplicate) of an earlier certificate if it contains the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of hostnames by adding [blog.example.com], you would be able to request additional certificates.

2 Likes

The doc page you reference further says:

Renewal handling ignores the public key and extensions requested. A certificate issuance can be considered a renewal even if you are using a new key.

These explain what is a duplicate renewal. Do you have an example of what is or is not working as expected?

1 Like

Welcome to the Let's Encrypt Community, David 🙂

The duplicate certificate rate limit is counted per set of domain names, so you could have three duplicate certificates (an original and two renewals) for set A and four duplicate certificates (an original and three renewals) for set B and still not have hit the limit for either set. Even if you hit the limit for set A, that won't prevent issuance for set B.

Hope this clarifies things. 🙂

4 Likes
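The per-set counting described in the answer above, written out as a pre-renewal check. This is an added example, not Let's Encrypt's code and not part of the original posts; it assumes "per week" means a sliding 7-day window, and the function names, issuance log and dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 5                   # "Duplicate Certificate limit of 5 per week" (quoted docs)
WINDOW = timedelta(days=7)  # assumption: "per week" is a sliding 7-day window


def name_set(hostnames):
    """Duplicate key: the exact set of hostnames, ignoring case and order."""
    return frozenset(h.strip().lower() for h in hostnames)


def duplicates_in_window(log, hostnames, now):
    """Sorted issuance times inside the window for exactly this set of names."""
    key = name_set(hostnames)
    return sorted(t for t, names in log
                  if name_set(names) == key and now - WINDOW < t <= now)


def can_issue(log, hostnames, now):
    """Return (allowed, remaining, retry_at); retry_at is None when allowed."""
    hits = duplicates_in_window(log, hostnames, now)
    remaining = max(0, LIMIT - len(hits))
    if remaining:
        return True, remaining, None
    # Blocked until the LIMIT-th most recent issuance ages out of the window.
    return False, 0, hits[-LIMIT] + WINDOW


def _t(day, hour, month=10):
    return datetime(2021, month, day, hour, tzinfo=timezone.utc)


# Constructed issuance log: (issued_at, hostnames as requested).
LOG = [
    (_t(28, 9, month=9), ["www.example.com", "example.com"]),  # outside window
    (_t(2, 9), ["www.example.com", "example.com"]),
    (_t(3, 9), ["example.com", "WWW.example.com"]),   # same set: order and case ignored
    (_t(4, 9), ["Example.com", "www.example.com"]),
    (_t(5, 9), ["www.example.com", "example.com"]),
    (_t(6, 9), ["www.example.com", "example.com"]),
    (_t(6, 10), ["www.example.com", "example.com", "blog.example.com"]),  # different set
]
NOW = _t(8, 12)

if __name__ == "__main__":
    for names in (["example.com", "www.example.com"],
                  ["blog.example.com", "example.com", "www.example.com"]):
        print(sorted(name_set(names)), can_issue(LOG, names, NOW))
```

Set A is blocked until its oldest in-window issuance ages out, while set B, which only differs by one added hostname, still has four issuances left.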

That's fantastic news, thanks @griffin!

2 Likes

You are quite welcome, my friend. 😊

2 Likes

Why would you even do that? Unless you have a very good reason, that's just an utter waste of precious resources.

2 Likes

Normally we wouldn't. Normally we renew with 30 days left before expiration.

1 Like

But even if you renew a cert before that once, you wouldn't hit the 5 duplicate rate limit. Why would you hit that now? Isn't renewing once enough?

Also, why are you renewing early anyway? Certificate chain changes in principle don't require a (forced) renewal.

2 Likes

@Osiris we've been using Let's Encrypt for around 3 years now, it has GREATLY improved our certificate management. I think everyone participating in providing this solution is doing a wonderful job. Because we did have a couple of problems with the recent expiration (unrelated to my question here), I was rereading the documentation & this part of it stood out as a little ambiguous to me, so I reached out. I really appreciate the support this community offers, thanks again, I hope you have a nice day!

3 Likes

I think @david.ryhn might have been concerned about the collective renewal of several different certificates in a short period of time collectively tripping the rate limit. Hence why my clarification was a relief.

3 Likes
