Error 429 - too many certificates already issued for: ortsinfo.at

Hey there,

any chance to find out why I’m getting Error 429 - too many certificates already issued for: ortsinfo.at?
Last Cert for this Domain was issued on 31.07.2017 (https://crt.sh/?q=ortsinfo.at)

Guess it’s because of some Subdomains - but not sure?
And I would need the Cert for this Domain rather fast … as current one is expired … :wink:

thx
Andreas Schnederle-Wagner

Have a look at: https://crt.sh/?Identity=%.ortsinfo.at&exclude=expired
webpage attached with txt extension: crt.sh.all.ortsinfo.at.htm.txt (1.6 MB)

aahhh - didn't know I can do Wildcard Queries with % ... thx for that @rg305! :wink:

But I still don't find the reason why I get 429 Error - all those *.kunden.ortsinfo.at CERTs should NOT account against the Limit - as this Domain is listed on the PSL: https://publicsuffix.org/list/public_suffix_list.dat

PSL List Entry:

// Futureweb OG : http://www.futureweb.at
// Submitted by Andreas Schnederle-Wagner schnederle@futureweb.at
*.futurecms.at
futurehosting.at
futuremailing.at
*.ex.ortsinfo.at
*.kunden.ortsinfo.at
*.statics.cloud

Maybe @cpu can have a look at why this is happening.
Going over the list, it does seem that all the names are included in the PSL.
If you can, please give an example of a domain that produced the error 429 message.

ortsinfo.at itself throws the Error - our Main Domain … :-/

{"type":"urn:acme:error:rateLimited","detail":"Error creating new cert :: too many certificates already issued for: ortsinfo.at","status":429}

I see.
Yes, it seems the math is a bit off, which should be something like:
count all ( ortsinfo.at OR *.ortsinfo.at )
minus PSL listed ( *.ex.ortsinfo.at OR *.kunden.ortsinfo.at )

But seems to be including just:
count all ( ortsinfo.at OR *.ortsinfo.at )
which exceeds your allowed.


@futureweb, your issue may be related to this thread: [Solved] Rate limit increase didn't seem to take
Please try it again and let us know if it is still ongoing.

Even if you had genuinely exceeded the rate limit, you should still be able to get a renewal of an existing certificate. Have you tried requesting a certificate with the exact same set of domains as one of the recently expired ones for ortsinfo.at? For example as on https://crt.sh/?id=181889276 - ortsinfo.at, ortsinfo.at.kunden.ortsinfo.at, www.ortsinfo.at, www.ortsinfo.at.kunden.ortsinfo.at - that way you might at least get a cert to get you back up and running on HTTPS for now.


I’m guessing that public suffix subdomains are still being counted towards the registered domain’s rate limits. That is, all the certificates issued for kunden.ortsinfo.at are exempted from rate limits, but these certificates are still counted towards the rate limits for ortsinfo.at, which is not exempted.

There was a similar issue with the rate limits for the exact match of the public suffix domain:

@cpu or @jsha can confirm if this is what is really happening and if they intend to fix it or if you should request a rate limit exemption for ortsinfo.at to work around it.


Yep, that is correct. As someone pointed out above, you should be able to renew any existing certificates you have. You may also be interested to read about Improve renewal rate limiting · Issue #2800 · letsencrypt/boulder · GitHub, which should decrease the pain in this situation a bit.

If you're trying to issue for new domains under ortsinfo.at (but not under .kunden.ortsinfo.at) and finding that you can't, you may want to fill out the rate limit request form at the bottom of Rate Limits - Let's Encrypt.

BTW a small note since it's nonintuitive: wildcards have a special meaning in the public suffix list. *.kunden.ortsinfo.at in the list means that a.kunden.ortsinfo.at is a public suffix, and so is b.kunden.ortsinfo.at, and so on.

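The wildcard semantics and the two counts discussed in this thread, as an added example (not part of any post and not Boulder's code). The `at` rule and every certificate name set except the first are constructed for illustration; the first set is the one quoted from crt.sh above.

```python
# PSL rules: "at" is assumed here; the two wildcard rules come from the PSL entry in the thread.
RULES = {"at", "*.ex.ortsinfo.at", "*.kunden.ortsinfo.at"}

def public_suffix(name):
    """Longest matching PSL rule for name (exception rules are not handled)."""
    labels = name.lower().rstrip(".").split(".")
    best = labels[-1:]  # PSL default rule "*": the last label alone
    for i in range(len(labels)):
        cand = labels[i:]
        exact = ".".join(cand)
        wild = ".".join(["*"] + cand[1:])  # "*" stands in for exactly one label
        if (exact in RULES or wild in RULES) and len(cand) > len(best):
            best = cand
    return ".".join(best)

def registered_domain(name):
    """Public suffix plus one label, or None when name is itself a public suffix."""
    labels = name.lower().rstrip(".").split(".")
    n = len(public_suffix(name).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

def count_by_suffix_match(certs, base):
    """Count every certificate with a name equal to base or below it."""
    return sum(any(n == base or n.endswith("." + base) for n in names)
               for names in certs)

def count_by_registered_domain(certs, base):
    """Count only certificates with a name whose registered domain is base."""
    return sum(any(registered_domain(n) == base for n in names)
               for names in certs)

# Constructed sample of issued certificates (one list of names per certificate).
CERTS = [
    ["ortsinfo.at", "www.ortsinfo.at",
     "ortsinfo.at.kunden.ortsinfo.at", "www.ortsinfo.at.kunden.ortsinfo.at"],
    ["hotel-a.at.kunden.ortsinfo.at"],
    ["hotel-b.com.kunden.ortsinfo.at", "www.hotel-b.com.kunden.ortsinfo.at"],
    ["site.demo.ex.ortsinfo.at"],
    ["mail.ortsinfo.at"],
]

if __name__ == "__main__":
    for n in ("a.kunden.ortsinfo.at", "kunden.ortsinfo.at",
              "www.ortsinfo.at.kunden.ortsinfo.at"):
        print(n, "->", public_suffix(n), "/", registered_domain(n))
    print("suffix match:", count_by_suffix_match(CERTS, "ortsinfo.at"))
    print("registered domain:", count_by_registered_domain(CERTS, "ortsinfo.at"))
```

The suffix-match count corresponds to the behaviour confirmed in the thread, where certificates under the PSL-listed subdomains still count towards ortsinfo.at; the registered-domain count is the "minus PSL listed" figure expected earlier in the thread.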

@rg305 - thx for your effort in helping me on that! :wink:
@jmorahan - thx for the tip with renewing the exact same/existing Cert - did the Trick to get the Cert up & running again! :smile:
@Patches - that’s the problem! :frowning:

@jsha - thx for confirming - as we need to issue some NEW Certs under ortsinfo.at I filled the “rate limit request form” as advised - hope it gets processed quick :slight_smile:

Thank you all for the help, bye from sunny Tirol, Austria
Andreas


@jsha - any chance to speed up the “rate limit request” a little bit? Because of the “PSL Subdomains count against non PSL Parent Domain” I can’t issue some new Certs we really would need … :frowning:

thx

I’ve bumped your request.
