any chance to find out why I’m getting Error 429 - too many certificates already issued for: ortsinfo.at?
Last Cert for this Domain was issued on 31.07.2017 (https://crt.sh/?q=ortsinfo.at)
Guess it’s because of some Subdomains - but not sure?
And I would need the Cert for this Domain rather fast … as current one is expired …
aahhh - didn't know I can do Wildcard Queries with % ... thx for that @rg305!
But I still don't find the reason why I get 429 Error - all those *.kunden.ortsinfo.at CERTs should NOT account against the Limit - as this Domain is listen on the PSL: https://publicsuffix.org/list/public_suffix_list.dat
PSL List Entry:
// Futureweb OG : http://www.futureweb.at
// Submitted by Andreas Schnederle-Wagner schnederle@futureweb.at
*.futurecms.at
futurehosting.at
futuremailing.at
*.ex.ortsinfo.at
*.kunden.ortsinfo.at
*.statics.cloud
Maybe @cpu can have a look at why this is happening.
Going over the list, it does seem that all the names are included in the PSL.
If you can, please give an example of a domain that produced the error 429 message.
I see.
Yes, it seems the math is a bit off, which should be something like:
count all ( ortsinfo.at OR *.ortsinfo.at )
minus PSL listed ( *.ex.ortsinfo.at OR *.kunden.ortsinfo.at )
But seems to be including just:
count all ( ortsinfo.at OR *.ortsinfo.at )
which exceeds your allowed.
Even if you had genuinely exceeded the rate limit, you should still be able to get a renewal of an existing certificate. Have you tried requesting a certificate with the exact same set of domains as one of the recently expired ones for ortsinfo.at? For example as on https://crt.sh/?id=181889276 - ortsinfo.at, ortsinfo.at.kunden.ortsinfo.at, www.ortsinfo.at, www.ortsinfo.at.kunden.ortsinfo.at - that way you might at least get a cert to get you back up and running on HTTPS for now.
I’m guessing that public suffix subdomains are still being counted towards the registered domain’s rate limits. That is, all the certificates issued for kunden.ortsinfo.at are exempted from rate limits, but these certificates are still counted towards the rate limits for ortsinfo.at, which is not exempted.
There was a similar issue with the rate limits for the exact match of the public suffix domain:
@cpu or @jsha can confirm if this is what is really happening and if they intend to fix it or if you should request a rate limit exemption for ortsinfo.at to work around it.
If you're trying to issue for new domains under ortsinfo.at (but not under .kunden.ortsinfo.at) and finding that you can't, you may want to fill out the rate limit request form at the bottom of Rate Limits - Let's Encrypt.
BTW a small note since it's nonintuitive: wildcards have a special meaning in the public suffix list. *.kunden.ortsinfo.at in the list means that a.kunden.ortstinfo.at is a public suffix, and so is b.kunden.ortstinfo.at, and so on.
@rg305 - thx for your effort in helping me on that! @jmorahan - thx for the Tipp with renewing the exact same/existing Cert - did the Trick to get the Cert up & running again! @Patches - that’s the problem!
@jsha - thx for confirming - as we need to issue some NEW Certs under ortsinfo.at I filled the “rate limit request form” as advised - hope it gets processed quick
Thank you all for the help, bye from sunny Tirol, Austria
Andreas
@jsha - any chance to speed up the “rate limit request” a little bit? Because of the “PSL Subdomains count against non PSL Parent Domain” I can’t issue some new Certs we really would need …