My domain is: nexit.sk
I ran this command: sudo docker run -it --rm -p 443:443 -p 80:80 --name certbot
quay.io/letsencrypt/letsencrypt:latest certonly --standalone --preferred-challenges tls-sni-01
It produced this output: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: nexit.sk
Some strange issue happened with certbot and it generated certificate but it always shown same expiry date, so I tried it few times without luck. Now I removed all “bad” certificates and wanted to have clean start. But looks like I already got “too many certificates” error.
Would it be possible if someone unlock my domain please, so that I would be able to generate certificate ?
ps. best would be to have some system/process when user would be able to manually unlock this limit - eg. some process on website with reason etc. I suppose this might happen to everybody, and now possibly I would not be able to use my site for whole week - if that’s rate limit to unlock it again.
Thanks for help.
No. As it is stated at Rate Limits - Let's Encrypt, "If you’ve hit a rate limit, we don’t have a way to temporarily reset it. You’ll need to wait until the rate limit expires after a week.".
However, if you insert an additional domain name in your certificate, such request would be considered a new set of domains and won't be subject to 5 duplicate certificates per week limit.
Rate limits are there to prevent (intentional or unintentional) abuse of service. Every certificate issued consumes hardware security modules signing capacity (for example, HSMs have to sign OCSP responses for all valid Let's Encrypt certificates every few days - signing each response takes some time). If you are not sure whether or not your configuration is correct, you should use staging environment instead of production one. Trying the same command over and over again is almost never a proper solution.
I totally agree, but just wanted to say that this is something what might happen even to people who do not want to abuse the service in any way.
Just thinking loud…
Wouldn’t be better to use more user friendly approach like - when user generate 2 certificates within 1 hour, then disable next certificate generation with reason that you have reached hourly limit (with warning to get weekly ban if you continue this behavior). After an hour you would be able to generate certificate again, but after you generate next 2 certificates in hour you will get this message again. But when you generate 5th certificate again, you will be banned permanently = weekly ban.
This approach might be more friendly to developers configuring their machines, and to someone who might unintentionally lock domain for whole week - instead lock will be just for 1 hour (with warning that you will be locked for week if you generate more certs).
What do you think about that?
PS. I really like Let’s encrypt, even already donated to this project but I think that weekly ban is quite scary, for some business this might really big issue to deal with. So I think, letsencrypt should try to prevent lock when it’s possible - eg. with faster, but more short term locking mechanism.
That would be a big addition to the ACME spec - there’s no “rate limit warning” built in. It also gets away form the goal of automation in exchange for user-initiated tasks. I think this had been considered, but the decision was made that the trade-off for improving the goals of the ACME protocol outweighed the negative aspects of allowing users to shoot themselves in the foot, so to speak.
On top of that, it’s not really a week-long ban either. It’s still possible to issue certificates, just change the list of domains they’re being issued for (up to the 20/domain/week limit). You could, right now, add a new subdomain, say the www-prefixed version, to the certificate and issue again immediately.
I definitely get where you’re coming from, but I would personally argue that it’s a minor pain point. It seems to me that, if you were to issue five certificates successfully in a seven day period, having access to exactly zero of them is not that common of an occurrence.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.