I'd just like to ask a couple of questions w.r.t. LE and possible Blacklisting pls?
As far as I understand, LE only permits 5 request attempts per Hr.
My question(s) is/are:
Given a number of attempts to obtain/create a cert, is there a point at which LE basically blacklists either the domain / sub-domain / email addr. attempting it? I mean, if in trying to set up you keep getting an error msg, at what point, if any, does LE block?
If so, for how long pls?
Multiple domain cert. requests can be made from/for the same IP, provided you use different emails, right? Not sure (https://letsencrypt.org/docs/rate-limits/) is entirely clear on it?
We do sometimes block access when we've seen an extremely high (abusive) rate of retries - but this is very, very rare. It takes many retries per second to get our attention.
These blocks always have a specific error message that includes an e-mail address to contact us. These blocks are long-term (usually at least a year) but we're happy to remove them once we're contacted.
All of the automated rate limits will expire as documented, and we don't change those outside of the rate limit adjustment process.
Almost all our manual blocks are by IP, not by domain, and we haven't added any recently - so if you're having trouble, it is probably one of the automated rate limits.
Almost all IP blocks are automated rate limits. Manual ones don't stay in place for a set period; we will sometimes clean them up but we have no set procedure for that, so it's not guaranteed. That's one reason why there's an e-mail address included in those error messages.
It's very unlikely that a Synology device is encountering one of our manual blocks. All but a very few of them are related to specific (non-Synology) client misbehavior.
The Synology documentation is indeed 'shite'. I've managed to get the cmdline cmd out of them, but even the cmd itself isn't helpful.
I know that using their cmd will be subject to whatever the internal coding of their func., but can I ask: what format does the LE API call to instantiate a new cert expect for the SANs?
This might help me work out how Synology implement it in their syno-letsencrypt func. I tried adding each SAN under its own '-d' switch, but the cmd then only focussed on the last sub-dom written on the cmdline.
Is there likely to be any issue with an old account? I've been trying to get this bloody thing working over a period of a few months.
And yet, the same device does already retrieve and renew an LE cert for 'ouboco.barracu.com'.
Just stuffed if I can figure out why I can't get it to work for my main domain (not barracu.com).
As far as I know, the e-mail you've used to register an account doesn't matter. It's the account itself. Thus you should be able to generate multiple accounts with the same e-mail address and those accounts on their own would have account-related rate limits applied to them, if applicable.
Probably not; the longest rate limit is for a week and is not account related, but domain related.
We'd need more info about that, but as this is a "general blacklisting questions" thread, perhaps you should open a new thread and fill in the questionnaire from the Help section as best as possible.