Help understanding rate limits - currently blocked


#1

We had a server that was having trouble associating the correct SSL to Apache. We thought it was a Let’s Encrypt issue. We switched the site to a different server to quickly get it working, but then we found we had been limited. What do I need to do? The domain name is missionarygiftbox.com
Thanks!


#2

Hi @topedge,

I’m going to move your question to the help section.

Can you share the error you’re receiving? There isn’t enough information available right now to help you.

Could you fill out these questions?

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Thanks!


#3

Hi @topedge

there are 6 certificates created 2018-07-23:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:missionarygiftbox.com&lu=cert_search

There is a limit of 5 identical certificates in 7 days. Normally, you should create only one certificate, use it, and then create the next certificate 60 - 80 days later.


#4

Yes, like I said. There was an issue with the server and it wouldn’t associate the cert to the site correctly. So we issued it multiple times. Eventually we moved the site to a different server and then ran into the rate limit.
To answer these:
I ran this command: Let’s encrypt from VirtualMin GUI

It produced this output: Error signing certificate: 429 Error creating new cert :: too many certificates already issued for exact set of domains: missionarygiftbox.com,www.missionarygiftbox.com: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version): Webmin 1.890

The operating system my web server runs on is (include version): CentOS Linux 7.4.1708

My hosting provider, if applicable, is: My own

I can login to a root shell on my machine (yes or no, or I don’t know): Yes


#5

Usually it’s best to keep that perfectly usable certificate to fix the issue, or use staging until you work out the kinks.

You’ll need to either wait out the rate limit (seven days after the first issuance) or add another name to the certificate so it’s no longer identical, such as test.missionarygiftbox.com. Note that there is also the overarching limit of 20 certificates per registered domain per week (the registered domain being missionarygiftbox.com in this case), so you should be careful not to hit this, as that’s a hard limit.


#6

Hi @cpu are you able to reset the limit?
Thanks,

Stan


#7

Please see the rate limit documentation - specifically the following. Note that the counts displayed are referencing the “certificates per registered domain” limit of 20/week. The only ways for you to issue a certificate are to wait out the rate limit, or add another name to the certificate, since you’ve hit the “duplicate certificate” limit.

If you’ve hit a rate limit, we don’t have a way to temporarily reset it. You’ll need to wait until the rate limit expires after a week. We use a sliding window, so if you issued 10 certificates on Monday and 10 more certificates on Friday, you’ll be able to issue again starting Monday. You can get a list of certificates issued for your registered domain by searching on crt.sh, which uses the public Certificate Transparency logs.

Revoking certificates does not reset rate limits, because the resources involved in issuing the certificates have already been used.
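The sliding-window arithmetic described in replies #5 and #7, as an added example that is not part of any post in this thread: it computes when the next issuance becomes possible and shows that adding a name sidesteps the duplicate limit. The limits are the figures quoted in the thread; the function names, the log format and the issuance times are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Limits as quoted in this thread; check the current documentation before relying on them.
WINDOW = timedelta(days=7)
DUPLICATE_LIMIT = 5   # identical certificates (exact same set of names)
DOMAIN_LIMIT = 20     # certificates per registered domain

def name_set(names):
    """Normalise names so that order, case and a trailing dot do not matter."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)

def next_allowed(issued_at, limit, now):
    """Earliest time one more issuance fits under `limit` in the sliding window."""
    recent = sorted(t for t in issued_at if now - t < WINDOW)
    if len(recent) < limit:
        return now
    # Enough of the oldest entries must age out to leave limit - 1 in the window.
    return recent[len(recent) - limit] + WINDOW

def earliest_issuance(log, requested, now):
    """log: (issued_at, names) pairs, all assumed to be under one registered domain."""
    want = name_set(requested)
    duplicates = [t for t, names in log if name_set(names) == want]
    everything = [t for t, _ in log]
    return max(next_allowed(duplicates, DUPLICATE_LIMIT, now),
               next_allowed(everything, DOMAIN_LIMIT, now))

# Constructed sample: five identical issuances on 2018-07-23 (times are made up).
NAMES = ["missionarygiftbox.com", "www.missionarygiftbox.com"]
SAMPLE_LOG = [(datetime(2018, 7, 23, 9 + i, 0), NAMES) for i in range(5)]

if __name__ == "__main__":
    now = datetime(2018, 7, 24, 12, 0)
    print("same names:", earliest_issuance(SAMPLE_LOG, NAMES, now))
    print("extra name:", earliest_issuance(
        SAMPLE_LOG, NAMES + ["test.missionarygiftbox.com"], now))
```

In practice the issuance times would come from a Certificate Transparency search such as the crt.sh lookup mentioned above.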


#8

Hi @topedge,

As others have pointed out there isn’t a way to temporarily reset this limit.


#9

Yes. But isn’t the private key / the complete certificate saved somewhere? You used a letsencrypt-client, so first there is a certificate order, then a challenge, then the certificate download (+ Certificate Transparency entry), then the installation.

If the installation crashes, the certificate should be saved before.


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.