Help with too many certificates problem with dynu.com

Hi,
I’ve been trying to get a certificate for my domains (they ends in .dynu.com) and when I am not using the stagging server I get the error that says:
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates
already issued for: dynu.com
Now, I know there are the certificate limits and I decided to wait for another day to try to get the certificates and the result is the same.
At the time I write this messages, crt.sh shows only 2 new certificates were issued for domains ending in ‘.dynu.com’:

crt.sh ID	 Logged At  ⇧	Not Before	Identity	Issuer Name
241396988	2017-10-26	2017-10-26	calguy1000.dynu.com	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
240873961	2017-10-26	2017-10-26	gmcdaniel.dynu.com	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
240384511	2017-10-25	2017-10-25	calguy1000.dynu.com	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
240401930	2017-10-25	2017-10-25	rumdirekt.dynu.com	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
239865528	2017-10-25	2017-10-25	pedronma.dynu.com	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
239865528	2017-10-25	2017-10-25	smtp.pedronma.dynu.com	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
239705151	2017-10-25	2017-10-24	moridin.dynu.com	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3

I thought the limit was 5 per domain per day. I even tried right after midnight last might (actually at midnight in each time zone in the US) and it did not work, but I see others certificates with the same domain issued today…

All my subdomains end in freebird.dynu.com, and if I search for the certificate (at the time of this writing), crt.sh shows:

Criteria	Identity LIKE '%freebird.dynu.com'

Certificates	None found

Can anyone tell me why I am having trouble with this?

Thanks!

Unless dynu.com is on the Public Suffix List (it’s not, but dynu.net is), the query you need to be running to see certificates hitting this limit is: https://crt.sh/?q=%.dynu.com.

There are two similar limits; one is certificates to identical sets of names, and the other is certificates for the same base domain name. You’re hitting the latter, which is certificates issued for dynu.co and is 20 per 7 days. Bear in mind that renewals count against this limit, but are not restricted by it, so anyone who already has a certificate can renew it without issue, even past these rate limits, but that can prevent you from issuing a new certificate.

Also moved this to help, a more relevant category.

1 Like

This seems to be the “answer” to this problem, if it applies.
Who can make such a review request?

The owner of Dynu.com would need to do so. It seems strange to me that they’ve put other domains on, but not their main one.

Well they do own a ton of domains, maybe he could just move to another more publicly listed one.

Thanks for the answers… Now I see why I was having such a hard time with it. I will contact dynu.com and suggest they request to be added to the list.

Maybe it would cause issues for their control panel or something?

If so, they could instead request Let’s Encrypt’s adjust the rate limits for the domain.

For anyone else having this issue, I will post the answer I got today from dynu.com:

Dear Marcelo,

Thank you for choosing Dynu!

Thank you for pointing this out. dynu.com is excluded for security reasons.

We are continually working on making our services better and your feedback is very important to us. If you have any questions, comments or suggestions, please contact us at:

Support: https://www.dynu.com/Support
Facebook: https://www.facebook.com/DynuSystems 
Twitter: https://www.twitter.com/DynuSystems
Google: https://plus.google.com/+DynuSystems

Best Regards,

Customer Service
Dynu Systems, Inc.
Website: http://www.dynu.com
Email: service@dynu.com

If dynu.com is a public dynamic DNS service, it would probably be better for security to list it in the PSL, rather than worse! However, I’m not sure how to persuade the operators of that.

Agreed! I don’t know why they decided it was a security concern. If that was the case they should have prevented users to use their main domain and force them to use the alternative ones…
Anyway, I’ve been using dynu.com for quite a while now. I guess I will have to wait until the beginning of the week for the week limit to expire and try again to get my certificates. My only question is, when does the new week start exactly? Sunday or Monday? I guess it will be Pacific Standard Time…

It’s actually a rolling 7-day (168-hour) limit. A nice tool to calculate the current rate limit more precisely based on public data is

Then you can make your request right at the beginning of the new rate limit window. (Of course, I wish there were some way to persuade the domain operator to list on the PSL instead.)

DYNU is currently offering free dynamic DNS services under 17 different domains:
domains
If you are not married to your DYNU.COM FQDN, then you could just switch to any of those domains (that are already on the PSL).

Or keep the http://yourname.DYNU.com vhost (without SSL) and simple forward that to a new https://yourname.<pick one of the 17 domains> site with SSL.

Thanks for all the help! I would have been driving myself crazy without all the information you all gave me!
I finally used lectl to discover I had to wait until a while ago to overcome the week limit, so I did. I requested the certificate and I finally could obtain it, so all is good!
Thanks everyone again!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.