Hitting Rate Limit for main domain, but not subdomain


#1

Hello, I am hitting the rate limit for one of my domains (kirim.email), but not the subdomain (*.kirim.email). Checking crt.sh, it seems the subdomain *.kirim.email was not considered part of kirim.email. Last week I generated around 14 subdomain certificates for *.kirim.email, which are not tracked as part of the same identity (kirim.email). Does anybody know if there is any policy regarding the .email TLD? Also, why can’t I issue the certificate for the main domain? Is it because I still have one from COMODO?


#2

Which rate limit are you hitting? What command did you run? What did it output?

Unless maybe the domain owner has previously requested a rate limit exemption from Let’s Encrypt, they’re definitely considered the same domain.

No, certificates from different CAs don’t directly interfere with each other.

Even if validation is failing due to a web server configuration issue, it’s not really because the existing certificate is from one CA or another.

Edit:

20 certificates for that domain have been issued in the last week.

https://crt.sh/?Identity=%kirim.email&iCAID=16418

While you can renew existing certificates, getting new certificates with different groups of names will be a problem.


#3

According to your provided link (thanks, I just realized I could check it like that), last week (period 5-11 Feb 2018) I issued 13 subdomains (excluding renewals and duplicates). In the current week's period, 12-18, there is only one new one (mapp.kirim.email; including the duplicate source.kirim.email there are two), yet I hit the issue for the main domain.

This is the log when using the traefik ACME client.

time="2018-02-13T10:50:07Z" level=error msg="Error getting ACME certificates [kirim.email] : cannot obtain certificates map[kirim.email:acme: Error 429 - urn:acme:error:rateLimited - Error creating new cert :: too many certificates already issued for: kirim.email: see https://letsencrypt.org/docs/rate-limits/]" 

Using certbot certonly --manual

An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for: kirim.email: see https://letsencrypt.org/docs/rate-limits/

#4

To make sure you can always renew your certificates when you need to, we have a Renewal Exemption to the Certificates per Registered Domain limit. Even if you’ve hit the limit for the week, you can still issue new certificates that count as renewals. An issuance request counts as a renewal if it contains the exact same set of hostnames as a previously issued certificate. This is the same definition used for the Duplicate Certificate limit described above. Renewals are still subject to the Duplicate Certificate limit. Also note: the order of renewals and new issuances matters. To get the maximum possible number of certificates, you must perform all new issuances before renewals during a given time window.

All certificates count against the rate limit. Issuing 20 certificates won’t stop you from issuing more renewals, but it will stop you from issuing new certificates.


#5

I know, but how does Let’s Encrypt consider a week?
Assuming a period (starting on Monday) of 5-11 Feb 2018, then 12-18 Feb 2018 is a new period, so according to the record in

https://crt.sh/?Identity=%25kirim.email&iCAID=16418

Then I should be fine today (13 Feb 2018) when issuing new certificates. Even if I assume the period starts on Sunday (4-10 Feb 2018, then 11-17 Feb 2018), it should still be fine because it’s already a new period and I haven’t issued more than 20.


#6

It’s always a rolling period of time.

“Right now” to “604,800 seconds ago”, if you want to put it that way.

(Edit: No one wants to put it that way. I’m weird.)


#7

Okay, let’s try it again next week and I’ll see if it still hits the rate limit or not.

I hope not.


#8

About half of the certificates were issued February 7, so you’ll be able to create that many certificates on the 14th.


#9

I often tell people “168 hours ago”.
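
The rolling window and the renewal exemption discussed in this thread, as an added example that is not part of any post and is not Let's Encrypt's own code. The hostnames and timestamps in `sample_history` are constructed, and treating an issuance exactly 604,800 seconds old as outside the window is an assumption.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 20                           # certificates per registered domain, the figure used in the thread
WINDOW = timedelta(seconds=604_800)  # rolling window: "right now" back to 604,800 seconds ago
UTC = timezone.utc

def in_window(history, now):
    """Timestamps of issuances inside the rolling window (now - WINDOW, now]."""
    return sorted(t for t, _ in history if now - WINDOW < t <= now)

def calendar_week_count(history, now):
    """The mistaken model: count only issuances since Monday 00:00 of this week."""
    monday = (now - timedelta(days=now.weekday())).replace(hour=0, minute=0, second=0, microsecond=0)
    return sum(1 for t, _ in history if monday <= t <= now)

def can_issue(names, history, now):
    """Return (allowed, retry_at); retry_at is None when issuance is allowed."""
    if any(frozenset(names) == prev for _, prev in history):
        return True, None  # renewal: exact same hostname set (Duplicate Certificate limit not modelled)
    recent = in_window(history, now)
    if len(recent) < LIMIT:
        return True, None
    # Enough of the oldest issuances must age out to leave LIMIT - 1 in the window.
    return False, recent[len(recent) - LIMIT] + WINDOW

def sample_history():
    """Constructed data: 10 certificates on 7 Feb 2018, then 2 per day on 8-12 Feb."""
    hist = [(datetime(2018, 2, 7, 10, 0, tzinfo=UTC), frozenset({f"host{i:02d}.kirim.email"}))
            for i in range(10)]
    for day in range(8, 13):
        for j in range(2):
            hist.append((datetime(2018, 2, day, 9 + j, 0, tzinfo=UTC),
                         frozenset({f"d{day}n{j}.kirim.email"})))
    return hist

if __name__ == "__main__":
    now = datetime(2018, 2, 13, 10, 50, 7, tzinfo=UTC)  # timestamp of the traefik log line
    hist = sample_history()
    print("since Monday:", calendar_week_count(hist, now), "| rolling 7 days:", len(in_window(hist, now)))
    print("new name set:", can_issue({"kirim.email"}, hist, now))
    print("renewal     :", can_issue({"host00.kirim.email"}, hist, now))
```

With this constructed history, the calendar-week count is 2 while the rolling count is 20, so a new name set is refused until the 7 February issuances age out, and a request with a previously issued hostname set still goes through.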