How to check state of rate limits

Is there some API or some way to check the state of my rate limits?

In other words: I would like to force renew a certificate, but before doing so, would like to check if it might be denied due to one of the limits.

There isn’t an API as far as I’m aware.

You could try lectl, which is a bash script that looks at the public records for a given domain.

On the other hand, if you force the renew, it will either work (in which case you will know you were within the rate limits) or it will fail, and tell you it was because of the rate limits, in which case you will know :wink:


The fact you “need” to check if you’re hitting the rate limits or not is, to me at least, a sign your process isn’t very well thought through.

If you want to test something, you should use the staging server by using the --staging switch.

Yes. Obviously. (I did use the test server too)

lectl seems perfect, if what it reports is accurate.

It says “You have issued 8 certificates in last 7 days so you could issue 12 more certificates now.”.

So apparently, the limit is 20? I thought it was 5.

Thanks

It depends which rate limit :wink:

There is a rate limit of 5 per week for “identical” certificates (i.e. exactly the same domain names).

The limit of 20 per week is for a domain (so one cert may have domain.com and sub1.domain.com, a second cert be sub2.domain.com, etc.).


That is what I’m not sure I understand.

Would these 2 be counted as identical, and limited to 5 per week? They list the same domains/hosts, but with a different CN/SAN layout.

CN=first.tld SANs=other.tld, mail.first.tld, ftp.other.tld
CN=other.tld SANs=first.tld, mail.first.tld, ftp.other.tld

But what about this third one, which adds one more host?

CN=first.tld SANs=other.tld, mail.first.tld, ftp.other.tld, imap.first.tld

Would that change make it a brand new certificate, making it the 1st, allowing for 4 renewals in the week?

Or did I misunderstand, and it would be the 3rd one because it includes all of the 2 previous ones, or the 2nd because it’s the CN that counts?

In the first case, identical domains (but with a different order) … are a duplicate in terms of domains included - so would be subject to the 5 per week limit.

The second case (adding an additional domain) is not a duplicate, therefore not subject to the 5/week limit. Each domain though (first.tld, other.tld and firts.tld) would have +1 added to their count towards the 20 / week limit.

The description of rate limits is at https://letsencrypt.org/docs/rate-limits/

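The counting rule described in the reply above, as an added example that is not part of the original thread and is not lectl's code: names are compared as an unordered set, so CN/SAN layout does not matter. The sliding 7-day window, the "last two labels" registered-domain shortcut, the function names and the issuance history are assumptions made for the example; the limits of 5 and 20 are the figures quoted in the thread.

```python
from collections import Counter
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5    # per week, "identical" name sets (figure from the thread)
DOMAIN_LIMIT = 20      # per week, per domain (figure from the thread)
WINDOW = timedelta(days=7)  # assumption: sliding window


def name_set(cn, sans):
    """CN and SANs collapse into one case-insensitive, order-free set."""
    return frozenset(n.lower().rstrip(".") for n in [cn, *sans])


def registered_domain(host):
    # Assumption: last two labels. A real check needs the Public Suffix List.
    return ".".join(host.split(".")[-2:])


def remaining(history, cn, sans, now):
    """history: list of (issued_at, cn, sans). Returns headroom before issuing."""
    wanted = name_set(cn, sans)
    recent = [name_set(c, s) for t, c, s in history if now - t < WINDOW]
    duplicates = sum(1 for names in recent if names == wanted)
    per_domain = Counter()
    for names in recent:
        # Each certificate counts once per registered domain it covers.
        for dom in {registered_domain(n) for n in names}:
            per_domain[dom] += 1
    domains = {registered_domain(n) for n in wanted}
    return {
        "duplicate": DUPLICATE_LIMIT - duplicates,
        "domains": {d: DOMAIN_LIMIT - per_domain[d] for d in sorted(domains)},
    }


# Constructed issuance history using the three layouts from the thread.
NOW = datetime(2024, 1, 10)
BASE = ["other.tld", "mail.first.tld", "ftp.other.tld"]
HISTORY = [
    (datetime(2024, 1, 8), "first.tld", BASE),
    (datetime(2024, 1, 9), "other.tld", ["first.tld", "mail.first.tld", "ftp.other.tld"]),
    (datetime(2024, 1, 9), "first.tld", BASE + ["imap.first.tld"]),
    (datetime(2023, 12, 1), "first.tld", BASE),  # outside the window, ignored
]

if __name__ == "__main__":
    print(remaining(HISTORY, "other.tld", ["first.tld", "mail.first.tld", "ftp.other.tld"], NOW))
```
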

OK. I had read the rate-limits page, but still didn’t quite understand it. It’s much clearer now.
Thanks a lot!
