How to check state of rate limits


#1

Is there some API or some way to check the state of my rate limits?

In other words: I would like to force renew a certificate, but before doing so, would like to check if it might be denied due to one of the limits.


#2

There isn’t an API as far as I’m aware.

You could try lectl, which is a bash script that looks at the public records for a given domain.

On the other hand, if you force the renew, it will either work (in which case you will know you were within the rate limits) or it will fail, and tell you it was because of the rate limits, in which case you will know :wink:


#3

The fact you “need” to check if you’re hitting the rate limits or not is, to me at least, a sign your process isn’t very well thought through.

If you want to test something, you should use the staging server by using the --staging switch.


#4

Yes. Obviously. (I did use the test server too)


#5

lectl seems perfect, if what it reports is accurate.

It says “You have issued 8 certificates in last 7 days so you could issue 12 more certificates now.”.

So apparently, the limit is 20? I thought it was 5.

Thanks


#6

It depends which rate limit :wink:

There is a rate limit of 5 per week for “identical” certificates (i.e. exactly the same domain names)

The limit of 20 per week is for a domain (so one cert may have domain.com and sub1.domain.com, a second cert be sub2.domain.com etc )


#7

That is what I’m not sure I understand.

Would these 2 be counted as identical, and limited to 5 per week? They list the same domains/hosts, but with a different CN/SAN layout.

CN=first.tld SANs=other.tld, mail.first.tld, ftp.other.tld
CN=other.tld SANs=first.tld, mail.first.tld, ftp.other.tld

But what about this third one, which adds one more host?

CN=first.tld SANs=other.tld, mail.first.tld, ftp.other.tld, imap.first.tld

Would that change make it a brand new certificate, making it the 1st, allowing for 4 renewals in the week?

Or did I misunderstand, and it would be the 3rd one because it includes all of the 2 previous ones, or the 2nd because it’s the CN that counts?


#8

In the first case, identical domains ( but with a different order ) … are a duplicate in terms of domains included - so would be subject to the 5 per week limit.

The second case (adding an additional domain) is not a duplicate, therefore not subject to the 5/week limit. Each domain though (first.tld, other.tld and firts.tld) would have +1 added to their count towards the 20/week limit.

The description of rate limits is at https://letsencrypt.org/docs/rate-limits/
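
The two counting rules discussed in posts #6 to #8, as an added example that is not part of the original thread and is not lectl's code. The limits of 5 and 20 per week are the figures quoted in the thread; the issuance history is constructed, and `registered_domain` is a hypothetical helper that assumes the registered domain is the last two labels (real tooling should use the Public Suffix List).

```python
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5   # "identical" certificates per week (figure from the thread)
DOMAIN_LIMIT = 20     # certificates per domain per week (figure from the thread)
WINDOW = timedelta(days=7)

def name_set(cn, sans):
    """Identity used for the duplicate limit: the set of names,
    ignoring order and which name happens to be the CN."""
    return frozenset(n.lower().rstrip(".") for n in [cn, *sans])

def registered_domain(host):
    # Assumption: last two labels only; use the Public Suffix List in practice.
    return ".".join(host.split(".")[-2:])

def check(history, cn, sans, now):
    """history: list of (issued_at, cn, sans) tuples.
    Returns the counts inside the window and whether one more issuance fits."""
    wanted = name_set(cn, sans)
    recent = [name_set(c, s) for t, c, s in history if now - t < WINDOW]
    duplicates = sum(1 for names in recent if names == wanted)
    per_domain = {}
    for dom in {registered_domain(n) for n in wanted}:
        # A certificate counts once per domain, however many hosts it lists.
        per_domain[dom] = sum(
            1 for names in recent
            if any(registered_domain(n) == dom for n in names))
    ok = (duplicates < DUPLICATE_LIMIT
          and all(count < DOMAIN_LIMIT for count in per_domain.values()))
    return {"duplicates": duplicates, "per_domain": per_domain, "ok": ok}

# Constructed history using the names from post #7.
BASE = ["other.tld", "mail.first.tld", "ftp.other.tld"]
NOW = datetime(2024, 1, 10)
HISTORY = [
    (NOW - timedelta(days=1), "first.tld", BASE),
    (NOW - timedelta(days=2), "other.tld",
     ["first.tld", "mail.first.tld", "ftp.other.tld"]),  # same names, CN swapped
    (NOW - timedelta(days=9), "first.tld", BASE),        # outside the 7-day window
]

if __name__ == "__main__":
    print(check(HISTORY, "first.tld", BASE, NOW))                       # duplicate set
    print(check(HISTORY, "first.tld", BASE + ["imap.first.tld"], NOW))  # new set
```

Running it shows the swapped-CN certificate counting as a duplicate of the first, while the set with `imap.first.tld` starts its duplicate count at zero but still adds to the per-domain totals.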


#9

OK. I had read the rate-limits page, but still didn’t quite understand it. It’s much clearer now.
Thanks a lot!

