Hi, we are faced with an issue on our production, we have a number of subdomains configured with letsencrypt and going to move them to wildcard but getting an error about rate limits, could you please increase limit temporary or just disable it until we generate wildcard for that domain. Thanks for the help!
It produced this output: An unexpected error occurred:
There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for: visitnow.org: see https://letsencrypt.org/docs/rate-limits/
My web server is (include version): nginx version: nginx/1.10.3 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 16.06
My hosting provider, if applicable, is: godaddy
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
Let’s Encrypt doesn’t lift the rate limits for individual cases. The only way to continue is to:
wait the appropriate amount of time (see the docs for how long)
request an exemption with the rate limit exemption form (link can be found in the rate limit docs, but it takes a lot of time for such a request to be processed)
ask the domain to be included on the Public Suffix List (but they are increasingly strict, so your use case really needs to conform to their idea of the purpose behind the Public Suffix List).
“If you’ve hit a rate limit, we don’t have a way to temporarily reset it. You’ll need to wait until the rate limit expires after a week. We use a sliding window, so if you issued 10 certificates on Monday and 10 more certificates on Friday, you’ll be able to issue again starting Monday. You can get a list of certificates issued for your registered domain by searching on crt.sh, which uses the public Certificate Transparency logs.”
Basically, you should only be waiting a week. Have you also looked into the renewal exemption?
“To make sure you can always renew your certificates when you need to, we have a Renewal Exemption to the Certificates per Registered Domain limit. Even if you’ve hit the limit for the week, you can still issue new certificates that count as renewals. An issuance request counts as a renewal if it contains the exact same set of hostnames as a previously issued certificate. This is the same definition used for the Duplicate Certificate limit described above. Renewals are still subject to the Duplicate Certificate limit. Also note: the order of renewals and new issuances matters. To get the maximum possible number of certificates, you must perform all new issuances before renewals during a given time window.”
Lastly, if you are hitting this regularly and do need a certificates per registered domain rate limit adjustment, please fill out the form in this doc: https://letsencrypt.org/docs/rate-limits/
We typically do rate limit adjustments once a week.
Y'all issuing certificates -- renewing them -- frequently. To create different certificates, you'll have to time it carefully, or defer renewing other certificates for a while.
You can also pursue getting a rate limit exemption from Let's Encrypt, as discussed above.
According to Let's Debug's math, you can issue a new certificate about 9 hours from now.
You've recently issued certificates for both visitnow.org and *.visitnow.org. While you can't get one certificate including both names right now, you can use the single name certificates you have now, or issue more of them (taking advantage of the renewal exemption to the rate limits). (Of course, that would further delay being able to create different certificates.)