IP ratelimit and privatekey problem in beta

Hey,

I have two problems.

First:

I successfully issued a certificate, but the ACME client used the wrong private key :confused: What have I done wrong here?

2015-10-22 19:35:57,830:DEBUG:letsencrypt.cli:Arguments: ['--agree-dev-preview', '--key-path', '/tmp/DOMAIN1.key', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--agree-tos', '-d', 'DOMAIN1.de', '-d', 'www.DOMAIN1.de', '-d', 'DOMAIN2', '-d', 'www.DOMAIN2', 'auth'] 

But the private key is different; it should be

/tmp# openssl rsa -in DOMAIN1.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
writing RSA key
OScZJ5fDgNuqNqo+xHrDKxVJokWioxTiDFT5gstFios=

The private key the client saved in the live folder is a different key:

/etc/letsencrypt/live/DOMAIN1# openssl rsa -in privkey.pem -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
writing RSA key
fUKt6ELVayGZqyZnI6EZFVL+WfImEwW1v++HJdrRZk4=

I use HPKP, and with this my site won't work. And why do I have to whitelist every subdomain? I tried git. and cdn. and got the error that the domain isn't whitelisted :frowning:

Second:

I tried the staging site to test the client and couldn't get it to verify the challenges, but my IP did not get blocked. But on the live API my IP and the whole /29 inetnum are blocked.

The Account id is 80d0aabb72ed307595e8a00b3f93a266

Best Regards
Knight

Hi Knight,
I think you might have surpassed the rate limit. Possibly when using:
'DOMAIN1.de', '-d', 'www.DOMAIN1.de', '-d', 'DOMAIN2', '-d', 'www.DOMAIN2'

Here you are requesting 4 certs. At the moment only 2/week can be generated if I understand how things are now. It may take a week before you can try again?

–…Archer

I don’t think that’s how it works, with:

-d DOMAIN1.de -d www.DOMAIN1.de -d DOMAIN2 -d www.DOMAIN2

You request one certificate with four SAN entries, so it should count as one certificate for the rate limit.


[Beta Program Announcements][1]
[1]: https://community.letsencrypt.org/t/beta-program-announcements/1631

Maybe I am reading this wrong?

--.. Archer

I think that they mean 4 single certificates. And that's not my main problem, because I switched to another host system, so I circumvent the rate limit at the moment. My problem is that I can't re-issue the certificate, as per the information in the FAQ. But as I can see, it is somehow possible to do this.

First: crt.sh | 10287626
Second: crt.sh | 10287942
Third: crt.sh | 10288987
Fourth: crt.sh | 10288986

All issued within 3 hours and for one single domain.

But I still don't know why the ACME client didn't use my own private key :frowning:


Very nitpicker-like, but ACME is the protocol used, so it's not an "ACME client" but just a "LE client".
(Sorry, I had to say this :stuck_out_tongue_winking_eye:)


ACME is the used protocol and you can specify the server, even another one not being LE. So I’d say it’s an ACME client, additionally, it’s also an LE client, because LE supports (only) ACME. :wink:


I figured out that I have to use the CSR function, which is really crap with SAN certs. But hey, it works https://crt.sh/?id=10308507 :smile:
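The two technical steps in this thread, computing the SPKI pin of a key (the openssl pipeline in the first post) and handing the client a CSR for several SAN names so that it cannot substitute a key of its own (the last post), can be combined into one check: pin the key, build the CSR from it, and confirm that whatever certificate comes back carries the same pin before it goes anywhere near an HPKP header. The script below is an added example written for this page; it is not code from the thread, the Let's Encrypt client, or Let's Encrypt itself. It assumes only the openssl command line, uses constructed names (example.test, www.example.test) and a self-signed certificate in place of a CA-issued one so that it runs offline, and builds a second certificate on an unrelated key to reproduce the symptom reported above (pin mismatch).

```shell
#!/bin/sh
# Added example (not from the thread or the LE client): SPKI pins from a key,
# a CSR and a certificate, plus a CSR with a SAN extension built from our own key.
set -eu

# SPKI pin = base64(SHA-256(DER SubjectPublicKeyInfo)), the value HPKP uses.
# Reads a PEM public key on stdin.
pin_from_pubkey_pem() {
    openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
}

pin_from_key()  { openssl pkey -in "$1" -pubout | pin_from_pubkey_pem; }
pin_from_csr()  { openssl req  -in "$1" -noout -pubkey | pin_from_pubkey_pem; }
pin_from_cert() { openssl x509 -in "$1" -noout -pubkey | pin_from_pubkey_pem; }

# Build a CSR for several names via a throwaway config with a subjectAltName
# extension (works on old and new OpenSSL; 1.1.1+ could use `req -addext`).
# usage: make_san_csr KEYFILE CSRFILE NAME [NAME...]   (first NAME becomes the CN)
make_san_csr() {
    key=$1; csr=$2; shift 2
    cn=$1
    san=""
    for n in "$@"; do san="${san:+$san,}DNS:$n"; done
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF
    openssl req -new -key "$key" -config "$cfg" -subj "/CN=$cn" -out "$csr"
    rm -f "$cfg"
}

# Print the DNS names in a CSR's SAN extension, one per line.
csr_san_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Exit 0 when FILE (a CSR or a certificate) carries the public key of KEYFILE.
# usage: pin_matches KEYFILE csr|cert FILE
pin_matches() {
    case $2 in
        csr)  other=$(pin_from_csr "$3") ;;
        cert) other=$(pin_from_cert "$3") ;;
        *)    echo "pin_matches: unknown type $2" >&2; return 2 ;;
    esac
    [ "$(pin_from_key "$1")" = "$other" ]
}

# Constructed test material in DIR: our own key (like /tmp/DOMAIN1.key in the
# thread), a SAN CSR made from it, a certificate on that key, and a certificate
# on a key we never asked for (the thread's failure mode).
build_fixture() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/own.key" 2>/dev/null
    make_san_csr "$1/own.key" "$1/own.csr" example.test www.example.test 2>/dev/null
    openssl x509 -req -in "$1/own.csr" -signkey "$1/own.key" -days 1 -out "$1/own.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/other.key" \
        -subj "/CN=example.test" -days 1 -out "$1/other.crt" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    build_fixture "$dir"
    echo "pin of own key:          $(pin_from_key  "$dir/own.key")"
    echo "pin inside CSR:          $(pin_from_csr  "$dir/own.csr")"
    echo "pin in cert (own key):   $(pin_from_cert "$dir/own.crt")"
    echo "pin in cert (other key): $(pin_from_cert "$dir/other.crt")"
    echo "SAN names in CSR:        $(csr_san_names "$dir/own.csr" | tr '\n' ' ')"
    if pin_matches "$dir/own.key" cert "$dir/other.crt"; then
        echo "other.crt matches the pinned key"
    else
        echo "other.crt does NOT match the pinned key: do not deploy it under an HPKP pin"
    fi
    rm -rf "$dir"
}

demo
```

Run `pin_matches /path/to/your.key cert /etc/letsencrypt/live/NAME/cert.pem` after each issuance, and keep a backup pin for a second key you control; with HPKP a certificate on an unexpected key locks out every returning visitor for the max-age period, which is the outage the first post describes.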

Ah okay. That’s true if the author wanted to say this in a more general way. :smile:

However…
(the nitpicker goes on…)
… this bug report ("it did not use my own private key") refers to the LE client, because other (currently nonexistent) ACME clients obviously do not have to have this bug.
And it's also not a bug in the protocol, but in the client implementation (of this specific client), so IMHO it's clearly better to say "LE client" here.


Edit: Don’t ask me why smileys like :smile: (:smile:) are now displayed in black/white style…
Test: :slight_smile: :smiley:

If you cannot see this, here is the image it shows: