Is New Cert Rate Limit REALLY exceeded?!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jbs.my.to

I ran this command:

It produced this output:

[DNSLookupFailed](https://letsdebug.net/jas.my.to/1395617#DNSLookupFailed-Fatal)

FATAL

A fatal issue occurred during the DNS lookup process for my.to/CAA.

DNS response for my.to/CAA did not have an acceptable response code: SERVFAIL

[RateLimit](https://letsdebug.net/jas.my.to/1395617#RateLimit-Error)

ERROR

jas.my.to is currently affected by Let's Encrypt-based rate limits (https://letsencrypt.org/docs/rate-limits/). You may review certificates that have already been issued by visiting https://crt.sh/?q=%my.to . Please note that it is not possible to ask for a rate limit to be manually cleared.

The 'Certificates per Registered Domain' limit (50 certificates per week that share the same Registered Domain: my.to) has been exceeded. There is no way to work around this rate limit. The next non-renewal certificate for this Registered Domain should be issuable after 2023-03-04 12:43:20 +0000 UTC (2m0s from now).

My web server is (include version): nginx

The operating system my web server runs on is (include version): DSM 7

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes DSM UI

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Unknown

Why is Let's Debug telling me the domain is invalid?
Why is it telling me over 50 certs have been requested in the last week when https://crt.sh/?q=my.to shows that none have?

I have been trying to renew and then recreate for the last few days and it has just now succeeded.

I haven't changed anything so I can only assume I got lucky with a rate limit on the my.to domain shifting into another week window. (I tried again immediately after LetsDebug said I should try again).

But this still doesn't explain why the rate was apparently exceeded even though crt.sh said that none had been requested. However, it is suspicious that it was telling me that none had been requested in years!

crt.sh often has trouble with domains for which many, MANY certs are issued. Other CT log sites such as Entrust Certificate Search - Entrust, Inc. might give better results.

Also, Afraid.org, the owner of the my.to domain, is known for their poor quality DNS, so that might explain the hiccup regarding the SERVFAIL. I could not reproduce it myself.

With regard to the rate limit: Afraid.org apparently refuses to add their free subdomain domains to the Public Suffix List. Note that this is a SECURITY ISSUE which is the main purpose of the Public Suffix List. While not the purpose of the Public Suffix List, Let's Encrypt uses the PSL to define the "registered domain" to which the rate limits are calculated. As there are many certs issued for subdomains of the my.to domain name and Afraid.org doesn't add their domains to the PSL, you're going to run into rate limits quite often.


Many thanks for this quick, informative, response!

