ISP Issued too Many Certificates Under TLD - Customers are Not Able to Issue More

Hi,
Such a complex title for a simple thing :slight_smile:
So, I used letsencrypt from the very beginning and I probably misused it from the beginning:
I have one domain, say domain.fr.nf (fr.nf is a domain name extension not declared public) and several subdomains, sub1.domain.com, …
I initially created one certificate for each subdomain. It worked fine but I find it hard to maintain (I need to change things in the Apache config every time a renewal is needed).
So I'd like to change so that all subdomains are "transferred" to the parent domain.
I know how to expand the parent cert to add a subdomain but this creates new certs and I constantly get the "too many certs for this domain" error because fr.nf is not declared as public.

So is there a way to transfer the existing certificate for the domain sub1.domain.fr.nf to domain.fr.nf without re-creating it (which I can't)?

Certificates can’t be transferred together (i.e. merged) in any way.
They are separate and independent and remain that way throughout their existence.
You can, however, request one single certificate that may contain up to 100 names.
Which may cover your domain plus all your subdomains.
This multiple name concept is called “Subject Alternate Names” or just “SAN”.
So that the one cert can have many alternate names / uses.

Hi @rg305
Thanks for your reply.
I'm using the following command to try to expand my existing cert (levillain.fr.nf) to a subdomain named cops.levillain.fr.nf (I already succeeded with storage.levillain.fr.nf so I put it again in the command line or else I lose it):

certbot-auto certonly --apache -n --cert-name levillain.fr.nf --expand -d cops.levillain.fr.nf -d storage.levillain.fr.nf -d levillain.fr.nf

Is that the right way to obtain what you're calling SAN? Because with this command I get the message:

There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for: fr.nf

So how can I get rid of this issue?

Hi @leolivier,

Yes, it is.

The problem is that you are using a free domain, *.fr.nf, but fr.nf is not included in the Public Suffix List. This means Let's Encrypt sees every subdomain as part of the main domain fr.nf, so it applies the rate limits, in this case 20 certificates per 7 days. As it is a free domain, usually it is used by a lot of people and many of them also want their certificate, so it will be very hard to get a cert for all your domains. You were lucky to get one or two certificates but that was only that... luck.

You could buy a cheap domain or even get a free domain from freenom, for example, and you won't share the rate limits used by Let's Encrypt.

Cheers,
sahsanu.

Hi @sahsanu,
Yeah, that's basically what I said in my first post:

fr.nf is a domain name extension not declared public

and I know all the stuff about the rate limits: I've been fighting with this for months but still, my point is that my certificate for levillain.fr.nf already exists!
So, why does letsencrypt complain when I just want to expand it to another subdomain?
This is not a new certificate (or is it?). If it's really a new certificate then I give up, but I don't think so: it's the same certificate expanded to more domain names, so it should not be counted in the rate limits...
Also, to @rg305, let's say I don't want to merge my existing subdomain certificates: as soon as I can expand the parent cert, I'll revoke the subdomain one, so technically it's not a merge.

(btw, fr.nf is provided by azote.org and is an extension not limited in time, whereas you must renew all the freenom domains at least every year. The drawback is that it has almost no support at all; I asked azote.org to add the extension to the public list 3 times with no answer at all.)

Yes, it is: you are not renewing a certificate with the same subset of domains, you are adding more, so yes, it is a new and different certificate that will count against the rate limits.

Ok, I surrender :confused:

I know this rule is confusing, but basically the rate limits exist to stop people from getting an unreasonably large number of certificates for their own personal sites. The certificate authority doesn’t have a way to know that fr.nf isn’t just one person’s personal site (since, as you said at the beginning, it’s not on the Public Suffix List and I guess has also not asked Let’s Encrypt for a rate limiting exemption).

Because rate limits were causing certain problems, a special case was made that you can always renew the exact certificate that you already have (if you have not already done so recently). However, this special case is hard-coded to refer to the exact certificate that you already have, not a related one that is slightly larger or smaller. If your certificate becomes larger or smaller with more or fewer names, it’s not considered “renewing” your existing certificate and the logic of the special case isn’t applied. If this were not so, the rate limit code would need to be even more complicated, or people would be able to work around the limits by adding or removing a single domain at a time.

I also know that Let’s Encrypt has been causing challenges for the PSL because quite a lot of domains have started trying to list on the PSL just for the benefit of getting a rate limit exemption. However, I guess the options in your situation would continue to be:

  • Ask the people who run fr.nf to apply for a Let’s Encrypt rate limit exemption.

  • Ask the people who run fr.nf to list on the Public Suffix List.

  • Switch to a different free domain provider that already has an exemption.

  • Register your own domain name.

  • Script your certificate request so that you retry it periodically, in the hope of eventually getting your desired certificate. (Once you have gotten it, you will be able to renew it indefinitely, because of the renewal exemption.)

Hi @shoen,
Thanks for such a detailed and well-explained answer. Actually, I had already thought about your arguments, that's why I gave up arguing yesterday.
And I already chose the last solution temporarily:
I'm trying every two hours to get my certificate with a daemon, because changing my domain name is too complex for now…
Thanks again to all…

Just for your info, the next time you could issue a new certificate would be approx. on Monday 2017-Jun-12 13:05:00 UTC. Indeed, between 13:00 UTC and 14:00 UTC 3 certificates would be "removed" from the limit, so it could be a good timeframe to try to get your certificates.

Edit: keep in mind that hours are UTC, so for example if you live in France you should add 2 hours to the above time.

Good luck,
sahsanu

Thanks so much @sahsanu !

BTW, is there a way to get this kind of information in a public way? Or do you keep it secret (which I could understand)?

@leolivier, you are welcome.

Yes, this is ultra secret… just kidding. All the certs issued by Let's Encrypt are publicly available. You can search the certificates issued for fr.nf here https://crt.sh, then you can check the last 20 issued certificates for fr.nf and add 7 days to the first issued certificate, so you will get an approximation of the time when you could be able to try to get your cert.

By the way, I use my own script to check it; it gets the information from crt.sh but from the command line. You can get this script here https://github.com/sahsanu/lectl

Note: I've detected a bug in my script (I'll try to fix it this weekend). If the number of certificates is 100 or more (as is the case for fr.nf), it is not displayed correctly in the console, but at the bottom you will get an approximation of the time when you could get a new cert.

Edit: The bug commented above is fixed in lectl version 0.9.

Sorry, you can't issue any certificate, you already issued 20 certificates on last 7 days
You could issue next certificate on Monday 2017-Jun-12 13:05:00 UTC

Cheers,
sahsanu

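The two rules the thread turns on, the renewal exemption for an identical name set (schoen's post) and the "oldest of the last 20 plus 7 days" retry estimate (sahsanu's crt.sh procedure), as an added example that is not part of the thread and not lectl's code. The mini public-suffix list, the issuance history and the "current time" are constructed inputs, and the exemption's own repeat limit is not modelled.

```python
from datetime import datetime, timedelta, timezone

# Constructed mini Public Suffix List (assumption): "nf" is public, "fr.nf" is not,
# which is the situation in the thread, so every *.fr.nf name shares one limit.
PUBLIC_SUFFIXES = {"nf", "com", "fr"}
RATE_LIMIT = 20              # certificates per registered domain ...
WINDOW = timedelta(days=7)   # ... per sliding 7-day window
NOW = datetime(2017, 6, 8, 12, 0, tzinfo=timezone.utc)   # constructed "current time"

def registered_domain(hostname):
    """Name the limit is keyed on: one label below the longest matching public suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError("%s is itself a public suffix" % hostname)
            return ".".join(labels[i - 1:])
    return hostname  # no listed suffix at all: treat the whole name as the domain

def check_request(requested_names, issued, now=NOW):
    """issued: [(issued_at, frozenset(names))]. Returns ("renewal", None),
    ("allowed", None) or ("rate_limited", earliest time a retry can succeed)."""
    wanted = frozenset(n.lower() for n in requested_names)
    # Renewal exemption: only an identical name set is "the same certificate";
    # adding or dropping a single name makes it a new, rate-limited one.
    if any(names == wanted for _, names in issued):
        return ("renewal", None)
    earliest = None
    for dom in {registered_domain(n) for n in wanted}:
        recent = sorted(t for t, names in issued
                        if now - WINDOW < t <= now
                        and any(registered_domain(n) == dom for n in names))
        if len(recent) >= RATE_LIMIT:
            # Sliding window: a slot frees up when the oldest of the last
            # RATE_LIMIT issuances falls out of the window (oldest + 7 days).
            retry = recent[-RATE_LIMIT] + WINDOW
            earliest = retry if earliest is None or retry > earliest else earliest
    return ("allowed", None) if earliest is None else ("rate_limited", earliest)

# Constructed history for fr.nf: 20 other users' certs inside the window, one
# older cert outside it, and the poster's own existing two-name certificate.
SAMPLE_ISSUED = [(NOW - timedelta(hours=6 * k + 1), frozenset({"user%d.fr.nf" % k}))
                 for k in range(20)]
SAMPLE_ISSUED += [(NOW - timedelta(days=8), frozenset({"old.fr.nf"})),
                  (NOW - timedelta(days=30),
                   frozenset({"levillain.fr.nf", "storage.levillain.fr.nf"}))]

if __name__ == "__main__":
    print(check_request(["cops.levillain.fr.nf", "levillain.fr.nf",
                         "storage.levillain.fr.nf"], SAMPLE_ISSUED))
```

With the constructed history, re-requesting exactly the two existing names is a renewal, while adding cops.levillain.fr.nf is refused until the oldest of the 20 in-window fr.nf certs ages out of the window.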
