Our customers' orders are failing today with errors such as:
*.d9197f8e-080a.us-south.knative.test.appdomain.cloud
status code: 429 and body: {"type":"urn:ietf:params:acme:error:rateLimited","detail":"Error creating new order :: too many certificates already issued for: appdomain.cloud: see https://letsencrypt.org/docs/rate-limits/","status":429}
*.1190a7df-deff.us-south.knative.appdomain.cloud status code: 429 and body: {"type":"urn:ietf:params:acme:error:rateLimited","detail":"Error creating new order :: too many certificates already issued for: appdomain.cloud: see https://letsencrypt.org/docs/rate-limits/","status":429}
How can I determine when the sliding window started and when the rate limit will expire?
When checking https://crt.sh/?q=knative.test.appdomain.cloud it seems that the last certificate was issued on 2020-05-02 06:12:50 UTC, but now it's 2020-05-09 11:00:00 UTC and new orders keep failing.
When checking https://crt.sh/?q=knative.appdomain.cloud I see successful orders today and in recent days. So why did the order for “*.1190a7df-deff.us-south.knative.appdomain.cloud” fail on the rate limit?
We operate several LE accounts for ordering certificates. Is the “Certificates per Registered Domain” limit scoped to an account, meaning I can use another LE account to order certs for “appdomain.cloud” subdomains without hitting this limit?
As appdomain.cloud isn’t on the suffix list, the entire appdomain.cloud zone is considered a base domain and limited to 50 certificates per week (so www.appdomain.cloud and eeeeee.appdomain.cloud share the same 50-certificate limit).
It's not really feasible to determine this exactly (unless you're Let's Encrypt), due to the fact that renewals are exempted from the Certificates per Registered Domain limit.
But for what it's worth:
The Registered Domain (appdomain.cloud) has used 3824 of 50 weekly certificates.
As above, it's because the certificates that did succeed were renewals, or because they managed to slide in as the rate limit window moved (just by pure luck).
It is global.
But cloud is listed. The Registered Domain is the Effective TLD (cloud) + 1 DNS label (appdomain).
The owners of appdomain.cloud should apply to Let's Encrypt for a global rate limit exemption, or otherwise apply to the PSL.
But, to be perfectly clear, NOT because that would enable users of appdomain.cloud to issue more certificates. That is not a valid reason to apply for the PSL.
@Osiris, @_az, we are using LE accounts with an elevated rate limit of Certificates/registered domain/week: 12,000, so why did we hit this rate limit?
“The Registered Domain (appdomain.cloud) has used 3824 of 50 weekly certificates.”
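The following is an added example, not code posted by anyone in this thread: it shows why both failing names count against the same bucket (eTLD+1) and how a sliding 7-day window can be estimated from issuance timestamps such as those listed on crt.sh. The suffix excerpt and the 60 issuance records are constructed, and every certificate is treated as counting, so the renewal exemption mentioned above makes the result an estimate only.

```python
from datetime import datetime, timedelta, timezone

# Constructed excerpt; the real Public Suffix List is much larger and also
# has wildcard and exception rules that this sketch ignores.
SUFFIXES = {"cloud", "com", "co.uk"}
WINDOW = timedelta(days=7)
LIMIT = 50  # default weekly figure quoted in the thread

def registered_domain(name):
    """Longest matching public suffix plus one label (eTLD+1)."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):  # i = 0 tries the longest suffix first
        if ".".join(labels[i:]) in SUFFIXES:
            if i == 0:
                raise ValueError(f"{name} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix for {name}")

def in_window(issued, domain, now):
    """Sorted issuance times for `domain` inside the 7-day window ending at `now`."""
    return sorted(ts for name, ts in issued
                  if registered_domain(name) == domain and now - WINDOW < ts <= now)

def next_free_slot(issued, domain, now, limit=LIMIT):
    """Earliest time the in-window count falls below `limit` with no new issuance."""
    times = in_window(issued, domain, now)
    if len(times) < limit:
        return now
    # Enough of the oldest entries must age out to leave limit - 1 behind.
    return times[len(times) - limit] + WINDOW

# Constructed sample: 60 certificates, one per hour, spread over two subtrees.
NOW = datetime(2020, 5, 9, 11, 0, tzinfo=timezone.utc)
SAMPLE = [(f"*.{i:04x}.us-south.knative{'.test' if i % 2 else ''}.appdomain.cloud",
           NOW - timedelta(hours=i)) for i in range(60)]

if __name__ == "__main__":
    for n in ("*.d9197f8e-080a.us-south.knative.test.appdomain.cloud",
              "*.1190a7df-deff.us-south.knative.appdomain.cloud"):
        print(n, "->", registered_domain(n))
    print("in window:", len(in_window(SAMPLE, "appdomain.cloud", NOW)))
    print("next free slot:", next_free_slot(SAMPLE, "appdomain.cloud", NOW))
```

Searching crt.sh for a single subtree such as knative.test.appdomain.cloud shows only part of what `in_window` counts, since the bucket is the whole registered domain.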