Issues with the "Certificates per Registered Domain" rate-limit

ArikS · May 9, 2020, 11:21am

My domain is: appdomain.cloud

Our customers orders are failing today with errors such as:
*.d9197f8e-080a.us-south.knative.test.appdomain.cloud
status code: 429 and body: {“type”:“urn:ietf:params:acme:error:rateLimited”,“detail”:“Error creating new order :: too many certificates already issued for: appdomain.cloud: see https://letsencrypt.org/docs/rate-limits/","status”:429}
*.1190a7df-deff.us-south.knative.appdomain.cloud status code: 429 and body: {“type”:“urn:ietf:params:acme:error:rateLimited”,“detail”:“Error creating new order :: too many certificates already issued for: appdomain.cloud: see https://letsencrypt.org/docs/rate-limits/","status”:429}

How can I determine when the sliding window have started and when the rate-limit will expire?
when checking https://crt.sh/?q=knative.test.appdomain.cloud it seems that the last certificate was issued on 2020-05-02 06:12:50 UTC, but now its 2020-05-09 11:00:00 UTC and new orders keep failing.
When checking https://crt.sh/?q=knative.appdomain.cloud I see successful orders today and in recent days. So why the order for “*.1190a7df-deff.us-south.knative.appdomain.cloud” failed rate-limit?
We operate several LE accounts for ordering certificates. Is the “Certificates per Registered Domain” limit scoped to an account, meaning I can use another LE account to order certs for “appdomain.cloud” subdomains without hitting this limit?
How LE determined that the registered domain is “appdomain.cloud”. I couldn’t find it in https://publicsuffix.org/list/

orangepizza · May 9, 2020, 11:28am

as appdomain.cloud isn’t on surfix list, so entire appdomain.cloud zone considered a base domain, and limited 50 certificates per week. (like www.appdmain.cloud and eeeeee.appdamin.cloud use same 50 cert limits)

rg305 · May 9, 2020, 11:42am

You should use an FQDN from your own domain name.
[or one that is on the Public Suffix List]

_az · May 9, 2020, 11:46am

It's not really feasible to determine this exactly (unless you're Let's Encrypt), due to the fact that renewals are exempted from the Certificates per Registered Domain limit.

But for what it's worth:

The Registered Domain (appdomain.cloud) has used 3824 of 50 weekly certificates.

As above, it's because the certificates that did succeed were renewals, or because they managed to slide in as the rate limit window moved (just by pure luck).

It is global.

But cloud is listed. The Registered Domain is the Effective TLD (cloud) + 1 DNS label (appdomain).

The owners of appdomain.cloud should apply to Let's Encrypt for a global rate limit exemption, or otherwise apply to the PSL.

Osiris · May 9, 2020, 12:09pm

But, to be perfectly clear, NOT because that would enable users of appdomain.cloud to issue more certificates. That is not a valid reason to apply for the PSL.

ArikS · May 9, 2020, 12:28pm

@Osiris, @_az, we are using LE accounts with elevated rate-limit of Certificates/registered domain/week: 12,000, so why did we hit this rate-limit?
“The Registered Domain (appdomain.cloud) has used 3824 of 50 weekly certificates.”

JuergenAuer · May 9, 2020, 1:24pm

Hi @ArikS

If you use

different accounts, that may be the reason. An own rate limit is account specific -> other account, standard rate limit is used.

ArikS · May 9, 2020, 2:20pm

@JuergenAuer, all of our LE accounts have the elevated rate-limit of Certificates/registered domain/week: 12,000 so still unclear why the failures?

system · June 8, 2020, 2:21pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.