K8s Cert Manager Rate Limit

jinoa · December 21, 2020, 7:52pm

We are running into rate limitting issues when trying to create certs in dev.flatiron.io
We use a wild card certificate *.flatiron.io and are deplying cert manager on kubernetes. Can we update our rate limit to be greater than the default? Perhaps 100?

My domain is: flatiron.io

I ran this command: cert-manager

It produced this output:

My web server is (include version): nginx

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

JuergenAuer · December 21, 2020, 8:06pm

Hi @jinoa

please share your exact error message.

jinoa · December 21, 2020, 8:24pm

Hi! Below is my error:
82s Warning OrderFailed certificaterequest/immuta-dev-letsencrypt-tls-xfd6r Failed to wait for order resource "immuta-dev-letsencrypt-tls-xfd6r-3358397139" to become ready: order is in "errored" state: Failed to create Order: 429 urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates already issued for exact set of domains: immuta.dev.flatiron.io: see https://letsencrypt.org/docs/rate-limits/

JuergenAuer · December 21, 2020, 8:46pm

Then you have all you need.

Please use one of these certificates 60 - 85 days, then create the next (one).

It's a waste of Letsencrypt resources creating certificates again and again.

That's not a reason to increase the rate limit.

jinoa · December 21, 2020, 9:05pm

Ahh that makes total sense.
How can I find out how many certificates I currently have?

Osiris · December 21, 2020, 9:17pm

You've been wasting Let's Encrypt resources for quite some time now:

Especially since July this year (but even before that) there are many, MANY duplicate certificates for all kinds of subdomains of your domain name. Sometimes just a few, sometimes A LOT of duplicates.

This is poor usage of a free service IMO and frankly, to me this is abuse of the service. Every certificate issued costs Let's Encrypt resources. Not only at the moment of issuance, but the entire lifetime of the certificate OCSP responses have to be signed, adding load to the Hardware Security Modules. More load means more resources means more money to spend. And that for a company solely running on sponsorships and donations.

Please stop your abuse and store any issued certificates on a persistent storage, so you only have to issue them once.

jinoa · December 21, 2020, 9:59pm

Thank you - We will review this now and make sure to address. I was unaware of the mis-use.

schoen · December 22, 2020, 2:18am

I think many people simply don't realize this, because they don't understand the role of HSMs. While the Rate Limits page mentions this, it's still fairly common for people to put automated issuance into a non-persistent container, without really meaning any harm.

@griffin, did you say you were working on a revision to the rate limits documentation? Can you think of anywhere that Let's Encrypt could better communicate that, while certificates are free of charge, people ought to avoid wasteful (especially duplicative) issuance?

griffin · December 22, 2020, 3:00am

Overhaul is basically done. I'll try to emphasize the "cost" a bit more though.

I did specifically mention the dangers associated with automated environments and ephemeral instances.

schoen · December 22, 2020, 4:03am

That's really nice work! I'll pop over to GitHub and offer some of my own comments.

Edit: my comments have been offered!

system · January 21, 2021, 3:19am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.