Last certificate months ago, still getting "too many certificates already issued"?

peterthomassen · 2017-04-14 13:03:17 UTC

Hi.

The last time I requested a certificate for dedyn.io was on Feb 3, as can be seen from https://www.google.com/transparencyreport/https/ct/#domain=dedyn.io&incl_exp=true&incl_sub=false

I just requested a new one (with an additional domain name), and now get “too many certificates already issued for: dedyn.io”. How can that be?

Thanks,
Peter

mnordhoff · 2017-04-14 14:19:26 UTC

You need to tick the “Include subdomains” box:

https://www.google.com/transparencyreport/https/ct/#domain=dedyn.io&incl_exp=true&incl_sub=true

A large number of certificates for subdomains of dedyn.io are issued on a daily basis.

schoen · 2017-04-14 17:08:50 UTC

If it is a public dynamic DNS provider, the provider should try to list on the public suffix list (https://www.publicsuffix.org/). Other dynamic DNS providers have done so already.

peterthomassen · 2017-04-14 18:43:14 UTC

dedyn.io already is on the Public Suffix List, so subdomains don’t count. For dedyn.io itself, as I said, the last certificate was requested in February.

Any other ideas why I can’t request a new one? In my opinion, this should not happen.

schoen · 2017-04-14 20:44:29 UTC

@cpu, is dedyn.io currently in the list of rate limit exemptions as a result of its PSL listing?

jsha · 2017-04-14 21:51:16 UTC

@schoen, it is.

I suspect this may be a bug in the rate limiting code in Boulder, and how it interacts with public suffixes. If dedyn.io is on the public suffix list, that means each subdomain gets its own rate limiting bucket. For instance:

FQDN                  | Rate limit bucket
www.foo.dedyn.io      | foo.dedyn.io
foo.dedyn.io          | foo.dedyn.io
www.bar.dedyn.io      | bar.dedyn.io
dedyn.io              | dedyn.io

Unfortunately, the code that implements this makes an assumption that no rate limit bucket is a subdomain of another rate limited bucket. Specifically CountCertificatesByName “counts, for each input domain, the number of certificates issued in the given time range for that domain and its subdomains.” In this case, that gives the wrong answer for dedyn.io, since there are a large number of certificates issued for subdomains of dedyn.io.

I’ll file an issue and get it fixed. In the meantime, a partial workaround would be to issue a certificate with all of those FQDNs except the exact “dedyn.io” one. I realize that’s unsatisfactory, but it looks like https://dedyn.io isn’t currently serving a valid certificate, so it wouldn’t be much worse than the situation today.

Thanks for flagging this issue!

peterthomassen · 2017-04-15 10:06:01 UTC

@jsha Thanks for taking care of this! Would you mind posting a link to the issue here so that I can keep track? Thanks!

sahsanu · 2017-04-15 10:12:27 UTC

Hi @peterthomassen

You can find the issue here https://github.com/letsencrypt/boulder/issues/2681.

Cheers,
sahsanu

system · 2017-05-15 10:25:59 UTC

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

cpu · 2017-05-25 17:29:01 UTC

Hi @peterthomassen,

Good news! The rate limiting bug you encountered here has been fixed in production. You shouldn’t encounter this problem for the dedyn.io domain going forward.

Apologies on the long turn around time for this! We had a few unrelated incidents occur that delayed this being activated in production. I appreciate your patience

Have a great day,