I am very, very, very confused about how the rate limits are applied. I am getting failed: too many certificates issued for: 56kprojects.com. I do not understand this, though, because I have looked in the transparent list published online, and according to that list I have not requested 20 certificates in the last 7 days, and I have also not requested 5 identical certificates either. I have done some renews and some requests, but the current request is for a SAN that contains some names used before and some new names, so therefore it is not identical. Why is this getting rejected, and how long is it before I have a full 20 requests again?
20 certificates have been issued since 2018-02-05:
While you can continue to renew certificates due to the renewal exemption, you’ll next be able to issue 2 new certificates on 2018-02-12, 1 week after the 2 on 2018-02-05.
Okay, I think I understand how this is working now, so it's a literal sliding scale. So how long would I need to not issue certificates for to be able to issue a full 20 certificates in one go?
The domain’s most recent certificate was issued at 2018-02-10 00:56:03 UTC.
So about 2018-02-17 00:56:03.
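Added example, not part of any post in this thread and not Let's Encrypt's own code: the sliding-window arithmetic from the answers above, using the 20-per-7-days figures quoted in the thread. The issuance list is constructed (only the first and last timestamps come from the thread), renewals are assumed to be excluded from the list, and the exact boundary handling is an assumption.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 20                   # certificates per domain, figure quoted in the thread
WINDOW = timedelta(days=7)   # sliding window, figure quoted in the thread

def utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def in_window(issued, now):
    """Issuance times that still count against the limit at `now`.
    Assumption: a certificate stops counting exactly WINDOW after issuance."""
    return sorted(t for t in issued if now - WINDOW < t <= now)

def available(issued, now):
    """How many new (non-renewal) certificates could be issued at `now`."""
    return max(0, LIMIT - len(in_window(issued, now)))

def when_available(issued, now, n=1):
    """Earliest time at which `n` new certificates can be issued at once,
    assuming nothing else is issued in the meantime."""
    if not 1 <= n <= LIMIT:
        raise ValueError("n must be between 1 and LIMIT")
    counted = in_window(issued, now)
    must_expire = len(counted) - (LIMIT - n)   # how many must age out first
    if must_expire <= 0:
        return now
    # The window frees slots oldest-first, so wait for the must_expire-th oldest.
    return counted[must_expire - 1] + WINDOW

# Constructed sample: 20 issuances. The 05:38:00 and 00:56:03 timestamps match
# the thread; every other timestamp is made up for illustration.
ISSUED = (
    [utc("2018-02-05 05:38:00"), utc("2018-02-05 05:40:00")]
    + [utc("2018-02-07 12:00:00") + timedelta(hours=h) for h in range(17)]
    + [utc("2018-02-10 00:56:03")]
)
NOW = utc("2018-02-11 20:42:29")

if __name__ == "__main__":
    print("available now:", available(ISSUED, NOW))
    for n in (1, 2, LIMIT):
        print(f"{n:>2} new cert(s) possible at", when_available(ISSUED, NOW, n))
```

The full allowance of 20 returns one window after the most recent counted issuance, which is why any new issuance in the meantime pushes that date back.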
Okay, now I get it, thank you dude. I seem to be having a serious logic malfunction this week lol
Can I ask how to do a search using the exact criteria you did on crt.sh for future reference please? I do not know what to type in the search box to return the same results you did. Thank You
Because the * character commonly used as a wildcard character is already used in certificates as a wildcard character, crt.sh uses % as a wildcard character, which is the wildcard character used in SQL databases.
So searching for %.example.com will show certificates for beta.example.com but not example.com, while searching for %example.com (without a dot after the %) will return results for all 3 of those plus
Usually your domain name is unique enough that %example.com is good enough though.
You can search from the homepage.
My search was specifically for certificates from the Let’s Encrypt Authority X3 intermediate, which issues all current Let’s Encrypt certificates, but not all past or future certificates.
If you want a command line alternative… some time ago I created this script and it could be useful to you (the info is retrieved from
Example (I’m not showing the entire output because it is very large):
$ ./lectl -su 56kprojects.com
lectl 0.12 (2018-January-17)
2018/February/11 20:42:29 - Checking certs for 56kprojects.com
I have found 62 non expired certificates (max number of certs searched: 100) for domain 56kprojects.com and its subdomains *.56kprojects.com
CRT ID DOMAIN (CN) VALID FROM VALID TO EXPIRES IN SANs
326705965 sip.56kprojects.com 2018-Feb-09 23:56 UTC 2018-May-10 23:56 UTC 88 days 56kprojects.com
326084256 sip.56kprojects.com 2018-Feb-09 02:17 UTC 2018-May-10 02:17 UTC 87 days 56kprojects.com
272344953 mail.56kprojects.com 2017-Dec-07 00:03 UTC 2018-Mar-07 00:03 UTC 23 days mail.56kprojects.com
Sorry, you can't issue any certificate, you already issued 20 certificates on last 7 days
You could issue next certificate on Monday 2018-Feb-12 05:38:00 UTC
Note 1: Keep in mind that if 56kprojects.com is included in PSL (Public Suffix List) the rate limit could only be applied to your subdomain instead of your domain.
Note 2: Right now Let's Encrypt is implementing a new feature so if you renew the exact cert (with the same FQDNs) the rate limit could not apply to your domain if you try to renew it.