I am very, very, very confused about how the rate limits are applied. I am getting failed: too many certificates issued for: 56kprojects.com. I do not understand this, though, because I have looked in the transparent list published online, and according to that list I have not requested 20 certificates in the last 7 days, and I have also not requested 5 identical certificates either. I have done some renews and some requests, but the current request is for a SAN that contains some names used before and some new names, so therefore it is not identical. Why is this getting rejected, and how long is it before I have a full 20 requests again?
While you can continue to renew certificates due to the renewal exemption, you’ll next be able to issue 2 new certificates on 2018-02-12, 1 week after the 2 on 2018-02-05.
Okay, I think I understand how this is working now, so it's a literal sliding scale. So how long would I need to not issue certificates for to be able to issue a full 20 certificates in one go?
Can I ask how to do a search using the exact criteria you did on crt.sh, for future reference, please? I do not know what to type in the search box to return the same results you did. Thank You
Since the * character commonly used as a wildcard character is already used in certificates as a wildcard character, crt.sh uses % as a wildcard character, which is the wildcard character used in SQL databases.
So searching for %.example.com will show certificates for www.example.com and beta.example.com but not example.com, while searching for %example.com (without a dot after the %) will return results for all 3 of those plus anotherexample.com.
Usually your domain name is unique enough that %example.com is good enough though.
My search was specifically for certificates from the Let’s Encrypt Authority X3 intermediate, which issues all current Let’s Encrypt certificates, but not all past or future certificates.
If you want a command line alternative… some time ago I created this script and it could be useful to you (the info is retrieved from crt.sh).
Example (I’m not showing the entire output because it is very large):
$ ./lectl -su 56kprojects.com
lectl 0.12 (2018-January-17)
2018/February/11 20:42:29 - Checking certs for 56kprojects.com
I have found 62 non expired certificates (max number of certs searched: 100) for domain 56kprojects.com and its subdomains *.56kprojects.com
CRT ID DOMAIN (CN) VALID FROM VALID TO EXPIRES IN SANs
326705965 sip.56kprojects.com 2018-Feb-09 23:56 UTC 2018-May-10 23:56 UTC 88 days 56kprojects.com
autodiscover.56kprojects.com
av.56kprojects.com
dialin.56kprojects.com
edge.56kprojects.com
imap.56kprojects.com
joomla.56kprojects.com
lyncdiscoverinternal.56kprojects.com
lyndiscover.56kprojects.com
mail.56kprojects.com
meet.56kprojects.com
moodle.56kprojects.com
owas.56kprojects.com
pbx.56kprojects.com
rd-gateway.56kprojects.com
remote.56kprojects.com
sharepoint.56kprojects.com
sip.56kprojects.com
skype.56kprojects.com
smtp.56kprojects.com
webconf.56kprojects.com
wordpress.56kprojects.com
www.56kprojects.com
326084256 sip.56kprojects.com 2018-Feb-09 02:17 UTC 2018-May-10 02:17 UTC 87 days 56kprojects.com
autodiscover.56kprojects.com
av.56kprojects.com
dialin.56kprojects.com
edge.56kprojects.com
imap.56kprojects.com
joomla.56kprojects.com
lyncdiscoverinternal.56kprojects.com
lyndiscover.56kprojects.com
mail.56kprojects.com
meet.56kprojects.com
moodle.56kprojects.com
owas.56kprojects.com
pbx.56kprojects.com
rd-gateway.56kprojects.com
remote.56kprojects.com
sharepoint.56kprojects.com
sip.56kprojects.com
skype.56kprojects.com
smtp.56kprojects.com
webconf.56kprojects.com
wordpress.56kprojects.com
www.56kprojects.com
[...]
272344953 mail.56kprojects.com 2017-Dec-07 00:03 UTC 2018-Mar-07 00:03 UTC 23 days mail.56kprojects.com
Sorry, you can't issue any certificate, you already issued 20 certificates on last 7 days
You could issue next certificate on Monday 2018-Feb-12 05:38:00 UTC
Note 1: Keep in mind that if 56kprojects.com is included in PSL (Public Suffix List) the rate limit could only be applied to your subdomain instead of your domain.
Note 2: Right now Let's Encrypt is implementing a new feature so if you renew the exact cert (with the same FQDNs) the rate limit could not apply to your domain if you try to renew it.
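The sliding-window arithmetic discussed in this thread, as an added example (it is not part of any post and is not lectl's code). It assumes the 20-certificates-per-7-days figure quoted above, uses constructed issuance times, and does not model the renewal exemption; all function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 20                  # certificates per registered domain (figure from the thread)
WINDOW = timedelta(days=7)  # sliding window length (figure from the thread)


def in_window(issued, now, window=WINDOW):
    """Issuance times that still count against the limit at `now`."""
    return sorted(t for t in issued if now - window < t <= now)


def available_now(issued, now, limit=LIMIT, window=WINDOW):
    """Number of new certificates that could be issued at `now`."""
    return max(0, limit - len(in_window(issued, now, window)))


def next_issuance(issued, now, limit=LIMIT, window=WINDOW):
    """Earliest time at which at least one new certificate can be issued."""
    counted = in_window(issued, now, window)
    if len(counted) < limit:
        return now
    # Enough of the oldest entries must age out to drop the count below `limit`.
    return counted[len(counted) - limit] + window


def full_quota_at(issued, now, window=WINDOW):
    """Time at which the whole limit is available again (no issuance in between)."""
    counted = in_window(issued, now, window)
    return counted[-1] + window if counted else now


# Constructed sample data: 2 certificates on 2018-02-05, then 18 more spread
# over the following days. The renewal exemption is not modelled here.
UTC = timezone.utc
FIRST = datetime(2018, 2, 5, 5, 38, tzinfo=UTC)
ISSUED = [FIRST, FIRST + timedelta(minutes=1)] + [
    FIRST + timedelta(days=1, hours=3 * i) for i in range(18)
]
NOW = datetime(2018, 2, 11, 20, 42, tzinfo=UTC)

if __name__ == "__main__":
    print("available now:  ", available_now(ISSUED, NOW))
    print("next issuance:  ", next_issuance(ISSUED, NOW))
    print("full quota back:", full_quota_at(ISSUED, NOW))
```

With this sample, slots come back one by one as each old issuance passes the 7-day mark, and the full 20 are available only 7 days after the most recent issuance.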