Let's Encrypt Renewing cert is same as Issuing cert?


#1

Hello,
I am using the getssl client for Let’s Encrypt.
I have a question about renewing:
1. Is renewing a certificate issuing a newer certificate?
2. Or does renewing a certificate renew the same old certificate?

If 1 is right,
do rate limits apply to renewing the same as to issuing?
thx.


#2

In essence, renewing is just requesting a new certificate with the same hostnames as the old one. When you add/remove some of the hostnames, it’s not a renewal.

See also: https://letsencrypt.org/docs/rate-limits/


#3

Hello, thx for your reply.
But I can’t understand those rate limits.

It says
we have a Renewal Exemption to the Certificates per Registered Domain limit.

But when I tried a renewal with getssl, it archived the old certificate file & obtained a new certificate.
If we have a renewal exemption, can I renew infinitely? But I can’t renew a certificate more than 5 times?
I can’t understand, so can you describe this?
thx.


#4

You can see the rate limits at https://letsencrypt.org/docs/rate-limits/ or summarized at Rate Limits for Let's Encrypt:

Renewal is essentially getting a new certificate, but it is an exact duplicate, so it is a “limit on issuing certificates with the exact same set of names: 5 certificates per FQDN set per week.”

Yes, you can renew infinitely into the future, but not more than 5 times in any 7 day period. From the document you refer to:

We also have a Duplicate Certificate limit of 5 certificates per week. A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names by adding [blog.example.com], you would be able to request additional certificates.

getssl will, by default, not renew if the certificate is valid for more than 30 days, so you can put that in a cron to renew every day, and it will only renew the cert every 60 days.
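
The two rules discussed above (the duplicate limit keyed on the exact set of hostnames, and renewing only when 30 days or less of validity remain), as an added example that is not part of the original posts and is not getssl's code. The function names, the sliding 7-day window and the sample history are assumptions made for illustration; the CA enforces the real limit on its side.

```python
from datetime import datetime, timedelta, timezone

DUPLICATE_LIMIT = 5                 # "5 certificates per FQDN set per week" (quoted docs)
WINDOW = timedelta(days=7)          # assumption: modelled as a sliding 7-day window
RENEW_BEFORE = timedelta(days=30)   # getssl default described in the post above

def fqdn_set(names):
    """Canonical key for a certificate: capitalization and ordering are ignored."""
    return frozenset(n.strip().lower() for n in names)

def duplicates_in_window(history, names, now):
    """Count earlier certificates with the exact same name set issued in the window."""
    key = fqdn_set(names)
    return sum(1 for issued_at, issued_names in history
               if fqdn_set(issued_names) == key and now - WINDOW < issued_at <= now)

def decide(history, names, not_after, now):
    """Return 'skip', 'blocked' or 'renew' for one certificate."""
    if not_after - now > RENEW_BEFORE:
        return "skip"       # still valid for more than 30 days, nothing to do
    if duplicates_in_window(history, names, now) >= DUPLICATE_LIMIT:
        return "blocked"    # one more duplicate this week would exceed the limit
    return "renew"

# Constructed sample data (not real issuance records).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
BASE = ["www.example.com", "example.com"]
HISTORY = [
    (NOW - timedelta(days=9), BASE),                                # outside the window
    (NOW - timedelta(days=6), BASE),
    (NOW - timedelta(days=5), ["example.com", "www.example.com"]),  # reordered
    (NOW - timedelta(days=3), ["WWW.Example.com", "example.com"]),  # different case
    (NOW - timedelta(days=2), BASE),
    (NOW - timedelta(hours=1), BASE),
    (NOW - timedelta(days=1), BASE + ["blog.example.com"]),         # different set
]

if __name__ == "__main__":
    expiring = NOW + timedelta(days=20)
    print(decide(HISTORY, BASE, expiring, NOW))
    print(decide(HISTORY, BASE + ["blog.example.com"], expiring, NOW))
    print(decide(HISTORY, BASE, NOW + timedelta(days=75), NOW))
```

A forced renewal loop (for example while debugging a client configuration) is what usually produces the "blocked" case; the daily cron run described above lands in "skip" on most days.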


#5

I PERFECTLY understand that.
So thank you for the detail.

Renewal is essentially getting a new certificate, but it is an exact duplicate, so it is a “limit on issuing certificates with the exact same set of names: 5 certificates per FQDN set per week.”

Always thx.

