Limit on Renewals?


#1

When I issued my certificates, I had quite a bit of problems with the API limits. Soon I will need to renew the certificates.
Will there be the same limit for renewals?

Because this would mean I need to time the renewals with the same time distance as when the certs were issued, to avoid running into the same limit and not being able to renew in time. This has quite a bit of potential to break things if it doesn’t work well on the first try of renewal.


#2

Renewing a certificate is no different from issuing a new certificate. The same rate limits apply. If it makes sense for your setup, try to group as many domain names as possible on the same certificate (this is called a SAN certificate) to avoid running into the certificates per domain limit. The official client supports this by passing multiple -d arguments.


#3

I already grouped some domains and would like to keep my certificate structure. But I needed to wait a week for a second batch of certificates, so I guess I need to do the same when they need renewal.


#4

@allo, this is correct according to current policy. There have been some proposals to relax the rate limit for certs that are renewals of existing certs using the same account when the existing cert is near expiry, but no such policy change has been implemented yet.

I don’t know where the Boulder team is on this, but it might be useful to file an issue on the Boulder GitHub issue tracker describing the nature of the problem and proposing a policy change, just to make it clear what the alternatives might be. (I’m sorry to the Boulder team if there’s already a related change in progress that I’m not aware of.)


#5

They closed the issue and told me we should discuss this here.


#6

Hi @allo,

We’re definitely working on ways to ensure that certificates already issued can be renewed, including e.g. https://github.com/letsencrypt/boulder/issues/1434. If you find yourself unable to renew certs that you already issued, please let us know here. It will help inform our continuing efforts.

Thanks,
Jacob


#7

I am not yet having a problem. I had to wait one week to get all certificates done, so there is a bit of free space. And I try to renew them as soon as possible by adding monitoring currently.


#8

The issue looks good. Limits to prevent mass registrations, but allowing one to get more and more certificates as they are needed. I am looking forward to such a policy.


#9

Hi @jsha, I was very keen to know if today’s ACME CA server update will integrate the code of @rolandschoemaker to solve the rate limit issue for renewals. For me it seems not to be integrated or working in the new release, because I’m already getting back the rate limit message for my renewal. How can I get informed if this issue is solved?
Nevertheless, many thanks for your good job, Andres


#10

Thanks for reporting. What’s your domain, so I can investigate?


#11

My domain is phacops.spdns.de. Maybe it’s because the certificate has already been expired since the end of February?


#12

Yes, that’s likely the cause. We still need to do one more operational step: backfilling the FQDNSets table so that Boulder knows about older issuances, from before we started filling the table. @roland has a ticket filed for that, and it should be done soon-ish. We’ll announce once that’s done.


#13

Thank you for explanation, so I will be patient for a while :slight_smile:


#14

I’m receiving the following upon my attempt to renew. Current cert is still valid for domain ‘Hobbyistpool.ddns.net’. I have ~18 days before it expires, I’ll keep trying.

An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: ddns.net


#15

Today, a different problem.

Upon running “./letsencrypt-auto renew” …

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/hobbyistpool.ddns.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: hobbyistpool.ddns.net
Type: connection
Detail: DNS problem: query timed out looking up A for
hobbyistpool.ddns.net

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Checked DNS, A record valid. HTTPS is serving …

Temporary problem LE server side? or is it my side?


#16

Seems to be a DNS-related outage; there are a couple of other users reporting this:


#17

Thanks for the quick reply, I’ll wait it out.


#18

DNS issue appears fixed, back to rate limits … I’ll try tomorrow …

urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: ddns.net. Skipping.


#19

Hello @Hobbyist,

Just for your info, if the database is not backfilled this week (so Boulder knows that you are trying to renew your existing certificate and your domain won’t hit the rate limits for ddns.net)… the next time you should try to issue a certificate for your domain would be on Friday 2016-Apr-01 22:16:00 UTC.

Good luck,
sahsanu
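As an added illustration, not code from this thread or from Boulder, here is a small Python model of the two mechanisms being discussed: the per-registered-domain limit that #14 and #18 hit, the FQDN-set renewal exemption that #12 says needs the FQDNSets backfill to work, and the "next slot" computation that #19 did by hand. The limit of 5 certificates per 7 days, the `example.net` issuance log, and the last-two-labels rule for the registered domain are all assumptions constructed for the example (a real CA uses the Public Suffix List and publishes its own numbers).

```python
"""Toy model of a per-registered-domain certificate rate limit with a
renewal exemption keyed on the exact FQDN set. Constructed example; the
policy numbers are ASSUMED, not the CA's published limits."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# ASSUMED policy parameters for illustration; adjust to the CA's real limits.
CERTS_PER_REGISTERED_DOMAIN = 5
WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class Issuance:
    names: frozenset        # the FQDN set on the certificate
    issued_at: datetime     # timezone-aware issuance time


def registered_domain(fqdn):
    """Simplification: last two labels. A real CA consults the Public Suffix
    List, which is why a dynamic-DNS provider's zone can count as one domain
    shared by all of its users."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_issuance(log, requested_names, now):
    """Decide whether a request for `requested_names` would be accepted at `now`.

    Returns (allowed, next_slot, reason). `next_slot` is `now` when allowed;
    otherwise it is the earliest time at which enough old issuances have aged
    out of the window for the count to drop below the limit."""
    names = frozenset(n.lower().rstrip(".") for n in requested_names)

    # Renewal exemption: an identical FQDN set was issued before, so this is a
    # renewal and is not counted against the per-domain limit. Without the
    # historical entries (the "backfill" in the thread) old certs are invisible
    # here and their renewals are treated as brand-new issuances.
    if any(entry.names == names for entry in log):
        return True, now, "renewal of an existing FQDN set: exempt"

    window_start = now - WINDOW
    for rd in sorted({registered_domain(n) for n in names}):
        recent = sorted(
            e.issued_at for e in log
            if e.issued_at > window_start
            and any(registered_domain(n) == rd for n in e.names)
        )
        if len(recent) >= CERTS_PER_REGISTERED_DOMAIN:
            # The count drops below the limit once this entry is WINDOW old.
            blocker = recent[len(recent) - CERTS_PER_REGISTERED_DOMAIN]
            return False, blocker + WINDOW, (
                f"too many certificates already issued for: {rd}")
    return True, now, "within limit"


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed issuance log for one registered domain (not real data).
NOW = _utc(2016, 3, 30, 12, 0)
SAMPLE_LOG = [
    Issuance(frozenset({"old.example.net"}), _utc(2016, 3, 1, 8, 0)),   # outside window
    Issuance(frozenset({"host1.example.net"}), _utc(2016, 3, 24, 9, 0)),
    Issuance(frozenset({"host2.example.net"}), _utc(2016, 3, 25, 10, 0)),
    Issuance(frozenset({"host3.example.net"}), _utc(2016, 3, 26, 11, 0)),
    Issuance(frozenset({"host4.example.net", "www.host4.example.net"}),
             _utc(2016, 3, 27, 12, 0)),
    Issuance(frozenset({"host5.example.net"}), _utc(2016, 3, 28, 13, 0)),
]

if __name__ == "__main__":
    for req in (["host4.example.net", "www.host4.example.net"],  # renewal, exempt
                ["host6.example.net"],                           # new name, blocked
                ["host6.example.net", "host.example.org"],       # mixed, blocked
                ["host.example.org"]):                           # other domain, fine
        allowed, slot, why = check_issuance(SAMPLE_LOG, req, NOW)
        print(f"{req}: {'ok' if allowed else 'denied'} ({why}); "
              f"next slot {slot.isoformat()}")
```

The mixed request shows why grouping names from a crowded zone onto a certificate with other names does not help: the limit is checked per registered domain, and one blocked domain blocks the whole order. The renewal check is exact-set matching, so reordering or re-casing names still counts as a renewal, but adding or dropping a single name turns the request into a new issuance.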


#20

However, you might also be competing with other ddns.net users for the rate limit slots, because it looks like that’s a public dynamic DNS provider.