Maximal certificate requests reached for this domain name

Hi, I am trying to get a certificate from Let’s Encrypt, but it keeps failing with a popup message: "Maximal certificate requests reached for this domain name". I have gotten several certificates for this domain before (for testing, and I didn't know about the rate limit before :frowning: ), but it's been more than 34 hours since the last time (according to the doc: Rate Limits - Let's Encrypt).

Could anyone please tell me how long I should wait before the next try? Many thanks :slight_smile:

My domain is: hulizhen.synology.me

I ran this command: I am trying to get a certificate from Let’s Encrypt on my Synology NAS

It produced this output: Maximal certificate requests reached for this domain name

My web server is (include version): -

The operating system my web server runs on is (include version): DSM 7.2.2-72806 Update 2

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): -

Hello @hulz413, welcome to the Let's Encrypt community. :slightly_smiling_face:

Probably about 168 hours - 34 hours, which equals 134 hours or 5.583 days, would be the longest time needed to wait.

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher.

And to assist with debugging, a great place to start is Let's Debug.

3 Likes

Yes, the Let's Encrypt server returns the exact date and time on which a retry may succeed. But Synology often converts the messages from the LE server into its own, so it might lose that info.

Further, Synology itself might issue that error for things it decides are "too often".

In this case though you may only need to wait another day or so. You have gotten 5 identical (wildcard) certs in the last 7 days. So, once the oldest "rolls off" you should be able to get a new one.

That said, you are getting a lot of production certs. Getting certs is not your problem. Your system is not applying them properly. That's a better question for the Synology forum.

4 Likes

Here are community forums for Synology that may be of assistance.

  1. https://community.synology.com/enu
  2. https://www.synoforum.com/
  3. https://synocommunity.com/

4 Likes

@Bruce5051 @MikeMcQ
Thank you for your responses!

I had decided to wait another 7 days, but I just found another issue: I attempted to request a certificate on 2024-11-28 00:50:33 UTC, but Synology indicated that "Maximal certificate requests reached for this domain name." I initially thought this request had failed again. However, it seems that this request was successful based on the information from crt.sh: crt.sh | 15527947450.

I’m confused, is this a bug in the Synology DSM system? Is there any chance I can get it back from somewhere on DSM's file system? Could you please try to explain what might have happened?

Thank you for your help!

2 Likes

Hi~ I’d like to provide some additional information based on my calculations. I found that the time interval between my last certificate request on 2024-11-26 17:04:42 UTC and my recent request on 2024-11-28 00:50:33 UTC is only a little over 31 hours, which is shorter than the 34 hours mentioned in the documentation.

However, it’s strange that crt.sh indicates the creation was successful. Yet, after waiting for over 34 hours, when I tried to request again, it still didn’t work, and I couldn’t find any updated records on crt.sh.

Am I possibly missing some information here? Any insights would be appreciated, thanks!

Yes. You should consult with Synology support for help operating their device.

Let's Encrypt does not have any rate limit that mentions "34 hours". That must be a Synology thing.

Certs that appear in crt.sh were issued. Full stop. Sometimes there can be long delays before an issued cert appears there. Even 24H or longer delay.

The insights you seek will come from Synology :slight_smile:

4 Likes

Thank you for your reply :slight_smile:

The "34 hours" is mentioned here: Rate Limits - Let's Encrypt

Up to 5 certificates can be issued per exact same set of hostnames every 7 days. This is a global limit, and all new order requests, regardless of which account submits them, count towards this limit. The ability to request new certificates for the same exact set of hostnames refills at a rate of 1 certificate every 34 hours.

So I plan to wait another 34 hours since my last attempt. If the issue still persists, I will reach out to Synology support.

2 Likes

Well, that is very recent! I saw some stray comments about these being adjusted but don't remember a formal notice it was implemented.

Thanks for pointing that out. I will need to review that Rate Limit page for other info.

Yes, if the error persists then it's really a Synology message. Which is what I think it is.

Something is clearly not working well for you to be getting so many certs. I think a discussion with them is warranted anyway :slight_smile:

3 Likes

I’d like to clarify a fact here: the reason I have so many certificates is that I attempted to generate them multiple times without knowing there were limitations, rather than Synology applying for so many at once for me.

BTW, I just gave it another try (after waiting more than 34 hours since the last attempt), but the issue still persists. I've contacted Synology support, and I will update you if there’s any progress.

Thanks :slight_smile:

1 Like

Yeah, let us know what happens from that. My thought was simply that because you're getting so many certs it was probably because your Synology system wasn't applying or using the ones that it got. Because if your system was behaving well after getting the first cert, why would you even need to get more? :slight_smile:

It is all good. No worries. I am curious if you get any good instructions from them.

3 Likes

I want to say that changed within the last month. I don't know if the "leaky bucket" algorithm is new or just a clarification of how it works. I noticed it went in at the same time it was noted that ARI renewals are exempt from most rate limits.

2 Likes

I think it was early this year that the LE server started including the date/time by which another request could be tried. Some of us were posting about seeing more than 5 certs / week. So, that was probably the start of experimenting with the leaky bucket (nice term<g>). And, yeah, the docs probably got refreshed along with other stuff last month.

I still don't recall ever seeing official notice of any of this though. I'd have thought we'd see something in the API section. Oh well. It is more practical than blocking for possibly an entire week. But perhaps the "refill" period needs to get longer the more frequently a requester renews "too soon" :slight_smile: Renewing every 34H "forever" is poor practice. /rant off

4 Likes

I agree, I was also a little surprised that there was no official notice either; I just happened to come across that by accident.

No disagreement there!

3 Likes

There is no 34H rate limiting timer.
34H is just 1 week [168H] divided by 5 [33.6H and then rounded up].
So...
The actual rate limit is 5 certs in a week - and that is what the counter and timer are set to watch.

2 Likes

No, the LE docs now (as of last month it looks like) say every 34H an extra one is granted. So, if you got 5 certs in one day you could get a 6th in 34H.

The LE Rate Limit page had a major update.

This explains why we have seen (many) examples of 6 certs in one week and why the LE message suggests another can be requested in less than a strict 5/week limit.

3 Likes
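
An added example, not part of any post in this thread and not Let's Encrypt's server code: a simplified model of the refill behaviour quoted from the Rate Limits page (5 certificates per exact set of hostnames, one more every 34 hours), showing why five certificates in one day allow a sixth 34 hours after the first rather than a week later. It assumes the bucket starts full; the function names and sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Values quoted in the thread from the Rate Limits page.
BURST = 5                       # certificates per exact set of hostnames
REFILL = timedelta(hours=34)    # one more certificate is allowed every 34 hours


def earliest_retry(issued):
    """Return the earliest time another certificate fits in the bucket.

    `issued` holds the times of certificates that were actually issued for
    one exact set of hostnames (for example, as listed on crt.sh).
    Returns None when nothing has been issued yet.
    """
    full_again = None  # time at which the bucket would be completely refilled
    for t in sorted(issued):
        # Each issuance pushes the "full again" time out by one refill period.
        full_again = t + REFILL if full_again is None else max(full_again, t) + REFILL
    if full_again is None:
        return None
    # One slot is free once at most BURST - 1 refill periods are still owed.
    return full_again - (BURST - 1) * REFILL


def can_issue(issued, now):
    """True if the model would allow one more certificate at `now`."""
    retry = earliest_retry(issued)
    return retry is None or now >= retry


def utc(text):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample: five certificates for the same names within one day.
SAMPLE = [utc(f"2024-11-20 {hour}:00") for hour in (10, 11, 12, 13, 14)]

if __name__ == "__main__":
    print("earliest retry (refill model):", earliest_retry(SAMPLE))
    print("strict 5-per-7-days reading:  ", SAMPLE[0] + timedelta(days=7))
```

The model only counts certificates that were issued, so a client-side refusal such as the Synology popup does not change the result.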