Hi, I am trying to get a certificate from Let’s Encrypt, but it keeps failing with the popup message: "Maximal certificate requests reached for this domain name". I have gotten several certificates for this domain before (for testing, and I didn't know about the rate limit), but it's been more than 34 hours since the last time (according to the doc: Rate Limits - Let's Encrypt).
Could anyone please tell me how long I should wait before the next try? Many thanks
Yes, the Let's Encrypt server returns the exact date and time on which a retry may succeed. But, Synology often converts the messages from the LE server into its own so might lose that info.
Further, Synology itself might issue that error for things it decides are "too often".
In this case though you may only need to wait another day or so. You have gotten 5 identical (wildcard) certs in the last 7 days. So, once the oldest "rolls off" you should be able to get a new one.
That said, you are getting a lot of production certs. Getting certs is not your problem. Your system is not applying them properly. That's a better question for the Synology forum.
I had decided to wait another 7 days, but I just found another issue: I attempted to request a certificate on 2024-11-28 00:50:33 UTC, but Synology indicated that "Maximal certificate requests reached for this domain name." I initially thought this request had failed again. However, it seems that this request was successful based on the information from crt.sh: crt.sh | 15527947450.
I’m confused, is this a bug in the Synology DSM system? Is there any chance I can get it back somewhere on DSM's file system? Could you please try to explain what might have happened?
Hi~ I’d like to provide some additional information based on my calculations. I found that the time interval between my last certificate request on 2024-11-26 17:04:42 UTC and my recent request on 2024-11-28 00:50:33 UTC is only a little over 31 hours, which is shorter than the 34 hours mentioned in the documentation.
However, it’s strange that crt.sh indicates the creation was successful. Yet, after waiting for over 34 hours, when I tried to request again, it still didn’t work, and I couldn’t find any updated records on crt.sh.
Am I possibly missing some information here? Any insights would be appreciated, thanks!
Up to 5 certificates can be issued per exact same set of hostnames every 7 days. This is a global limit, and all new order requests, regardless of which account submits them, count towards this limit. The ability to request new certificates for the same exact set of hostnames refills at a rate of 1 certificate every 34 hours.
So I plan to wait another 34 hours since my last attempt. If the issue still persists, I will reach out to Synology support.
I’d like to clarify a fact here: the reason I have so many certificates is that I attempted to generate them multiple times without knowing there were limitations, rather than Synology applying for so many at once for me.
BTW, I just gave it another try (after waiting more than 34 hours since the last attempt), but the issue still persists. I've contacted Synology support, and I will update you if there’s any progress.
Yeah, let us know what happens from that. My thought was simply that because you're getting so many certs it was probably because your Synology system wasn't applying or using the ones that it got. Because if your system was behaving well after getting the first cert, why would you even need to get more?
It is all good. No worries. I am curious if you get any good instructions from them.
I want to say that changed within the last month. I don't know if the "leaky bucket" algorithm is new or just a clarification of how it works. I noticed it went in the same time it was noted that ARI renewals are exempt from most rate limits.
I think it was early this year that the LE server started including the date/time by which another request could be tried. Some of us were posting about seeing more than 5 certs / week. So, that was probably the start of experimenting with the leaky bucket (nice term<g>). And, yeah, the docs probably got refreshed along with other stuff last month.
I still don't recall ever seeing official notice of any of this though. I'd have thought we'd see something in the API section. Oh well. It is more practical than blocking for possibly an entire week. But perhaps the "refill" period needs to get longer the more frequently a requester renews "too soon". Renewing every 34H "forever" is poor practice. /rant off
There is no 34H rate limiting timer.
34H is just 1 week [168H] divided by 5 [33.6H and then rounded up].
So...
The actual rate limit is 5 certs in a week - and that is what the counter and timer are set to watch.
No, the LE docs now (as of last month it looks like) say every 34H an extra one is granted. So, if you got 5 certs in one day you could get a 6th in 34H.
The LE Rate Limit page had a major update.
This explains why we have seen (many) examples of 6 certs in one week and why the LE message suggests another can be requested in less than a strict 5/week limit.
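Added example, not part of any post in this thread: a simplified model of the limit as the quoted documentation states it (5 certificates per exact set of hostnames, one slot regained every 34 hours), replayed over constructed order timestamps to show when the next order would fit. The name `replay` and all timestamps are assumptions, and Let's Encrypt's real implementation may differ in detail.

```python
from datetime import datetime, timedelta, timezone

BURST = 5                        # certificates per exact set of hostnames
REFILL = timedelta(hours=34)     # one slot regained every 34 hours (quoted docs)

def replay(orders, burst=BURST, refill=REFILL):
    """Replay order attempts against a leaky-bucket model.

    Returns (time, allowed, retry_after) per attempt; retry_after is None
    when the order is allowed. Uses exact timedelta arithmetic (no floats).
    """
    tolerance = (burst - 1) * refill   # how far ahead the bucket may run
    tat = None                         # time at which the bucket is full again
    results = []
    for t in sorted(orders):
        if tat is None:
            tat = t                    # bucket starts full
        earliest = tat - tolerance     # first instant a new order fits
        if t >= earliest:
            tat = max(tat, t) + refill # allowed: consume one slot
            results.append((t, True, None))
        else:
            results.append((t, False, earliest))  # denied: nothing consumed
    return results

# Constructed timestamps (not taken from the thread): five orders in one
# afternoon, then retries 31 h, 34 h and 35 h after the first order.
T0 = datetime(2024, 11, 25, 10, 0, tzinfo=timezone.utc)
SAMPLE = [T0 + timedelta(hours=h) for h in (0, 1, 2, 3, 4, 31, 34, 35)]

if __name__ == "__main__":
    for when, ok, retry in replay(SAMPLE):
        status = "issued" if ok else f"rate limited, retry after {retry:%Y-%m-%d %H:%M} UTC"
        print(f"{when:%Y-%m-%d %H:%M} UTC  {status}")
```

In this model the sixth order fits 34 hours after the first of the burst, whereas a strict sliding window of 5 per 168 hours would refuse it until seven days after that first order.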