Thanks for these replies everyone, they are very helpful and help with the learning process for this. This is part of my first long awaited venture into SSL and Let’s Encrypt and I feel I’ve been getting the hang of it pretty nicely but still have a way to go.
The newest domain was registered in early December, so I don’t believe that could be an issue.
They gave me some of the supposed log info, like the following. First a bunch of these for affected addon domains:
8:xx:xx PM The website “exampleaddon.example.com”, owned by “username”, has a faulty SSL certificate (OPENSSL_VERIFY:0:18:DEPTH_ZERO_SELF_SIGNED_CERT NOT_ALL_DOMAINS). AutoSSL will attempt to replace this certificate.
Heres the full error logs for the account from LetsEncrypt. [I.e., the rep was referring to the above.]
8:xx:xx PM WARN (XID wkzbf3) The ACME function “https://acme-v01.api.letsencrypt.org/acme/new-cert” indicated an error: “Error creating new cert :: too many certificates already issued for: example.com: see https://letsencrypt.org/docs/rate-limits/ (The request exceeds a rate limit)” (429, “Too Many Requests”, urn:acme:error:rateLimited). at bin/autossl_check.pl line 679.
You have exceeded your rate limits for LetsEncrypt. https://letsencrypt.org/docs/rate-limits/ Please check this out and see why the limits were set. You will have the certificates issues eventually however we are not holding it up, LetsEncrypt are.
I added bold to that last sentence, because…
That last sentence about “eventually” is nonsense, yes?
Here is my current understanding:
When you are using shared cPanel hosting with a “main domain” to which you add “addon domains,” there is a fixed “rate limit” of the total # of LE certificates that can be installed which pertain in any way to that main domain. Ergo, any certificate issued for exampleaddon.example.com and the “www.exampleaddon…” version is considered to be a certificate for main domain example.com, and will fail if you have reached the total # limit for example.com
Next, my understanding from reading the rate limits page is that there is no limit on the number of distinct domains for which the LE certs can be issued, hence you still have the option to LE secure exampleaddon.com and every permutation of it which does not include main domain example.com if the addon itself does not have too many subdomains. Not only is that my understanding of the LE rate limits page, but that has also been my experience (though unfortunately not with this host).
The problem with the host I am dealing with re this issue is that they do not allow shared hosting customers to have access to the means of manually securing the addons after you have reached the rate limit for the main domain, so you have to wait for their cron job to secure them. But their cron job or script which supposedly runs every 20 minutes has failed to do that.
So it seems both that the support rep is contradicting what has already been indicated about the rate limit, and is just schmoozing me with baloney about how the certificates will be applied at some nebulous future “eventually.”
My understanding is that the rate limit in this case is a fixed number, only unless you apply for and are granted an increase, and that for “plan B” in which you proceed to secure the addons as distinct domains, the only rate limit if you do not have many subdomains for each which you would be concerned about would be the 10 certs per 3 hours per IP.
Some of the support staff have also said what I think is nonsense about how Let’s Encrypt functionality is not native to cPanel and therefore other hosts who allow customers to have more control to “Issue” and install Let’s Encrypt in cases like this have made some special proprietary plugin or something. Sure, strictly speaking yes, I don’t doubt Let’s Encrypt is “not purely native” to cPanel, but so what. In my observation that appears to be partially false bamboozling. It seems to me that cPanel has been working with Let’s Encrypt and there is standard functionality which has been created to be plugged into or used with cPanel, even if each provider is able to do some degree of customization. For example, it seems the “Issue” feature is a standard item, not something each host dreamed up on its own with differing code. And I seriously doubt everyone running and talking about “AutoSSL” simply dreamed different versions of that by the same name up on their own.
So my understanding is that it cannot be true that the addons will “eventually” be covered, assuming anyone wants to live and operate that way, and that the support rep must be wrong about that.
My understanding is that this particular host could easily allow this standard “Issue” functionality to shared hosting customers, could also allow them to run AutoSSL manually while excluding subdomains that fall under the rate limit on the main example.com hosting domain, just as numerous other hosts do this or that or both, but that they are simply trying to push people into more expensive plans before people are ready or are even close to needing such more expensive plans.
And yes, if any of my observations and understanding of what I have learned and experienced so far is off in any way, do please let me know. My experience so far is certainly consistent with what I’ve written, however.