Notification before rate-limit reached

I don't know what makes them "vulnerable", nor, frankly, why I should care. (edit: it should be obvious by now that the emotional appeals carry pretty close to zero weight with me.) But let me turn the question around--is their ignorance, combined with their inability or unwillingness to read and understand the documentation, "seriously a valid reason" to put in whatever effort it would take to implement this suggestion?

And to directly answer your question, yes--if Let's Encrypt doesn't meet their needs, they should look somewhere else. Is that in the least bit controversial?

Agreed, and I think this is the fundamental problem. And it makes me seriously question whether "Let's Encrypt is SSL for Dummies" was a wise marketing strategy.

7 Likes

I asked that once too and the reply was something like I had to be nicer to the "Dummies" on the Community here and that LE is literally for everybody, even your gran of 82!

3 Likes

Here's the exact text from the rate limits page:

A certificate is considered a renewal (or a duplicate) of an earlier certificate if it contains the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of hostnames by adding [blog.example.com], you would be able to request additional certificates.

What "technical prowess" is needed to understand the last sentence in this paragraph?

7 Likes

I think it's more a question of general intelligence where the user needs to combine the two parts of the documentation. And the willingness to read that far.

2 Likes

Bingo. Which has a lot to do with why I won't spell it out any more--if they can't even read that far, their blood is on their own heads.

8 Likes

Hear hear @danb35, no argument from me!

2 Likes

OK. So "fix me Fix me" it is true. Happens all the time. Happened to me too.

I can relate. But maybe there should be a "newbie category" or some kind of indicator in the client that "you're running out of requests" that lets users know that they have to pay attention. Just because individuals have "10 years of experience" in Linux or IIS doesn't mean that they understand TLS/Encryption or the way it works.

IT admins are notorious for farming out SSL/TLS issues because it takes valuable time. This is convenient, but overall it is not productive.

Rate limits are a big thing here. Mostly due to a lack of research (and that's because we don't want to read).
Some folks need a leg up. Some folks need a whipping. Most people just need to know how to get a cert.

I suggest that new users (or so called admins) get some "pampering" to give them a chance to fix their issues.

Overall, the help form is pretty good at laying out the environment to give the real experts (you guys) the issues as what is really the problem at large. But will they fill it out?

I have read thousands of threads here. Many sites are now running on other certificates. It is OK. Do as you will. Let's Encrypt has a goal and a mission. If there's someone or a group that is not satisfied, so be it.

But we should try to satisfy those that have no other solution. Realize the issues that are presented by geography, politics or censorship.

Yeah I have opinions and attitudes, but I realize that we have to discern the issues and help where we can.

There is a real issue with countries or dominions that are censored. We should pay close attention to this as we evolve. Freedom of speech and EFF is all about free speech. We should be paying attention to this and helping where we can.

9 Likes

Thank you so much for the inspiring words, Rip. :blush:

7 Likes

I really don't understand how some can say "If they can't read the documentation and implement a solution based on that reading, then they deserve what they get.".
Then why are you even here?
Who do you decide to help?

Let's say:
I work at a pet shelter and a stray happens by and I say to it - "You know the streets. You should be smart enough by now to fend for yourself. Why are you asking for any help? And shoo it on its way."
I should quit that job immediately and let someone else (who really cares) do that work.

Seems like most of the "facts" in this topic are taken out of context or skewed to fit a particular view.
Even when 99% of the people can figure it out, who are we to judge that 1% that didn't or couldn't?
Everyone can't be smart at everything they do!

Anything that would caution someone before exceeding a limit would be welcomed in my view.
They start with a green light and then get hit with a red light and are put into a penalty box.
The idea of a yellow light here makes all the sense in the world to me.
I don't know how much time, nor coding, it would take to implement such a change and I shouldn't be judging the result based on that factor (I'll leave that to those that would know and can assign such resources).

6 Likes

You don't have to be Einstein, the only thing I'd like to see is some amount of effort being put in. It's all about the attitude for me, personally.

I like to help people, I really do. Heck, it's my day job. But this Community isn't. Here, I can choose whom I'd like to help. And I really don't enjoy helping people who don't make any effort at all. I just don't enjoy it. At all.

2 Likes

Then you should choose NOT to reply at all in such cases.

Like my momma always told me: "If you ain't got nothing good to say..."

6 Likes

And let you guys 'n girls have all the fun pointing them to the rate limit documentation often literally included in the error message?

2 Likes

Does it bother you when others help those that "shouldn't need the help nor be helped"?

Don't get me wrong, I have avoided responding to topics (will be left unmentioned).
That (to me) sounds like:
I don't know what I'm doing here.
Let me install this new software... it sounds fun!
Oh damn it doesn't work.
try try try
I can't get it to work.
hmm...
What can I do to fix this?
Oh, I know, I will run certbot and that will fail and then I can just ask those guys to fix it all for me!

5 Likes

Not really, only if someone hands out a solution where the user will just copy/paste the solution without actually understanding it and thus learn nothing.

That's probably the main issue I have with this feature request: will users learn from it? Currently, if you hit a rate limit, you're pretty sure to learn from it. I doubt if users who otherwise would hit a current rate limit would learn from this newly suggested limit.

2 Likes

You won't find me doing that (much).
I'm the guy with 100+ posts on a topic - yeah, step by step is my motto.
All the while trying to explain what and why along the way.
Because there will be others that may read that later too.

8 Likes

Isn't there a rate limit for that? :thinking: :laughing:

3 Likes

Yeah it gripes with like:
"You've responded X amount of times already..."
"Try inviting others into the topic..."

And I say:
"Judge me when it's all over!"
Because I won't stop until they are satisfied (and I am satisfied).

"All's well that ends well."

6 Likes

But we digress (as usual).

I say YES to the feature request for: "Notification before rate-limit reached"

Congratulations! (this is already shown)
You have now used 3 of the 5 allowed duplicate certs per week [this is what can/should be added]
Your cert can be found at ... (already shown)

And, if in manual mode, an additional prompt for full user interaction and acceptance/knowledge.

There is no silver bullet here.
If they are not running in manual mode (cPanel, CRON), then this notice will go unnoticed.
But if it can save even 10% of those that now fail, then it is worth the effort (IMHO).

Doing the numbers...
If they try twice a day via cron and it "fails" in this way, then in 2.5 days they will be blocked.
That leaves very little time for even an email notification.
But perhaps one should be sent nonetheless (where an email address is known).
They may have 27.5 days left to fix this problem (they know nothing about)!
If they are trashing a docker instance and redoing it over and over, the new log entries will also be trashed along with it...
Again, no silver bullet here.

8 Likes
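
The "yellow light" notice proposed in the post above, combined with the duplicate definition quoted earlier from the rate limits page, as an added example that is not part of the original thread and is not code from certbot or Boulder. The 5-per-week limit comes from the thread; treating "per week" as a sliding 7-day window, starting the notice at 3 of 5, and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5            # from the thread: 5 duplicate certs per week
WINDOW = timedelta(days=7)     # assumption: "per week" as a sliding 7-day window
WARN_AT = 3                    # assumption: first notice at 3 of 5, as in the mock-up


def name_set(hostnames):
    """Duplicate identity: the exact set of hostnames, ignoring case and order."""
    return frozenset(h.strip().lower() for h in hostnames)


def count_duplicates(history, hostnames, now):
    """Count prior issuances in the window whose name set matches exactly."""
    target = name_set(hostnames)
    return sum(1 for issued_at, names in history
               if name_set(names) == target
               and timedelta(0) <= now - issued_at < WINDOW)


def request_cert(history, hostnames, now):
    """Simulated issuance (no ACME traffic). Returns (issued, used, message)."""
    used = count_duplicates(history, hostnames, now)
    if used >= DUPLICATE_LIMIT:
        return False, used, "Refused: duplicate certificate limit reached"
    history.append((now, list(hostnames)))
    used += 1
    message = "Congratulations!"
    if used >= WARN_AT:
        message += (f" You have now used {used} of the {DUPLICATE_LIMIT}"
                    " allowed duplicate certs per week")
    return True, used, message


def first_refusal(start, hostnames, interval, max_attempts=50):
    """Re-request the same names every `interval`; return time until refused."""
    history = []
    for i in range(max_attempts):
        issued, _, _ = request_cert(history, hostnames, start + i * interval)
        if not issued:
            return i * interval
    return None  # never refused within max_attempts


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)  # constructed start time
    names = ["www.example.com", "example.com"]
    print(first_refusal(t0, names, timedelta(hours=12)))  # twice-a-day cron
```

With a twice-a-day schedule the notice first appears on the third issuance, 24 hours in, which leaves 36 hours before the first refused request.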

All good reasons, rg305, for the additional rate-limit. :slightly_smiling_face: A warning message is usually not enough for a user to stop and take heed. I feel like this is partially a function of the deluge of information spat at the user by certbot. I think we've all seen topics where the user doesn't even notice the link to the rate-limits in the error output. Some would say laziness. While there are cases where this is certainly true, there are also cases where confused and timid users' eyes glaze over from all the techno-babble.

So...

Does Let's Encrypt (and certbot) usage need to be geeky and filled with techno-babble? (i.e. Can they be made more "usable" by the average Joe? Would anything of value truly be lost by doing so?)

What is the actual harm of implementing a two-duplicate-certificates-per-hour rate-limit?

Should a businessman, nurse, musician, or writer need to be a journeyman website admin in order to have a secure and functioning website for "simple" purposes?

7 Likes

I say "NAY"! I'm pretty sure this isn't a trivial thing to code into certbot (which would limit this feature to just this one client) nor into Boulder (and how should a client present this warning if we code it into Boulder?). While I don't think this is a great idea in the first place, I believe the effort to actually code it isn't worth it at all.

Unless it's written as a very well written PR by the Community, it would cost substantial coding time of a dev team already at its max.

Heck, I've got two PRs sitting out there, waiting for someone to even review them. Let's not bother the dev team with a feature request like this. Too much effort for too little gain.

2 Likes