One of the Let's Encrypt rate limits has been exceeded

Hi

I'm getting an exceeded certs limits message - I have created 1 SSL request in the last month - the error/message is wrong - has anybody come across this and can help? Many thanks.

My domain is: easylib.co.uk

One of the Let's Encrypt rate limits has been exceeded

My hosting provider, if applicable, is: fast2hosts.com

Richard

It is helpful to know the exact message returned by the Let's Encrypt server.

But, I'll guess it relates to 50 certs / week for the same registered domain name.

While the specific name easylib.co.uk was not issued many certs, there are a large number of certs for subdomains of that name.

Can you explain more about why there are so many? Are these subdomains shared within the same organization or are they different? Because the best path forward depends on that.

From the docs: "The main limit is Certificates per Registered Domain (50 per week)."

Here is just a partial list of recent certs issued. I didn't count them but there were a very large number issued on Aug 27 alone.

3 Likes

Hi Mike

Thank you so much for taking the time to get back to me.

I’ll add more information to see if this can help you add some more advice…

Can you explain more about why there are so many? Are these subdomains shared within the same organization or are they different? Because the best path forward depends on that.”

I’ve got about 400 sites/web apps for customers – each customer has their own site e.g. newcustomer.easylib.co.uk – Is there something strange about this??

These have been added over the last 10 years or so – about 40-70 per year – this is why I’m puzzled as to hitting a limit e.g. 50 per week (I’m assuming the 50 includes new and renewed certs?)

Averaging out over 12 months we are looking at around 30 per month – maybe I don’t fully understand the way Let’s Encrypt counts these.

How did you get this btw?

Kind Regards

Richard Griffiths

1 Like

Well, that tells me you are almost certainly reaching the 50 certs / week / registered domain limit.

This does not count cert renewals, only new issuances for that name (or a subdomain), so perhaps you had an unusually large number of new customers on Aug 27 :slight_smile:

There are many public cert lookup tools; I used https://crt.sh. Be sure to use their Advanced settings and check "Exclude Expired Certs", because otherwise your history is too large and will time out (and put stress on crt.sh itself). Also choose "DeDuplicate" to avoid seeing both the Precert and the Leaf certs.

As to the way forward, given these are customers, you should register that name in the Public Suffix List: https://publicsuffix.org/ See that page, but one reason is the management of cookies for your customers. This also changes how Let's Encrypt rate limits work. The PSL isn't used solely for rate limits, as there is a form if just a rate limit needs changing. It is just the best approach for registered names that are shared like this.

It takes some time (weeks probably) to get into PSL and have that recognized by Let's Encrypt. Post here after you get on PSL to check.

Here are key bits from the Rate Limits page

If you’re working on integrating Let’s Encrypt as a provider or with a large website please review our Integration Guide.

The main limit is Certificates per Registered Domain (50 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain. Exceeding the Certificates Per Registered Domain limit is reported with the error message too many certificates already issued, possibly with additional details.

...

Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains.

3 Likes
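The accounting described in the quoted docs (registered domain derived from the Public Suffix List, a rolling week, renewals of the exact same name set exempt from the 50/week limit but subject to the 5/week duplicate limit) can be replayed over a crt.sh export. The Python below is an added example and not code from the thread, Let's Encrypt or crt.sh. The suffix table is a three-entry stand-in for the real PSL, the certificate history is constructed, and the only crt.sh assumptions are the `name_value` and `not_before` fields of its `output=json` export; nothing here goes on the network.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stand-in for the Public Suffix List (assumption: only the suffixes the sample
# data needs; the real list is https://publicsuffix.org/list/).
PUBLIC_SUFFIXES = frozenset({"uk", "co.uk", "com"})

# Limits as quoted from the Let's Encrypt rate-limits page in the thread.
CERTS_PER_REGISTERED_DOMAIN = 50   # new issuances per registered domain, rolling 7 days
DUPLICATE_CERTS = 5                # certs for one exact name set, rolling 7 days
WINDOW = timedelta(days=7)


def registered_domain(name, suffixes=PUBLIC_SUFFIXES):
    """Longest matching public suffix plus one more label, as the docs describe
    (new.blog.example.co.uk -> example.co.uk). A leading wildcard label is ignored."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in suffixes:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])   # no suffix matched: fall back to the last two labels


def load_crtsh(json_text):
    """Parse crt.sh output=json rows into (not_before, frozenset(names)) pairs sorted by
    time, collapsing the precertificate and leaf rows crt.sh lists for one issuance."""
    seen, certs = set(), []
    for row in json.loads(json_text):
        names = frozenset(n.strip().lower() for n in row["name_value"].split("\n") if n.strip())
        cert = (datetime.fromisoformat(row["not_before"]), names)
        if cert not in seen:
            seen.add(cert)
            certs.append(cert)
    return sorted(certs, key=lambda cert: cert[0])


def replay(certs, suffixes=PUBLIC_SUFFIXES):
    """Replay issuances in time order. Returns (peak new issuances per registered domain
    in any 7-day window, peak certs per exact name set, when each domain first passed 50).
    A cert whose exact name set was issued before is a renewal: it is exempt from the
    per-registered-domain limit and counted only under the duplicate limit."""
    new_by_domain, dups_by_set = defaultdict(deque), defaultdict(deque)
    peak_domain, peak_dups, first_over = defaultdict(int), defaultdict(int), {}

    def push(window, t):
        # Append t, drop entries 7 or more days older than t, return the window size.
        window.append(t)
        while window[0] <= t - WINDOW:
            window.popleft()
        return len(window)

    for issued, names in certs:
        is_renewal = names in dups_by_set
        peak_dups[names] = max(peak_dups[names], push(dups_by_set[names], issued))
        if is_renewal:
            continue
        for dom in {registered_domain(n, suffixes) for n in names}:
            count = push(new_by_domain[dom], issued)
            peak_domain[dom] = max(peak_domain[dom], count)
            if count > CERTS_PER_REGISTERED_DOMAIN and dom not in first_over:
                first_over[dom] = issued
    return dict(peak_domain), {tuple(sorted(k)): v for k, v in peak_dups.items()}, first_over


def sample_crtsh_json():
    """Constructed sample in crt.sh JSON shape (only the fields load_crtsh reads): steady
    onboarding, a one-day burst of cPanel-style names, renewals and a duplicate storm."""
    rows = []

    def add(names, when):
        for _ in range(2):   # crt.sh lists the precertificate and the leaf as two rows
            rows.append({"name_value": "\n".join(names), "not_before": when.isoformat()})

    start = datetime(2023, 8, 1)
    for i in range(40):                      # about two new customer sites a day
        add([f"customer{i}.easylib.co.uk"], start + timedelta(hours=12 * i))
    burst = datetime(2023, 8, 27, 9)
    for i in range(17):                      # 51 single-name service certs in 17 minutes
        for svc in ("mail", "webmail", "autodiscover"):
            add([f"{svc}.customer{i}.easylib.co.uk"], burst + timedelta(minutes=i))
    for i in range(40):                      # renewals of the original sites: exempt
        add([f"customer{i}.easylib.co.uk"], burst + timedelta(hours=1, minutes=i))
    for k in range(6):                       # the same exact name set issued six times
        add(["shop.easylib.co.uk"], burst + timedelta(hours=2, minutes=k))
    add(["www.example.com"], burst)          # a different registered domain
    return json.dumps(rows)


if __name__ == "__main__":
    certs = load_crtsh(sample_crtsh_json())
    peak, dups, over = replay(certs)
    print("worst 7-day count of new certs per registered domain:", peak)
    print("first issuance over 50:", over)
    print("name sets over the duplicate limit:", [k for k, v in dups.items() if v > DUPLICATE_CERTS])
    # Same history once easylib.co.uk is on the PSL: every customer name becomes its own
    # registered domain, so the 50/week count is spread across them instead of pooled.
    listed = PUBLIC_SUFFIXES | {"easylib.co.uk"}
    print("worst 7-day count with easylib.co.uk on the PSL:", max(replay(certs, listed)[0].values()))
```

On the constructed history the forty onboarding certs never come close to the limit, the forty renewals on Aug 27 do not count at all, and it is the burst of single-name `mail.`/`webmail.`/`autodiscover.` certs that pushes `easylib.co.uk` past 50, while `shop.easylib.co.uk` trips the separate duplicate limit on its own. Re-running with `easylib.co.uk` added to the suffix table shows why the PSL route changes the picture: the same certs are then counted per customer name. To use it on real data, feed `load_crtsh` the JSON that the crt.sh search for `%.easylib.co.uk` exports (the same "exclude expired" option mentioned above keeps that export small).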

Hi

It still times out for me!!

“This does not count cert renewals only new issuances for that name (or a subdomain) so perhaps you had an unusually large number of new customers on Aug27 perhaps “

Seems very unlikely to me – I would register 6-10 maybe at most in a week let alone a single day – so still not sure although you seem quite happy that the 50 limit would/could be reached.

As the limit is done on a rolling date, can I assume this issue will sort of resolve itself as the days pass by?

Will I get more issues going forward if, say, I add another 40-50 new sites spread over the next 12 months?

Kind Regards

Richard Griffiths

1 Like

If your ACME Client showed the exact message that came from the Let's Encrypt server we would know for sure which of the rate limits you were exceeding.

I see about 100 certs issued in the past week. Some of those are sure to be renewals so don't count against the 50/week. Crt.sh can be easily overloaded by other people. It is sometimes hit and miss.

That said, the PSL still seems best way forward for you for the super-cookie reason alone.

Yes, it is a rolling limit. I don't have a quick way to show the recent history I saw on crt.sh, but below is a pic of some from Aug 27. Many were for what looks like cPanel type names. Were you experimenting with a different config setup?

That would not be enough by itself to trigger the 50/week/registered-name limit.

3 Likes

Hi Mike

Can I get back to you on this – got to disappear for a while – pick up Sunday – really appreciate your help here to understand things.

Kind Regards

Richard Griffiths

2 Likes

Hi Mike

I’ve now managed to get a list of my SSL certs.

I can see quite a lot of old web-sites – I’ve overlooked deleting/cancelling the SSL cert.

Is there a way to do this – I can see in my Plesk interface I can unattach and even delete the cert – I’m assuming this will help (removing/deleting no longer needed SSL certs).

1) Will these steps remove them from Let’s Encrypt?

2) You mentioned cPanel – this was on an old server that I don’t have access to anymore, so there may well be

a) sites with SSL certs from that server

b) sites on my current PLESK server that I’ve deleted but not explicitly deleted the SSL cert.

How do I handle these scenarios?

Finally, in the SSL list I can see entries – what are these, as they seem to have a cert associated?

Autodiscover.xxx.co.uk

Mail.xxx.co.uk

Webmail.xxx.co.uk

I appreciate I’ve asked a lot of questions and thank you once again for your time/effort.

Kind Regards

Richard Griffiths

1 Like

It will at least make monitoring what is happening easier. But, continuously renewing certs don't affect the 50/week limit per registered name.

I am not an expert at Plesk so not sure. What I do know is some program must request a cert and satisfy the challenge to get one from Let's Encrypt. Every renewal must do this too not just new domains.

To stop renewing certs you need to find the program making those requests and stop it.

Once a cert is issued it is permanently recorded. You can delete it from your local system but it will continue to exist in LE's records and places like the public cert logs (as shown by crt.sh).

Yes, those names are commonly used by cPanel systems. Again, you will have to track down where that is and how to control it. Are some customers able to request certs by themselves for subdomains of your apex domain? Maybe that is how they got there.

If someone were requesting certs "on the side" this could contribute to a 50/week limit.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.