Order of renewals as of July 20th, 2017 - Not accurate?

As per Rate Limits - Let's Encrypt

The order of renewals and new certificate issuance is no longer important for the renewal exemption since July 20th, 2017.

Has this actually been implemented? In the last 168 hrs I generated 4 new certificates, and renewed 16. I tried to issue a new certificate and I got error 429: "too many certificates already issued for...."

Each certificate has a common name and 6 SANs, which are 6 unique sub-domains, 4 of which are on a different TLD. For example: crt.sh | 187348881

Why am I hitting the 20 limit?

You may have miscounted or misconfigured some of the list groups.
Take a look at:
https://crt.sh/?q=us-east.windscribe.com

This certificate is indeed "bad": crt.sh | 186074981

However the remaining 4 that were generated for this domain are all good, and unique, as the SANs are all unique except for "us.windscribe.com" and "us-east.windscribe.com" which must be present in all certs that start with us-xxx.domain.com.

Does this get counted towards the duplicate limit somehow? It shouldn't if I'm reading this correctly:

For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names by adding [blog.example.com], you would be able to request additional certificates.

The change mentioned regarding ordering of issuance and renewals no longer mattering has been rolled back. There was a post earlier about it from bmw or jsha.

See the last post in this thread: Rate limit update: removal of renewal and new-issuance ordering constraints

Ahh, well, that makes sense. Any idea when this will be restored?

Hi @yegor, as @jared.m mentioned (Thanks!) this change has been removed. I changed the website code yesterday to remove the documentation you're referencing but the live website hasn't been updated yet (I'll make sure that happens today). The website itself was updated this morning. Apologies for the confusion.

There's no estimate at the present time. It will likely be several weeks out. We need to revisit the implementation and part of this will require doing an expensive database migration on a large table in the prod DB to add a new field.

Thanks for understanding,

@cpu Okay, thanks for the feedback.

Not to derail the topic, but how does one get a rate limit adjustment? We filled out this form (https://docs.google.com/forms/d/e/1FAIpQLSfg56b_wLmUN7n-WWhbwReE11YoHXs_fpJyZcEjDaR69Q-kJQ/viewform?c=0&w=1) months ago, and never heard back.

We operate hundreds of servers worldwide and heavily rely on LE. Sometimes we need to provision 30+ servers in a single day, which requires us to wait a whole week before we can put them into production due to the 20/week limit. We issue a certificate for each individual server, and for security reasons they cannot have SANs for multiple servers.

Thanks!

Can you DM me the information you submitted? I will follow up.

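The limits discussed in this thread can be checked locally before an order is submitted. The sketch below is an added example, not code from Let's Encrypt or from any poster. It assumes the behaviour reported above (a renewal is an order with the exact name set of an earlier certificate, and renewals count toward the 20-per-week total when a new name set is requested), and `registered_domain`, `check_order`, `sample_history` and the reason strings are hypothetical names.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=168)   # the week ("168 hrs") used in the thread
PER_DOMAIN_LIMIT = 20           # the "20 limit" on certificates per registered domain
DUPLICATE_LIMIT = 5             # one certificate plus "four more" for the same name set

def registered_domain(name):
    # Assumption: the last two labels; production code needs the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def check_order(history, names, now):
    """history: list of (issued_at, names). Returns (allowed, reason)."""
    wanted = frozenset(n.lower() for n in names)
    issued = [(t, frozenset(n.lower() for n in ns)) for t, ns in history]
    recent = [s for t, s in issued if now - t < WINDOW]
    # The duplicate limit applies to renewals and new orders alike.
    if sum(1 for s in recent if s == wanted) >= DUPLICATE_LIMIT:
        return False, "duplicate-limit"
    # Same exact name set as any earlier certificate: treated as a renewal.
    if any(s == wanted for _, s in issued):
        return True, "renewal"
    # New name set: every certificate in the window counts, renewals included.
    for dom in sorted({registered_domain(n) for n in wanted}):
        used = sum(1 for s in recent if any(registered_domain(n) == dom for n in s))
        if used >= PER_DOMAIN_LIMIT:
            return False, "per-domain-limit:" + dom
    return True, "new"

def sample_history(now):
    # Constructed data mirroring the thread: 16 renewals plus 4 new certificates.
    history = []
    for i in range(16):
        names = ["r%d.example.com" % i, "r%d.example.net" % i]
        history.append((now - timedelta(days=60), names))      # original issuance
        history.append((now - timedelta(hours=i + 1), names))  # renewal this week
    for i in range(4):
        history.append((now - timedelta(hours=100 + i), ["n%d.example.com" % i]))
    return history

if __name__ == "__main__":
    now = datetime(2017, 8, 1)
    hist = sample_history(now)
    print(check_order(hist, ["n4.example.com"], now))
    print(check_order(hist, ["r0.example.com", "r0.example.net"], now))
```

Running the check against the certificate history (for example, one exported from a CT log search) before provisioning shows which orders would be refused and which would still go through as renewals.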