Problem attempt create certificate for domains

#1 is the most commun domain of the mucipalitys in Sao Paulo State here in Brazil,

When I’am try get one, the following warning display, see in attachmet

Too many certificates for SP.GOV.BR

Hi @rafaelbassora,

Let’s Encrypt has various rate limits to prevent people from abusing the service. Unfortunately, you’ve run into one of those here.

Since the municipalities are different entities, it isn’t the goal of this policy to stop them from having their separate certificates. There is a procedure to request an override for the rate limits which might be applicable here. However, the procedure should be invoked by someone who is responsible for the administration of the domain name in question (not just an end user). Do you know who runs

I also speak Brazilian Portuguese so I can correspond with them if that would be helpful (or I can help translate the rate limit documentation if they don’t understand the issue). (If you want, you can add me as a recipient on e-mail in Portuguese with them; my address is my forum username here plus

There is also an option to get the rate limit lifted by adding the domain to the Public Suffix List.

This is used by browsers and makes their treatment of cookies more correct (without it, for example, if one municipality sets a cookie, it can probably be read by another municipality’s site, which is probably not the correct behavior for security and privacy reasons), so it might be a benefit. This also needs to be done by the people who are responsible for the domain name.


I also wonder if other Brazilian states give Internet domain names to their municipalities in the same way. It’s natural that the state of São Paulo would run into this problem first, but other states could have the same difficulty in another year or two. Maybe the CGI could undertake a project to get each Brazilian state’s domain listed on the Public Suffix List?


Yes, @schoen , the default for all federation units is


I will try to find the contact with PRODESP staff, this site has an email I do not know if I will be able to … *


tks for your reply :wink:


What would you think about also presenting the topic to CGI?


The CGI has thrown the responsibility of domains control to the state governments that register the domains of the municipalities, I believe they will not be able to help us in this matter, I find it easier to solve the problem by increasing the limit for domains that have .gov do not think ?


I contacted PRODESP responsible for, I copied it in the email, okay? :wink: Tks!


I’ve replied to your e-mail to try to explain to them why the Public Suffix List would be a good solution in this case.


It’s very difficult to talk to the Prodesp people, but I’m trying … It’s hard to be without a certificate lol kkk rs


There might also be some sensitivity about this topic because of the AC-Raiz Brasileira, which is not accepted by default by major browsers, but I have the impression that the people operating it wish it would be more widely used by Brazilian government entities.


No solution to the problem … unfortunately, let’s change our domain or buy the certificate


Did you get any reply from PRODESP?

I’m sad to just let this fail, because we can see that the problem arose because many municipalities are actively using the service:

So Let’s Encrypt is already popular with other municipalities in your state, and each one will potentially have the same kind of problem that you did in the future.


The Brazilians do not have the same sense of solidarity that you Seth, unfortunately … I think it’s an insoluble issue, they do not have a direct channel, I do not think Prodesp knows what https:


Sabe essa lista que você me mandou os do eu que criei mais cedo, será que têm como remover/revogar.


Vou responder em inglês para que outros entendam:

Revoking a certificate does not affect the rate limits at all; they are calculated on the basis of new issuance of certificates, not on the basis of the total number of certificates in existence. This also means that if people wait long enough, they may be able to issue new certificates even when many other certificates exist.

The rules are a little bit complex, but the most important thing for these purposes is that revoking existing certificates won’t change the rate limits or allow more new certificates to be issued.


I would really like to try to bring this up with some other entities. It’s hard to me to believe that there isn’t some potentially responsible entity that would care about this.


I have the same problem here.
I’ll try to get the email of prodemge. They administer the domain
mydomain is


Hi @LucianoECunha,

I will send you a copy of the longer note in Portuguese that I sent to Prodesp. It hasn’t produced a useful response so far, but maybe the additional arguments and explanations there will be helpful to you in your discussions. (Feel free to send my message to anyone else if you think it may be useful.)

Also, if one state decides to act on this, maybe that fact will then be useful in the future with other states.