Problem with limit

Hello, I am having a certificate creation limit problem, do you have a business version or something that I can use without limits?

Nope, everyone uses the same version of the service.

The rate limits are documented at

https://letsencrypt.org/docs/rate-limits/

If you are providing services for a large number of different entities under the same domain name, there’s a form there where you can request a rate limit increase. This increase is free of charge, if approved.

Yes today . I am using in milvus.com.br my client can create subdomains, we uploaded this update today and we are facing this limit problem. I have not been able to generate more certificates, and I’m with clients because of this.

We’re checking out by leaving https just in http.

How do I submit to this form requesting a raise?

I’m noticing you’re issuing certificates for each subdomain individually. Is there any reason each one needs it’s own individual certificate? You get 20 certificates/domain/week, and each one can hold up to 100 subject alternative names, for a total of 2,000 subdomains per week.

The increased rate limit form can be found in the Overrides section of the Rate Limit article @schoen linked. This is it, but I’d recommend using the one in that document as it will update for any changes, but my post will not.

Note that it will take a few weeks to process that limit increase request.

I’m also noticing that you’re re-issuing some certificates after only a few days. It would help if you only renewed when the certificates were closer to expiry (e.g. portal and milvusteste were issued today when you also had these same certificates issued 4 days ago.)

Hi @felipealvesbezerra,

Se você precisar, também posso ler e escrever português e posso esclarecer quaisquer dúvidas em português. Pelo presente vou escrever essa resposta em inglês para deixá-la mais acessível aos outros leitores no fórum.

The rate limit exemption request form is found at

It does not appear to me that you will be eligible for this exemption right now, for reasons that might be clear from the information below.

https://crt.sh/?Identity=%milvus.com.br&iCAID=16418

shows that you have issued a large number of certificates with just one subdomain per certificate. You might not be aware that a certificate can cover more than one domain name (by Let’s Encrypt policy, a Let’s Encrypt certificate can cover up to 100 names). You are also using most or all of these certificates for a web site hosted on the same server. So it would be possible to get just one certificate that will cover all of your current domain names!

All browsers accept this technology.

It’s true that this would allow users to see the fact that all of these customers are hosted on the same server, but there are many ways that they could determine that already if they are interested.

According to the lectl software, which helps analyze the rate limit status:

You could issue next certificate on Friday 2017-Jul-21 04:19:00 PDT

That would be 08:19:00 BRT. At that time, you should be able to issue one certificate that applies to all of the names that you’ve already issued for and any more names that you want to be covered, up to 100 in total. If you don’t understand how to do this, please just ask here, describing what Let’s Encrypt client software you’re using.

Another thing which is not always clear to people is that according to the current rate limit logic (which is going to be relaxed in the near future), you should always issue new certificates (that cover new sets of domain names) before renewing existing certificates. Renewals of existing certificates count against the certificates per registered domain rate limit, but they are not restricted by it. So they should be done last in order to allow you to issue the largest possible number of certificates.

By managing your certificate issuance carefully, you can get about 2000 additional new subdomains covered each week under the existing rate limits, plus renewals of any existing certificates.

1 Like

I tried that way and got blocked in the same way.

You can only do it starting after 08:19:00 BRT on July 21.

(The rate limit applies to the total number of certificates issued, regardless of whether each certificate contains 1 name or 100 names.)

Entendi, só que não posso esperar ate dia 21 de julho, nesse momento estou removendo eles do meus clientes e vou analisar melhor o que fazer.

Infelizmente, nem existem ferramentas para resetar os limites em casos indivíduos. Todo usuário que já enfrentou esse problema teve que esperar antes de emitir mais certificados.

Espero que você encontrar uma solução boa para o prazo até dia 21.

Beleza, Obrigado!

Estou removendo o certificados e criando sem!

As I understand it, renewals no longer need to be done last, given this commit https://github.com/letsencrypt/boulder/commit/71f8ae0e8756a5645a9f8cbac5f6726feb264f1b was deployed into production on July 13th. The docs at https://letsencrypt.org/docs/rate-limits/ haven’t been updated to match though.

UPDATE: As per this comment in GitHub, the new mechanism has been deployed into prod, but not activated. We should be hearing some good news soon!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.