PSL - too many certificates for domain

ceecko · November 20, 2017, 5:18pm

Hi,

I have opened a thread in July 2017 (PSL - too many certificates for registered domain) which has been closed due to inactivity.

Has there been any progress?
I’m still experiencing the same issue.

Thanks

schoen · November 20, 2017, 5:21pm

@cpu, could you please look into this issue? It refers to rate limits on evennode.com, where subdomains

eu-2.evennode.com
eu-3.evennode.com
eu-4.evennode.com
us-1.evennode.com
us-2.evennode.com
us-3.evennode.com
us-4.evennode.com

are already on the PSL.

@ceecko, do you have an example of a list of domains for which this error was recently returned?

cpu · November 20, 2017, 5:22pm

I will add it to my queue.

cpu · November 20, 2017, 5:50pm

@jsha IIRC you answered a question related to this recently. Is this something you know the answer to off-hand?

mnordhoff · November 20, 2017, 5:57pm

This one?

jsha · November 20, 2017, 6:13pm

Yep, that’s the previous thread. Essentially, issuance for a parent domain gets checked against subdomains; in the case of issuance for a parent domain that is also a public suffix, there are likely to be very many certificates counting against the limit for subdomains. I think the right fix here is changing the renewal rate limit so that ordering doesn’t matter.

ceecko · November 20, 2017, 9:47pm

@schoen I’ve tried the following

evennode.com
www.evennode.com

ceecko · December 1, 2017, 5:26pm

@cpu @schoen do you need any more info?

cpu · December 1, 2017, 5:29pm

Hi @ceecko,

I understood the question to be resolved by @jsha’s previous answer. Apologies for not replying to say as much.

The order of renewal vs new issuance matters. We understand that it is difficult to coordinate for a parent domain that is a public suffix and need to fix that renewal calculation but it isn’t work slated for development in the short term.

ceecko · December 1, 2017, 5:45pm

Thank you for replying @cpu
I think it’s important to mention that it’s not possible to issue or extend a certificate with new subdomains which are not part of PSL. Adding a subdomain such as newsubdomain.evennode.com to the certificate is not possible because it requires issuance of a new certificate and that fails.

Basically, we’re stuck with the original certificate and cannot extend it
We’d be grateful if this received a priority but I understand there could be more pressing issues…

system · December 31, 2017, 5:45pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
PSL - too many certificates for registered domain Issuance Policy	5	1926	August 18, 2017
Too many certificates already issued for: dlinkddns.com","status":429 Issuance Policy	22	12809	February 21, 2016
Too many SSLs issued to a domain? Issuance Policy	22	6094	February 19, 2016
Too many certificates for SP.GOV.BR Issuance Tech	18	4425	July 22, 2017
Rate limits passed Issuance Policy	4	1368	January 4, 2017

PSL - too many certificates for domain

Related topics