PSL - too many certificates for domain



I have opened a thread in July 2017 (PSL - too many certificates for registered domain) which has been closed due to inactivity.

Has there been any progress?
I’m still experiencing the same issue.



@cpu, could you please look into this issue? It refers to rate limits on, where subdomains

are already on the PSL.

@ceecko, do you have an example of a list of domains for which this error was recently returned?


I will add it to my queue.


@jsha IIRC you answered a question related to this recently. Is this something you know the answer to off-hand?


This one?


Yep, that’s the previous thread. Essentially, issuance for a parent domain gets checked against subdomains; in the case of issuance for a parent domain that is also a public suffix, there are likely to be very many certificates counting against the limit for subdomains. I think the right fix here is changing the renewal rate limit so that ordering doesn’t matter.


@schoen I’ve tried the following


@cpu @schoen do you need any more info?


Hi @ceecko,

I understood the question to be resolved by @jsha’s previous answer. Apologies for not replying to say as much.

The order of renewal vs new issuance matters. We understand that it is difficult to coordinate for a parent domain that is a public suffix and need to fix that renewal calculation but it isn’t work slated for development in the short term.


Thank you for replying @cpu
I think it’s important to mention that it’s not possible to issue or extend a certificate with new subdomains which are not part of PSL. Adding a subdomain such as to the certificate is not possible because it requires issuance of a new certificate and that fails.

Basically, we’re stuck with the original certificate and cannot extend it :confused:
We’d be grateful if this received a priority but I understand there could be more pressing issues…


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.