PSL - too many certificates for registered domain


We have the following domain on the Public Suffix List -
We can properly get certificates for *; however, when we try to get a certificate for * we hit the following rate limit:

{ type: 'urn:acme:error:rateLimited',
detail: 'Error creating new cert :: too many certificates already issued for:',
status: 429 }

There’s only one certificate issued for and domains which can be properly renewed every two months via certbot.

According to the rate limits we should be able to get new certificates for * since we’re not hitting the 20/week certificates limit for registered domains.

Is this correct?

This was a bug, but it was fixed in May… Maybe there’s a regression, or corner case?

What’s your domain? Maybe there really were 20 sundry certificates issued recently.

@mnordhoff - I remembered there was such a bug, but couldn’t find it. Thanks.
The domain is

@mnordhoff - any ideas what could be wrong?

@cpu, do you have any code that can easily replicate the rate limit calculation given a Public Suffix List listing of at least some subdomains? It seems possible that the PSL logic is being applied incorrectly here, or maybe that this organization is issuing enough certificates under their top-level domain (which isn’t on the PSL) to cause problems.

Or is it possible that if you have on the PSL and don’t have on the PSL, issuance under that reaches the certificates per registered domain rate limit could also prevent from issuing?
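
The calculation asked about in the last two posts, as an added example that is not part of the original thread and not Let's Encrypt's own code: it derives the registered domain with the PSL longest-match rule and counts a week of certificates per registered domain. The domains, dates and the hosted.example.com PSL entry are constructed; wildcard and exception PSL rules are left out, and treating a name that is itself a public suffix as its own bucket is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed PSL excerpt: "com" plus a hypothetical private-section entry
# standing in for the kind of listing the thread describes.
PSL_RULES = {"com", "hosted.example.com"}
LIMIT = 20                   # certificates per registered domain ...
WINDOW = timedelta(days=7)   # ... per week, as stated in the thread


def registered_domain(name, rules=PSL_RULES):
    """Return the public suffix plus one label (longest matching rule wins)."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):          # a wildcard name counts under its base
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):       # i = 0 tests the longest suffix first
        if ".".join(labels[i:]) in rules:
            # Assumption: a name that is itself a suffix is its own bucket.
            return name if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])       # PSL default rule: last label is the suffix


def counts_per_registered_domain(certs, now, rules=PSL_RULES):
    """certs is a list of (issued_at, [names]); each certificate counts once
    against every distinct registered domain among its names."""
    counts = Counter()
    for issued_at, names in certs:
        if now - issued_at <= WINDOW:
            counts.update({registered_domain(n, rules) for n in names})
    return counts


def limited_domains(new_names, certs, now, rules=PSL_RULES):
    """Registered domains in the request that already reached LIMIT."""
    counts = counts_per_registered_domain(certs, now, rules)
    wanted = {registered_domain(n, rules) for n in new_names}
    return sorted(d for d in wanted if counts[d] >= LIMIT)


# Constructed history: 20 certificates under the parent domain this week and
# one older certificate under the PSL-listed subdomain.
NOW = datetime(2017, 9, 1)
CERTS = [(NOW - timedelta(days=1), [f"www{i}.example.com"]) for i in range(20)]
CERTS.append((NOW - timedelta(days=30), ["a.hosted.example.com"]))

if __name__ == "__main__":
    request = ["b.hosted.example.com"]
    print("PSL entry honoured:", limited_domains(request, CERTS, NOW))
    print("PSL entry ignored: ", limited_domains(request, CERTS, NOW, {"com"}))
```

With the PSL entry applied, the request falls in its own bucket and the parent's 20 certificates do not count against it; if the entry is ignored, the same request lands in the example.com bucket and is refused.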

