We have the following domain on the Public Suffix List: sub.example.com.
We can properly get certificates for *.sub.example.com; however, when we try to get a certificate for *.another.example.com we hit the following rate limit:
{ type: 'urn:acme:error:rateLimited',
detail: 'Error creating new cert :: too many certificates already issued for: example.com',
status: 429 }
There's only one certificate issued for the www.example.com and example.com domains, which can be properly renewed every two months via certbot.
According to the rate limits we should be able to get new certificates for *.another.example.com, since we're not hitting the 20 certificates/week limit for registered domains.
@cpu, do you have any code that can easily replicate the rate limit calculation given a Public Suffix List listing of at least some subdomains? It seems possible that the PSL logic is being applied incorrectly here, or maybe that this organization is issuing enough certificates under their top-level domain (which isn’t on the PSL) to cause problems.
Or is it possible that if you have foo.example.com on the PSL and don’t have example.com on the PSL, issuance under example.com that reaches the certificates per registered domain rate limit could also prevent foo.example.com from issuing?
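As an added illustration of the calculation being asked about (this is not code from the thread, from certbot, or from Boulder), the following Python block implements the Public Suffix List matching algorithm (longest matching rule wins, `*` wildcards, `!` exceptions) and then tallies certificates per registered domain the way a per-registered-domain limit would. The PSL excerpt, the issued-certificate list and the `*.`-stripping step are constructed assumptions; it shows that names under another.example.com bucket under example.com while names under the listed sub.example.com each get their own registered domain, and that sub.example.com itself has no registered domain under the standard algorithm, which is exactly the case whose handling the question above leaves open.

```python
"""eTLD+1 ("registered domain") lookup against a Public Suffix List snippet,
plus a per-registered-domain certificate tally.

Added example, not Boulder's or certbot's code. The PSL rules, the issued
certificates and the wildcard handling below are constructed assumptions."""

from collections import Counter
from typing import Optional

# Constructed PSL excerpt. The real list has thousands of rules; the last
# entry mirrors the thread (sub.example.com is listed, example.com is not).
PSL_RULES = """
// ===BEGIN ICANN DOMAINS===
com
net
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS===
sub.example.com
"""

# Constructed issued-certificate history: one cert per inner list.
ISSUED_CERTS = [
    ["example.com", "www.example.com"],
    ["a.sub.example.com"],
    ["b.sub.example.com", "c.sub.example.com"],
]


def parse_psl(text: str) -> list[tuple[list[str], bool]]:
    """Return (labels, is_exception) per rule, skipping comments and blanks.
    Labels are stored reversed (TLD first) so matching walks from the right."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        exception = line.startswith("!")
        labels = line.lstrip("!").lower().split(".")
        rules.append((list(reversed(labels)), exception))
    return rules


def public_suffix(hostname: str, rules) -> str:
    """PSL algorithm: a rule matches when every rule label equals the host
    label at the same position from the right or is '*'. An exception rule
    prevails and loses its leftmost label; otherwise the longest rule wins;
    with no match the TLD alone is the suffix."""
    labels = list(reversed(hostname.lower().rstrip(".").split(".")))
    best = None  # (suffix_label_count, is_exception)
    for rule_labels, exception in rules:
        if len(rule_labels) > len(labels):
            continue
        if all(r == "*" or r == h for r, h in zip(rule_labels, labels)):
            if exception:
                best = (len(rule_labels) - 1, True)
                break
            if best is None or len(rule_labels) > best[0]:
                best = (len(rule_labels), False)
    n = best[0] if best else 1
    return ".".join(reversed(labels[:n]))


def registered_domain(hostname: str, rules) -> Optional[str]:
    """eTLD+1: the public suffix plus one label, or None when the name is
    itself a public suffix (a bare TLD, or a PSL entry like sub.example.com)."""
    host = hostname.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]  # assumption: the wildcard label is dropped first
    suffix = public_suffix(host, rules)
    if host == suffix:
        return None
    extra = host[: -len(suffix) - 1].split(".")[-1]
    return f"{extra}.{suffix}"


def certs_per_registered_domain(cert_names, rules) -> Counter:
    """Count each certificate once for every distinct registered domain
    among its names, which is how a per-registered-domain limit is bucketed."""
    tally = Counter()
    for names in cert_names:
        for rd in {registered_domain(n, rules) for n in names}:
            tally[rd] += 1
    return tally


if __name__ == "__main__":
    rules = parse_psl(PSL_RULES)
    for name in ["www.example.com", "*.another.example.com",
                 "*.sub.example.com", "host.sub.example.com", "www.ck", "foo.ck"]:
        print(f"{name:24} -> {registered_domain(name, rules)}")
    print(certs_per_registered_domain(ISSUED_CERTS, rules))
```

Running it shows *.another.example.com landing in the example.com bucket alongside www.example.com, so only certificates counted against example.com can exhaust its limit, while *.sub.example.com resolves to no registered domain at all; how the CA buckets that case is the part this example deliberately leaves as an assumption.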