Public beta rate limits

Ok, thanks, I see too many certificates; probably they were my attempts to generate the certificate.

I have revoked one of my certificates; how can I identify the valid one?

The domain is: mail.agostinelli.eu

But I don’t have the pem file…

@magostinelli FYI, revoking a certificate will not free the slot for a new one. You have to wait for your rate-limit window to expire.

Also, you should use staging for testing.

Apparently you do, because your site (RoundCube) is served with a valid Let’s Encrypt certificate…

The certificate shown on the website is revoked; it’s not OK.

I don’t know why I have only one certificate in /etc/letsencrypt (the revoked one), but on the crt.sh website there are 3 certificates!

I know that revoking does not free the slot, but I don’t have the other certificates that appear on the website.

/etc/letsencrypt/live/ will only contain symlinks to the most recent cert for each domain. The actual cert along with all previous ones are in /etc/letsencrypt/archive/

Yes, in the archive directory I had the same folder as in the live folder. So now I must wait until the 11th of February, and I have two certificates on the website that I don’t have on the server. I hope on the 11th I will be able to get a new certificate without problems, also when I renew it, because there are too many certificates with the same common name.

Hello,
I’m updating my case: today 7 days have passed since the first certificate, but I receive the same error:
Error creating new cert :: Too many certificates already issued for:

Is there a scheduled task (or similar) that runs at a certain time, so I must wait until it runs?

My guess is you will need to wait a few more hours … you can check the time of day that your first certificate was issued at https://crt.sh/. If you created the first certificate at 4pm, then you will have to wait until after 4pm on the 7th day.

Update: now it’s working, only some minutes after the time of creation of the first certificate!

@jsha Hey I just hit a 429 trying to register on Staging. I’m not doing anything near 500 Reg/IP per 3 hours. I’ve probably registered about 50 times in the past few hours.

What’s going on?

[EDIT: just got new IP address and I can register fine]

Is it possible to re-download a certificate & key I already created? I didn’t realize there was a rate limit, so while testing automation around renewal, I deleted the /etc/letsencrypt directory entirely…

The certs you can get from the CT logs, the private keys however stay on your server only unless you backed them up elsewhere.

Why do people keep doing that?

Is it possible to request a manual, one-time reset of the rate limit for a specific domain?

Yes. You do this by waiting 7 days :slightly_smiling:

Seriously though, the entire point of LetsEncrypt is that it should work automatically with minimal amount of human support … otherwise the model will never work. If you managed to hit the limits, you accidentally broke this model. You should fix whatever you did so that this doesn’t happen again.

And then you wait until the time-limit expires. In the meantime, if you are really stuck, you use a certificate from a different provider. StartSSL would be an obvious choice.

Hopefully, once the public-beta is over, this will be handled in a more user-friendly way. But for now, that’s what you agreed to put up with, when you decided to take part in the beta program.

Fair enough :slightly_smiling: I hit the limit by testing the command several times for the purpose of automation. Lesson learned!

I wish the documentation was a little bit more “in your face” about using the staging servers for this purpose. They have no (or really high?) limits. So, they work great for debugging automated scripts; but they don’t serve publicly-recognized certificates. So, they are not suitable for production use.

Not all of us are doing this “by mistake”. Some of us have a dozen separate servers, such that using a single combined cert isn’t an option. Hopefully something suitable is done post-beta to alleviate this.

I wrote / use https://github.com/srvrco/getssl for automatically running the script across multiple remote servers, if that helps (as long as you have ssh access with keys to the remote servers, then you can automatically add the challenge codes etc. to those servers), if it’s just the automation issues that are preventing you from having a combined cert.

Alternatively, you can use DNS to manage the challenges, and verify different servers …

You get 5 certificates per domain and week. With a limited lifetime of 90 days and renewal after 60 days, that gives you about 8 weeks to stagger your requests. In other words, you can have 5*8 = 40 sub-domains for each of your domains. If you need more than that, maybe it would make sense to add your domain to the public suffix list (effectively lifting this limit)?

Or maybe, I don’t understand @nneul’s problem quite right.
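
As an added illustration (not code from any poster in this thread or from Let's Encrypt), the sketch below works out when the next certificate can be issued and staggers a dozen hosts across the limit. It assumes the figures quoted above (5 certificates per domain per 7 days) and a rolling window measured from each issuance time; the function names, hostnames and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 5                    # certificates per domain, figure quoted in the thread
WINDOW = timedelta(days=7)   # assumed rolling window, as the posts above describe


def next_issuance_time(issued, now, limit=LIMIT, window=WINDOW):
    """Earliest time >= now at which one more certificate fits under the limit."""
    # Only certificates issued inside the last `window` still occupy a slot.
    recent = sorted(t for t in issued if t > now - window)
    if len(recent) < limit:
        return now
    # A slot frees once enough of the oldest certificates age out to leave limit-1.
    return recent[len(recent) - limit] + window


def plan_issuance(hosts, start, already_issued=()):
    """Assign each host the earliest issuance time that never exceeds the limit."""
    issued = list(already_issued)
    plan = {}
    now = start
    for host in hosts:
        now = next_issuance_time(issued, now)
        plan[host] = now
        issued.append(now)
    return plan


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed issuance times, e.g. as read from a CT log search for one domain.
    first = datetime(2016, 2, 4, 16, 0, tzinfo=utc)
    issued = [first + timedelta(hours=h) for h in (0, 1, 2, 30, 50)]
    now = datetime(2016, 2, 11, 10, 0, tzinfo=utc)
    print("next slot:", next_issuance_time(issued, now).isoformat())

    # Constructed hostnames: a dozen servers that each need their own certificate.
    hosts = [f"srv{i:02d}.example.com" for i in range(1, 13)]
    for host, when in plan_issuance(hosts, now, issued).items():
        print(host, when.date())
```

Run the planner against the production endpoint's history only; test runs belong on staging, as the posts above point out.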