Public beta rate limits

Nope: the Registrations/IP address limit is 10 per 3 hours, but the Certificates/Domain limit is 5 per 7 days.

Guys, this 5 in 7 days limit is really frustrating and not usable for us…

Our use case is that we have a subdomain for each of our customers, e.g.

customer1.mydomain.com
customer2.mydomain.com
customer3.mydomain.com
…

And each of them has its own server, and we need a separate subdomain certificate for each of them.

This service is really nice in general already, but not usable for us with this limitation!
Can you maybe tell us when/if the rate limits will change?

The limits will likely be adjusted once the service leaves public beta. I know they also stated they are working on a form/process to lift the limit for certain purposes. It'll likely be an announcement in this forum once it's up.

If you're issuing subdomains to customers, you may want to add the domain to the Public Suffix List. Aside from Let's Encrypt using it to determine what constitutes a "domain", it also helps browsers with security so that setups like yours don't allow customers to spy on other subdomain cookies belonging to other people's sites.


@motoko is incredibly polite and makes quite the understatement. I can't emphasize enough just how dangerous it is to operate sub-domains underneath a common domain unless that domain is included in the Public Suffix List.

While TLS encryption and proper partitioning of domains are admittedly addressing somewhat different parts of overall web security, getting one of them wrong breaks most of the security of the other one. If @Lichtamberg sells his customers encrypted websites that share a common unlisted (!) domain, then he is mostly selling snake oil and gives a false sense of security.

Please don't do this. It really isn't doing your customers any favor. Security isn't easy and requires constant vigilance; but at the very least, we should avoid known-bad configurations, especially if they are well-documented.

This is really that serious. Fortunately, it is also really easy to fix.

Thank you @gutschke - in our specific case this is not a major problem, since we are not just giving out domains, but each of them has a web app of our service running (and our customers can't change content there and don't have direct server access). But I see your point and you are absolutely right, thanks for the hint - to my surprise I wasn't aware of this.

Does the public suffix list help with the 5 in 7 days rate limit itself?
Or was this just a suggestion for the overall security? Thanks for your feedback!

I am not entirely clear on just how quickly either browser vendors or LetsEncrypt are going to pick up changes to the Public Suffix List. Common sense would suggest that there is likely a couple of months latency. But I'd love to be proven wrong.

As soon as the changes are picked up by browsers, security will improve, as customerA can no longer trivially steal login information of customerB.

And as soon as LetsEncrypt picks up the changes, it is my understanding that customerA.mydomain.com will be treated as if it was entirely distinct from customerB.mydomain.com. So, both of these domains would be subject to their own distinct 5/7 rate limiting. And unless you use something like serviceX.customerA.mydomain.com, serviceY.customerA.mydomain.com, … you would be unlikely to ever trigger the rate limit.

Of course, not having any domains in the Public Suffix List, I don't have first-hand experience that would allow me to verify these statements. I am just going by public statements that have been made in the past.
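To make the two posts above concrete, here is an added example (not code from the thread or from Let's Encrypt) that implements the Public Suffix List matching algorithm from https://publicsuffix.org/list/ over a small constructed rule set, once without and once with a hypothetical `mydomain.com` entry. It shows both effects discussed here: the "registrable domain" that a PSL-aware client derives for `customer1.mydomain.com`, and whether a browser would accept a cookie with `Domain=mydomain.com` set by one customer's site (which is exactly the cross-customer cookie exposure @gutschke describes). The rule sets, hostnames and function names are all assumptions for illustration.

```python
# Added example, not from the thread: the Public Suffix List lookup
# (https://publicsuffix.org/list/) implemented over a small constructed
# rule set, to show why an unlisted shared parent domain lets one
# customer's subdomain set cookies that every sibling subdomain receives.
from typing import List, Optional


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def _rule_matches(rule: List[str], host: List[str]) -> bool:
    # A rule matches when the host ends with the rule's labels;
    # '*' in a rule matches exactly one arbitrary label.
    if len(rule) > len(host):
        return False
    return all(r == "*" or r == h for r, h in zip(reversed(rule), reversed(host)))


def public_suffix(host: str, rules: List[str]) -> str:
    """Longest matching rule wins; an exception rule ('!') beats all others;
    with no match the implicit rule '*' makes the TLD the suffix."""
    host_labels = _labels(host)
    best: List[str] = ["*"]
    for rule in rules:
        exception = rule.startswith("!")
        rule_labels = _labels(rule[1:] if exception else rule)
        if not _rule_matches(rule_labels, host_labels):
            continue
        if exception:
            # Exception rule: the suffix is the rule with its leftmost label removed.
            keep = len(rule_labels) - 1
            return ".".join(host_labels[len(host_labels) - keep:])
        if len(rule_labels) > len(best):
            best = rule_labels
    return ".".join(host_labels[-len(best):])


def registrable_domain(host: str, rules: List[str]) -> Optional[str]:
    """Public suffix plus one label, or None when the host is itself a suffix."""
    host_labels = _labels(host)
    n = len(_labels(public_suffix(host, rules)))
    if len(host_labels) <= n:
        return None
    return ".".join(host_labels[-(n + 1):])


def cookie_domain_allowed(host: str, cookie_domain: str, rules: List[str]) -> bool:
    """Browser-style check (RFC 6265 section 5.3): a Set-Cookie Domain attribute
    is accepted only if it domain-matches the host and is not a public suffix."""
    host_l = host.lower().rstrip(".")
    cookie_l = cookie_domain.lower().rstrip(".").lstrip(".")
    if host_l != cookie_l and not host_l.endswith("." + cookie_l):
        return False
    return registrable_domain(cookie_l, rules) is not None


# Constructed rule sets: before and after listing mydomain.com in the PSL.
RULES_UNLISTED = ["com", "eu"]
RULES_LISTED = ["com", "eu", "mydomain.com"]

if __name__ == "__main__":
    for rules in (RULES_UNLISTED, RULES_LISTED):
        print(registrable_domain("customer1.mydomain.com", rules),
              cookie_domain_allowed("customer1.mydomain.com", "mydomain.com", rules))
```

With the unlisted rule set the registrable domain of every customer host is `mydomain.com`, so a cookie scoped to `Domain=mydomain.com` is accepted and sent to all sibling subdomains; with `mydomain.com` listed, that cookie is rejected as a public-suffix cookie and each `customerN.mydomain.com` becomes its own registrable domain, which is also the unit Let's Encrypt would count against per-domain limits.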

If your goal is just to be included in the PSL because of LE and you don't care about the other reasons, then my recommendation is to wait for the override form.

Have you tried issuing multi-domain certificates, 50 customers to a certificate?

You mean, you give all your customers a copy of the private key (or the logical equivalent)? That doesn't particularly instill me with confidence that the site provides anything other than security theater.

Web security is tricky enough as is. Please don't intentionally break security … or suggest that others do so.

There are of course perfectly legitimate reasons for having certificates with multiple SAN entries. But hosting different trust domains under the same certificate is not usually one of these reasons.


Depends if the customer has access to the private keys anyway. Look at CloudFlare. They have certificates with a HUGE number of different sites in their certificates. Now, if someone is selling web space, but the client can't access more than their webroot, it shouldn't be a problem.

Of course, you can't just hand out the cert and private key to every VPS customer. But I don't see the reason why you can't have such a system if you handle all the webserver stuff.

Hello,

I have the error:
Too many certificates already issued for…

But in the last seven days, I haven't issued 5 certificates! Is there a way to count the rate limit?

My first certificate was on 28/01/2016!

Thanks for your help.

You can see when there were certificates for your domain by searching for your domain at https://crt.sh/

Ok, thanks, I see too many certificates; probably they were my attempts to generate the certificate.

I have revoked one of my certificates. How can I identify the valid one?

The domain is: mail.agostinelli.eu

But I haven't the pem file…

@magostinelli FYI, revoking a certificate will not free the slot for a new one. You have to wait for your rate-limit window to expire.

Also, you should use staging for testing.

Apparently you do, because your site (RoundCube) is served with a valid Let's Encrypt certificate.

The certificate you see on the website is revoked; it's not OK.

I don't know why I have only one certificate in /etc/letsencrypt (the revoked one), but on the crt.sh website there are 3 certificates!

I know that revoking doesn't free the slot, but I haven't got the other certificates that appear on the website.

/etc/letsencrypt/live/ will only contain symlinks to the most recent cert for each domain. The actual cert along with all previous ones are in /etc/letsencrypt/archive/

Yes, in the archive directory I had the same folder as in the live folder. So, now I must wait until the 11th of February, and I have two certificates on the website that I don't have on the server. I hope on the 11th I will be able to get a new certificate without problems, also when I renew it, because there are too many certificates with the same common name.

Hello,
I update my case: today 7 days have passed since the first certificate, but I receive the same error:
Error creating new cert :: Too many certificates already issued for:

Is there a scheduled task (or similar) that runs at a certain time, so I must wait for it to run?

My guess is you will need to wait a few more hours … you can check the time of day that your first certificate was issued at https://crt.sh/. If you created the first certificate at 4pm, then you will have to wait until after 4pm on the 7th day.
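The "7 days" counting that confused @magostinelli is a sliding window, not a calendar reset. Here is an added example (not code from the thread, and not Let's Encrypt's own Boulder implementation) that models the per-domain "5 certificates per 7 days" window as the thread describes it, using constructed issuance timestamps of the kind you would read off https://crt.sh/ for your domain. It checks whether a new issuance would be allowed at a given moment and computes the earliest time the window frees a slot; revoked certificates are deliberately still counted, matching the reply above that revocation does not free the slot. The timestamps, `WINDOW`, `LIMIT` and the function names are assumptions for illustration.

```python
# Added example, not from the thread: a model of the per-domain
# "5 certificates per 7 days" sliding window as the thread describes it.
# It is not Boulder's implementation; it only shows why a limit hit at
# 4pm on day 0 still applies at 10am on day 7.
from datetime import datetime, timedelta, timezone
from typing import List

WINDOW = timedelta(days=7)
LIMIT = 5


def issued_in_window(issued: List[datetime], now: datetime) -> List[datetime]:
    # Every issuance in (now - WINDOW, now] counts. Revoked certificates are
    # still issuances, so revoking does not remove an entry from this list.
    return sorted(t for t in issued if now - WINDOW < t <= now)


def can_issue(issued: List[datetime], now: datetime) -> bool:
    return len(issued_in_window(issued, now)) < LIMIT


def next_allowed(issued: List[datetime], now: datetime) -> datetime:
    """Earliest instant at which the window again holds fewer than LIMIT."""
    recent = issued_in_window(issued, now)
    if len(recent) < LIMIT:
        return now
    # The count drops to LIMIT-1 once the (len-LIMIT+1)-th oldest entry ages out;
    # that entry is recent[len(recent) - LIMIT] in ascending order.
    return recent[len(recent) - LIMIT] + WINDOW


def utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed issuance times, as one would read them off crt.sh:
# five attempts on the afternoon of 28 Jan 2016, the first at 4pm UTC.
ISSUED = [
    utc(2016, 1, 28, 16, 0),
    utc(2016, 1, 28, 16, 5),
    utc(2016, 1, 28, 16, 20),
    utc(2016, 1, 28, 16, 31),
    utc(2016, 1, 28, 16, 40),
]

if __name__ == "__main__":
    morning_of_day_7 = utc(2016, 2, 4, 10, 0)
    print("allowed at 10:00 on day 7:", can_issue(ISSUED, morning_of_day_7))
    print("next slot frees at:", next_allowed(ISSUED, morning_of_day_7).isoformat())
```

At 10:00 UTC on 4 February all five issuances from the afternoon of 28 January are still inside the window, so the request is refused; the first slot frees at exactly 16:00 UTC on 4 February, seven days after the first issuance, which is the "after 4pm on the 7th day" behaviour the reply above describes. Reading the issuance times in UTC from crt.sh matters here: a local-time reading can be off by hours in either direction.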