Raising Rate Limit


#1

Hello!

We are currently allowing users to create their own subdomains on our service, OwPanel.net, and secure them using LetsEncrypt. Today we hit a rate limit which has impacted our service negatively.

Is there anyone we can contact to raise the rate limit?

Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: owpanel.net

Thanks!


#2

Search the archives on this site for “public suffix”. It will bring up possible solutions.


#3

Hello @OwPanel-Samuel,

As @jvanasco suggested, if your domain is included in the PSL (Public Suffix List) you won’t hit the rate limit for owpanel.net, but you should never apply to be included in the PSL if your only goal is to avoid the Let’s Encrypt rate limit. Also, you should read carefully the implications for your domain.

Being included in the PSL could take a few weeks or months, so my advice: buy a wildcard SSL certificate for your domain; there are a few out there for less than $100.

Good luck,
sahsanu


#4

I don’t think this is what we would be looking for.

@sahsanu - we can’t yet afford a wildcard SSL, though we are working towards it sometime within the next few months.


#5

@OwPanel-Samuel, then I’m afraid you are out of luck. I doubt you could raise the limit just for your domain, but it would be better to ask @jsha whether this is possible or not.

Maybe you should allow your customers to use directories (owpanel.net/xyz) instead of subdomains (xyz.owpanel.net). I know it is not fun, but it is a solution if you still want to use Let’s Encrypt. Maybe it is a complex task for you, but you don’t have too many options… What is true is that you could issue the next certificate in 7 days (Monday 2016-Jul-25 07:06:00 UTC) :cry:


#6

Is it possible to pay LetsEncrypt an amount to get this working? Like sponsoring to get benefits?


#7

Maybe: https://letsencrypt.org/become-a-sponsor/, but I think it would be cheaper to buy a wildcard SSL certificate :wink:


#8

Slightly out of our budget. :stuck_out_tongue:


#9

Are you installing the SSL certificate on the remote Minecraft servers or on your servers?


#10

We install the SSL certificates on our customers’ subdomains (which are websites, hosted by us).


#11

I’m afraid there’s no short-term solution to your problem. As @jvanasco and @sahsanu said, it does sound like your domain probably meets the criteria for a Public Suffix, since you give out subdomains to arbitrary third parties. However, you should be aware of the limitations - if you ask to be put on the Public Suffix List and get added, you won’t be able to set cookies on your base domain (owpanel.net). However, best practice is to not rely on cookies on any domain where you give out subdomains, so hopefully you are currently not relying on owpanel.net cookies.

Keep in mind the rate limit resets once a week, and you can always renew for a group of names you’ve already issued for. So as long as you gradually issue for new subdomains, you can increase to quite a large number of supported subdomains over time.

Also, you can combine up to 100 subdomains on a single certificate. So with a 20 certificate per week limit, you can handle up to 2000 new subdomains per week.


#12

We do rely on cookies. Also, we will look into the multi-domain functionality, since we weren’t using that already.


#13

Since they’re on your servers, you can put 100 domains on each certificate, and can generate 20 certificates per domain per week.

If you pre-generate “pool1.OwPanel.net” through “pool100.OwPanel.net”, “pool101.OwPanel.net” - “pool200.OwPanel.net”, then you can secure 2000 domains per week. Ratelimits will not apply to renewal, so you can have an additional 2000 next week, and the week after, etc.

Then you can assign each person a subdomain, instead of letting them choose a subdomain (or you can let them choose something, then redirect to an assigned one)


#14

Can I add/remove new domains to/from existing certs without bypassing the limit?


#15

Sorry, no. Each certificate counts, unless the list of names in it is an exact match for a prior one.
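
The batching described in posts #11, #13 and #15, as an added sketch that is not part of the original thread or any poster's code. It assumes the limits exactly as stated here (100 names per certificate, 20 new certificates per week, exact-name-set renewals not counted), simplifies the week to a fixed bucket, and uses hypothetical function names and constructed pool hostnames.

```python
"""Plan certificate batches under the limits described in this thread."""

MAX_NAMES_PER_CERT = 100     # names per certificate (post #11)
MAX_NEW_CERTS_PER_WEEK = 20  # new certificates per domain per week (post #11)


def is_renewal(names, issued_sets):
    """Exact name-set match with a prior certificate: not counted (post #15)."""
    return frozenset(n.lower() for n in names) in issued_sets


def plan_weeks(pending, issued_sets):
    """Group hostnames still needing a certificate into weekly order lists.

    Returns a list of weeks; each week is a list of name tuples, one tuple
    per certificate order. Names already on an issued certificate are skipped.
    """
    covered = set().union(*issued_sets)
    todo = sorted({h.lower() for h in pending} - covered)
    certs = [tuple(todo[i:i + MAX_NAMES_PER_CERT])
             for i in range(0, len(todo), MAX_NAMES_PER_CERT)]
    return [certs[i:i + MAX_NEW_CERTS_PER_WEEK]
            for i in range(0, len(certs), MAX_NEW_CERTS_PER_WEEK)]


def weekly_budget_used(orders, issued_sets):
    """Count how many of the given orders consume the weekly allowance."""
    return sum(0 if is_renewal(o, issued_sets) else 1 for o in orders)


# Constructed sample data: pre-generated pool names as suggested in post #13.
POOL = [f"pool{i}.owpanel.net" for i in range(1, 2151)]   # 2150 names
ALREADY_ISSUED = {frozenset(POOL[:100])}                  # pool1..pool100

if __name__ == "__main__":
    for n, week in enumerate(plan_weeks(POOL, ALREADY_ISSUED), 1):
        print(f"week {n}: {len(week)} certs, {sum(map(len, week))} names")
    # Same 100 names again is a renewal; one extra name makes it a new cert.
    grown = POOL[:100] + ["new.owpanel.net"]
    print("renewal counts:", weekly_budget_used([POOL[:100]], ALREADY_ISSUED))
    print("grown cert counts:", weekly_budget_used([grown], ALREADY_ISSUED))
```

Because a changed name list counts as a new certificate, the plan fills each certificate from a pre-generated pool rather than appending customer names to an existing one.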


#16

This is quite a big issue for us now, since we can’t generate certificates when we hit the rate limit + we will never know how many we need and can’t dynamically add to a given certificate.

I suppose we’ll have to wait until we can get a wildcard certificate.


#17

We have now invested in a wildcard SSL that we had to get a deal on.

