Rate-limit exceeded may be an ERROR

Hi, I am a contabo.com VPS customer. I am facing the rate limit issue discussed in another thread: Contaboserver.net - too many certificates

However, the rate-limit error may be a bug.

My VPS has a domain of the form abcd.contaboserver.net. As recommended by your rate-limit page ( https://letsencrypt.org/docs/rate-limits/ ) I visited https://crt.sh/ to determine how many certificates had been recently issued for the contaboserver.net domain. The answer was NONE (ever).

I suspected this answer was wrong and checked with and without leading “dot”. Same result.

Then I checked contabo.com and did find a number of certificates (none after July first). I also found several certificates for contabo.de (again none after July first). However I continue to find zero certificates for contaboserver.net.

Then why on earth am I (and the previous user) getting the “too many certificates” error?

This appears to be a bug. If so, please, fix (whoever is concerned).

On crt.sh, you need to use “%” as a wildcard and search for “%contaboserver.net” (which would include other domains like xyzcontaboserver.net) or “%.contaboserver.net” (which would exclude the root contaboserver.net name).

There are a lot of certificates.

https://crt.sh/?q=%contaboserver.net


Thank you. I missed the instruction about using the %…I suspected something was funny, but then it seemed to work for the other contabo domains and I stopped looking…
Anyway, it makes sense that there be many contaboserver certificates because their business strategy seems oriented to “high volume” via relatively low prices. Perhaps they would be a good candidate for a rate increase, since they probably get new customers at a much faster rate than many others…the certificate rate limit should depend on the “market share” or “popularity” of the provider, somehow…otherwise it is bound to be too low for some and too high for others.

Using a cert from “xyz.ISP.net” makes no sense to me.
Unless no one ever really sees it.
As an Internet surfing customer, that would look like either domain spoofing/impersonation or if I know of the ISP domain would not trust a random user of that ISP based solely on their use of a rented system.

@mnordhoff another thing I wonder is whether the certificates listed as issued by “CPanel” ‘count’ for the purpose of rate limit. It seems that in our case all recent certificates are credited to either CPanel or Let’s Encrypt. My guess is that only those listed as Let’s Encrypt certificates count for rate limit purpose, but who knows.

If you can afford a VPS, you may also be able to get your own domain name. The rate limit for *.contaboserver.net would then not apply to your certificate.

That hardly makes any sense to me but I don't much think like the average person.
I'm thinking "How/Why would LE check outside its own issuing system to find if a limit has been exceeded?"
Per: Rate Limits - Let's Encrypt (Last updated: August 09, 2017)
It does not state clearly that they only count the transactions they process.
But I think if it were otherwise it would have to be made clear in that document.
As with any legal document or contract, you can't assume, expect, nor include what isn't included.
So, even though it may seem obvious to some, it is clearly not included to all.

I know this. I don’t want to get into specifics, but I have my reasons to ask what I am asking. Obviously many contabo users do find it useful to get a certificate under their default server name, as shown by the list of issued certificates (otherwise there would be no problem with rate limit)…I guess it depends on what the server is used for.
The important thing is that the rate limit be appropriate for the domain in question, given their “market share”. That is fair. Else, their users are put at an unfair disadvantage.

Let’s Encrypt rate limits are about Let’s Encrypt’s own issuance of certificates, not anyone else’s. They don’t consider any other certificate authority’s issuance, nor limit any other certificate authority’s issuance.

A hosting provider can request a rate limit exemption for its domain when subdomains are used directly by the provider’s customers. Many of these exemptions have been granted in the past. The provider has to choose to go through this process, and, since there’s a backlog, it may take a while. Let’s Encrypt doesn’t have anyone dedicated to proactively researching rate limit exemptions that “should” exist, unless domain operators ask for these exemptions.

Thanks. I hope the provider in question will go through the process of requesting a rate increase. I do believe you have good information to determine (yourself) when the limit is “too low”…basically if the rate-limit keeps triggering for a given domain that is a pretty good indicator that the limit is too low for that domain…if it happens just occasionally then the limit might be alright…But I agree that the affected party should take the initiative in bringing the case to the attention of the appropriate department.

I see this like reviewing a gallon of milk and seeing a label on it that says “WARNING: This product may contain milk”.
But different people see things differently… and some actually do require that WARNING label.

But we don't know the underlying reason why, and in particular we don't know whether this is a single organization or organizational unit that simply has a large number of servers, or a shared domain.

For example, if humongouscorp.com tried to get certificates for webserver1.humongouscorp.com, webserver2.humongouscorp.com, and so on up through webserver7777.humongouscorp.com, that would trigger the rate limit just as much as when the Brazilian state government domains hadn't been added to the public suffix list, so that different cities in the same state in Brazil that tried to get certificates for their city web sites were treated as all being part of a single organization such as "sp.gov.br". In the former case, we don't really want to grant a rate limit exemption because we want to encourage the sysadmins within the organization to consolidate their certificate requests into a smaller number of larger certificates. In the latter case, we did want to grant an exemption because in fact all of the Brazilian municipalities are separate organizations and entities that just happen to share a portion of their domain name for legal and geographic reasons (and that even have separate hosting and system administration!). There's no way that I know of to distinguish these cases automatically.
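The two mechanisms this thread turns on, counting only Let's Encrypt's own issuance per registered domain within a week, and the Public Suffix List deciding what "registered domain" means (the humongouscorp.com versus sp.gov.br cases above), can be replayed on a local copy of crt.sh output. The following is an added example written for this page, not code from Let's Encrypt, crt.sh or Contabo: the records, the `NOW` timestamp and the tiny suffix list are constructed, and the suffix-matching helper is a simplified stand-in for a real PSL library.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed subset of a public suffix list; the real list is far larger.
PUBLIC_SUFFIXES = {"com", "net", "br", "gov.br", "sp.gov.br"}
WEEKLY_LIMIT = 50          # certificates per registered domain per week
WINDOW = timedelta(days=7)
NOW = datetime(2017, 8, 12)  # constructed "current time" for the window

# Constructed records in the shape of crt.sh JSON output (issuer_name,
# newline-separated name_value, not_before). None are real issuance records.
LE = "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
CPANEL = "C=US, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority"
CRT_SH_RECORDS = [
    {"issuer_name": LE, "name_value": "abcd.contaboserver.net", "not_before": "2017-08-10T10:00:00"},
    {"issuer_name": LE, "name_value": "efgh.contaboserver.net\nwww.efgh.contaboserver.net",
     "not_before": "2017-08-11T08:30:00"},
    {"issuer_name": LE, "name_value": "ijkl.contaboserver.net", "not_before": "2017-08-06T12:00:00"},
    {"issuer_name": CPANEL, "name_value": "mnop.contaboserver.net", "not_before": "2017-08-09T09:00:00"},
    {"issuer_name": LE, "name_value": "qrst.contaboserver.net", "not_before": "2017-07-01T00:00:00"},
    {"issuer_name": LE, "name_value": "www.campinas.sp.gov.br", "not_before": "2017-08-11T15:00:00"},
    {"issuer_name": LE, "name_value": "www.santos.sp.gov.br", "not_before": "2017-08-10T16:00:00"},
]

def registered_domain(hostname, suffixes=PUBLIC_SUFFIXES):
    """Longest matching public suffix plus one label (simplified PSL lookup)."""
    labels = hostname.lower().lstrip("*.").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return hostname  # no suffix matched; treat the whole name as registered

def count_recent_issuance(records, now=NOW, suffixes=PUBLIC_SUFFIXES):
    """Let's Encrypt certificates per registered domain in the last 7 days.
    Other CAs (e.g. the cPanel-issued record) are skipped: the limit covers
    only Let's Encrypt's own issuance. A cert whose SANs all fall under one
    registered domain counts once for that domain."""
    counts = Counter()
    for rec in records:
        if "Let's Encrypt" not in rec["issuer_name"]:
            continue
        issued = datetime.fromisoformat(rec["not_before"])
        if not (now - WINDOW <= issued <= now):
            continue
        for dom in {registered_domain(n, suffixes) for n in rec["name_value"].split("\n")}:
            counts[dom] += 1
    return counts

def over_limit(counts, limit=WEEKLY_LIMIT):
    """Registered domains whose weekly count has reached the limit."""
    return sorted(d for d, n in counts.items() if n >= limit)
```

Removing `sp.gov.br` from the suffix set collapses the two city certificates into a single `sp.gov.br` bucket, which is exactly the grouping that made separate municipalities look like one organization before the PSL was updated.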
