Rate limit issue for large domain

We’re running several websites on an AWS instance running Amazon’s Linux distro. Amazon’s Linux is not well supported by certbot, but there are instructions that I’m following at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html#letsencrypt

I ran the following: sudo ./certbot-auto --debug

I am getting the following error after trying to generate a cert for one of our sites - get.wa.gov

Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for: wa.gov

I’ve been googling and reading lots of docs, in particular about rate limits. As far as I can tell we’re running into the certificates per registered domain limit of 20 per week. There are a number of other state agencies in the .wa.gov domain that are already using Let’s Encrypt and Washington is very decentralized, so it’s not feasible to track down all of the different administrators at all of the different state agencies that are using LE. It looks like we’re just too late to the party and are basically screwed and can’t use LE due to the large number of requests, but I’m posting to see if anyone has any suggestions. Thanks.

You need to contact someone responsible for the wa.gov domain as a whole. Ask them to read about the Public Suffix List, understand its purpose, and consider whether it would make sense for wa.gov to be submitted to this list. If so, they should submit it for inclusion; if not, they should instead read this and submit the form linked from there to apply for an exception to the rate limit. I believe this has been granted in the past to some organisations such as universities whose domains are managed in a similarly decentralised manner.

Note that only someone responsible for the overall wa.gov domain can perform either of these actions.

You can also try to find a gap when it is possible to request a certificate (lectl can help with this). Once you have a certificate you can renew it in the future without worrying about the 20 certificates per week rate limit. Although I’d consider that to be a temporary workaround at best.
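
Added example (not part of the thread, and not lectl's code): a sketch of why the limit is shared across all of wa.gov and how a "gap" arises, computing the registered domain from a suffix set and the earliest time a new certificate fits under 20 per week. Assumptions: the week is a sliding 7-day window, suffix matching is simplified (no wildcard or exception rules), the issuance log and hostnames are constructed, and wa.gov as a public suffix is hypothetical.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 20                   # certificates per registered domain (figure from the thread)
WINDOW = timedelta(days=7)   # assumption: the week is a sliding window

def registered_domain(name, suffixes):
    """Longest matching public suffix plus one label (no wildcard or exception rules)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            if i == 0:       # the name itself is a public suffix
                break
            return ".".join(labels[i - 1:])
    raise ValueError(f"no registrable domain for {name!r}")

def next_slot(issued, now):
    """Earliest time at which fewer than LIMIT issuances remain inside WINDOW."""
    recent = sorted(t for t in issued if now - WINDOW < t <= now)
    if len(recent) < LIMIT:
        return now
    # Wait until enough of the oldest issuances age out to leave LIMIT - 1.
    return recent[len(recent) - LIMIT] + WINDOW

def earliest_issuance(name, log, now, suffixes):
    """Return (registered domain, earliest time a new cert for name is allowed)."""
    rd = registered_domain(name, suffixes)
    same = [t for n, t in log if registered_domain(n, suffixes) == rd]
    return rd, next_slot(same, now)

# Constructed sample: 20 other agencies each issued one certificate this week.
NOW = datetime(2017, 6, 8, 12, 0, tzinfo=timezone.utc)
LOG = [(f"agency{i}.wa.gov", NOW - timedelta(hours=8 * i + 1)) for i in range(20)]

if __name__ == "__main__":
    # Today: only "gov" is a suffix, so every agency shares the wa.gov bucket.
    print(earliest_issuance("get.wa.gov", LOG, NOW, {"gov"}))
    # Hypothetical: wa.gov listed as a public suffix, so each agency has its own bucket.
    print(earliest_issuance("get.wa.gov", LOG, NOW, {"gov", "wa.gov"}))
```
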

I’ll check in with the people who oversee the .wa.gov domain. Thanks for the help.
