Rate Limit Issue with cloudapp.azure.com

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
ukwest.cloudapp.azure.com

I ran this command:
New-ACMEOrder $state -Identifiers $identifier;

It produced this output:
Error creating new order :: too many certificates already issued for "ukwest.cloudapp.azure.com". Retry after 2024-04-29T14:00:00Z: see Rate Limits - Let's Encrypt

My web server is (include version):
azure

The operating system my web server runs on is (include version):
windows-2022

My hosting provider, if applicable, is:
azure

I can login to a root shell on my machine (yes or no, or I don't know):
I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi all,
We seem to be hitting our rate limit more often than usual over the last week (we never had this happen until last week). Nothing has changed on our end; commands, parameters, number of certs generated etc. Would anyone be able to provide any insights on this issue?

Thanks.

1 Like

Something has changed--you've issued five identical certs within the past week, and you're now trying to get another one. Use one of the existing certs. If they're gone, figure out what in your system is requesting, and then discarding, these certs.

5 Likes

@sbang19 Let's Encrypt is adding two new remote perspectives for domain validation. Is there some geo blocking or filtering happening that is preventing some of the new perspectives from validating?

If he's gotten enough certificates since yesterday to hit the rate limit, it wouldn't seem so.

4 Likes

Good point @danb35, you are correct!

2 Likes

I am a little puzzled by the error. Do you already have a rate limit exemption from Let's Encrypt? Your organization would have had to request it so you would know if you did.

You are getting a very large number of certs with the domain you gave. The error message is similar to the one for more than 50 certs per week for a single registered domain name. But, you got way more than that with that domain. And, that isn't a registered domain name which is also puzzling (nor is it on the Public Suffix List).

Are you a service provider? Or are all these names used in your own organization? Any more info will help us understand.

See Rate Limits - Let's Encrypt for this info

The main limit is Certificates per Registered Domain (50 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. ... We use the Public Suffix List to calculate the registered domain. Exceeding the Certificates Per Registered Domain limit is reported with the error message too many certificates already issued, possibly with additional details.

There are so many certs with that domain some of our normal tools time out trying to list them. But here are just 5 subdomains you got a Let's Encrypt cert for just today (Apr 25). I see about 20 similarly named certs from today and others for prior days. Could this new pattern of names be involved in this new error?

rome-pr7467.ukwest.cloudapp.azure.com
rome-pr7523.ukwest.cloudapp.azure.com
rome-pr7489.ukwest.cloudapp.azure.com
rome-pr7451.ukwest.cloudapp.azure.com
rome-pr7479.ukwest.cloudapp.azure.com

3 Likes
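
How the per-registered-domain count quoted above groups names like these, as an added example that is not part of the thread and not Let's Encrypt's own code. It assumes a rolling 7-day window and a constructed two-entry suffix set (not the real Public Suffix List; the `cloudapp.azure.com` entry is an assumption made so the bucket matches the name in the error message), and all function names and the sample history are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample suffix rules, NOT the real Public Suffix List. The
# "cloudapp.azure.com" entry is an assumption chosen so the bucket matches
# the name quoted in the error message in this thread.
SAMPLE_SUFFIXES = {"com", "cloudapp.azure.com"}
WEEKLY_LIMIT = 50              # Certificates per Registered Domain, per the quoted docs
WINDOW = timedelta(days=7)     # assumption: "per week" modelled as a rolling window


def registered_domain(name, suffixes=SAMPLE_SUFFIXES):
    """Longest matching public suffix plus one more label to its left."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):           # i = 0 tries the longest candidate first
        if ".".join(labels[i:]) in suffixes:
            # A name that is itself a public suffix has no registered domain.
            return None if i == 0 else ".".join(labels[i - 1:])
    return None                            # no rule matched in this sample set


def weekly_counts(issued, now, suffixes=SAMPLE_SUFFIXES):
    """Count certificates per registered domain in the 7 days up to `now`.

    `issued` is an iterable of (issue_time, [dns_names]). One certificate
    counts once per distinct registered domain among its names.
    """
    counts = Counter()
    for when, names in issued:
        if now - WINDOW < when <= now:
            counts.update({registered_domain(n, suffixes) for n in names} - {None})
    return counts


def would_exceed(issued, new_names, now, suffixes=SAMPLE_SUFFIXES):
    """Registered domains for which one more certificate would pass the limit."""
    counts = weekly_counts(issued, now, suffixes)
    buckets = {registered_domain(n, suffixes) for n in new_names} - {None}
    return sorted(b for b in buckets if counts[b] >= WEEKLY_LIMIT)


# Constructed history: 50 preview-environment certificates, one every 2 hours.
NOW = datetime(2024, 4, 25, 12, 0, tzinfo=timezone.utc)
HISTORY = [(NOW - timedelta(hours=2 * i),
            [f"rome-pr{7000 + i}.ukwest.cloudapp.azure.com"]) for i in range(50)]
```

Every per-PR hostname lands in the same bucket, so unique names do not spread the count; with a suffix set containing only `com`, the same names would all be counted against `azure.com` instead.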

No, we're getting no exemption ourselves, we're just applying a Let's Encrypt cert to an Azure Application Gateway. We didn't know about how the rate limit was tied to the public suffix list when we started this as we saw this approach listed in a few places on the internet.

But in the last week we've seen the error complaining about hitting the rate limit on 'cloudapp.azure.com', so we maybe assumed Let's Encrypt handled Azure and other cloud service providers maybe differently and that could have changed recently. We only moved to ukwest region this week after hitting the rate limit issue in westeurope.

Basically we spin up preview environments for our application with each change and have been utilizing this approach for 2 years now.

1 Like