We’ve run into an issue with our LetsEncrypt rate-limit and cannot pinpoint the cause.
We are nowhere near the limit of 20 certificates per domain per 7 days.
The logs on https://crt.sh/ confirm this, since most (15+) of the certificate requests shown there in the past 7 days are simply renewals.
Something strange, however: ever since 2018-04-09, these requests seem to happen in pairs. Nothing on our end changed regarding the certificate requests. Could this have anything to do with Google forcing Certificate Transparency? And could this be the cause of us hitting our rate limit so unexpectedly?
I ran this command:
/usr/share/git/acme.sh/acme.sh --server https://acme-v01.api.letsencrypt.org/directory --home /root/.acme.sh -d {domain_that_wants_a_cert} -w {/public} --issue --force
It produced this output:
[Mon Jun 4 14:09:52 CEST 2018] Sign failed: "detail":"Error creating new cert :: too many certificates already issued for: lwprod.nl: see https://letsencrypt.org/docs/rate-limits/"
The operating system my web server runs on is (include version):
CentOS 7.4.1708
My hosting provider, if applicable, is:
TransIP
I can log in to a root shell on my machine
I’m not using a control panel to manage my site.
Unfortunately, renewals still count. Issuing renewal certificates can prevent you from issuing new certificates, but you can continue to issue renewal certificates after reaching that rate limit.
There are plans to improve this, but it hasn't been possible yet.
To get the maximum possible number of certificates, you must perform all new issuances before renewals during a given time window.
Yes. Two certificates are (sort of) issued: A "precertificate", which has a poison extension that prevents it from working, and the final certificate, which contains two SCTs. Let's Encrypt currently automatically logs them both.
crt.sh's search pages show them both, but the certificate pages distinguish them. For example:
The description of this on the Rate Limits page is:
Renewals are still subject to the Duplicate Certificate limit. Also note: the order of renewals and new issuances matters. To get the maximum possible number of certificates, you must perform all new issuances before renewals during a given time window.
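To compare a crt.sh listing against the rate limit, the precertificate/final-certificate pairs described above have to be collapsed first. The following is an added example, not code from this thread or from Let's Encrypt: it assumes rows shaped like crt.sh's JSON output (field names `issuer_ca_id`, `serial_number`, `not_before`, `name_value`), uses constructed sample data, treats `not_before` as an approximation of issuance time, and counts a certificate as a renewal when its exact set of names was issued before.

```python
import json
from datetime import datetime, timedelta

# Constructed rows in the shape of crt.sh's JSON output (field names are an
# assumption; every value is made up). Issuances after 2018-04-09 appear
# twice: once as precertificate, once as final certificate.
SAMPLE = json.loads(r"""[
{"issuer_ca_id":1,"serial_number":"03a1","not_before":"2018-03-20T09:00:00","name_value":"shop.example.nl"},
{"issuer_ca_id":1,"serial_number":"03b2","not_before":"2018-05-30T09:00:00","name_value":"shop.example.nl"},
{"issuer_ca_id":1,"serial_number":"03b2","not_before":"2018-05-30T09:00:00","name_value":"shop.example.nl"},
{"issuer_ca_id":1,"serial_number":"03c3","not_before":"2018-06-01T12:00:00","name_value":"api.example.nl\nwww.example.nl"},
{"issuer_ca_id":1,"serial_number":"03C3","not_before":"2018-06-01T12:00:00","name_value":"www.example.nl\napi.example.nl"},
{"issuer_ca_id":1,"serial_number":"03d4","not_before":"2018-06-03T08:00:00","name_value":"api.example.nl\nwww.example.nl"},
{"issuer_ca_id":1,"serial_number":"03d4","not_before":"2018-06-03T08:00:00","name_value":"api.example.nl\nwww.example.nl"}
]""")


def summarize(rows, now, window_days=7):
    """Count log rows, distinct issuances and renewals inside the window."""
    cutoff = now - timedelta(days=window_days)

    def in_window(when):
        return cutoff <= when <= now

    # A precertificate and its final certificate share issuer and serial
    # number, so that pair identifies a single issuance.
    issuances = {}
    for row in rows:
        key = (row["issuer_ca_id"], row["serial_number"].lower())
        names = frozenset(n.strip().lower() for n in row["name_value"].split("\n"))
        issuances.setdefault(key, (datetime.fromisoformat(row["not_before"]), names))

    result = {
        "log_rows": sum(in_window(datetime.fromisoformat(r["not_before"])) for r in rows),
        "issuances": 0,
        "renewals": 0,
    }
    seen_name_sets = set()
    # Walk issuances oldest first so earlier certificates define what a renewal is.
    for when, names in sorted(issuances.values(), key=lambda item: item[0]):
        if in_window(when):
            result["issuances"] += 1
            result["renewals"] += int(names in seen_name_sets)
        seen_name_sets.add(names)
    return result


if __name__ == "__main__":
    print(summarize(SAMPLE, datetime(2018, 6, 4, 14, 9, 52)))
```

On the sample, six log rows in the window collapse to three issuances, two of which are renewals; the issuance count, not the row count, is the number to hold against the limit.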