Rate-limit issue

We’ve run into an issue with our LetsEncrypt rate-limit and cannot pinpoint the cause.
We are nowhere near the limit of 20 certificates per domain per 7 days.
The logs on https://crt.sh/ confirm this, since most (15+) of the certificate request shown there in the past 7 days are simply renewals.

Something strange however: Ever since 2018-04-09, these requests seem to happen in pairs. Nothing on our end changed regarding the certificate requests. Could this have anything to do with google forcing certificant transparency? And could this be the cause for us hitting our rate limit so unexpectantly ?

I ran this command:
/usr/share/git/acme.sh/acme.sh --server https://acme-v01.api.letsencrypt.org/directory --home /root/.acme.sh -d {domain_that_wants_a_cert} -w {/public} --issue --force

It produced this output:
[Mon Jun 4 14:09:52 CEST 2018] Sign failed: “detail”:“Error creating new cert :: too many certificates already issued for: lwprod.nl: see https://letsencrypt.org/docs/rate-limits/

The operating system my web server runs on is (include version):
CentOS 7.4.1708

My hosting provider, if applicable, is:
TransIP

I can login to a root shell on my machine
I’m not using a control panel to manage my site.

Unfortunately, renewals still count. Issuing renewal certificates can prevent you from issuing new certificates, but you can continue to issue renewal certificates after reaching that rate limit.

There are plans to improve this, but it hasn't been possible yet. :slightly_frowning_face:

To get the maximum possible number of certificates, you must perform all new issuances before renewals during a given time window.

Yes. Two certificates are (sort of) issued: A "precertificate", which has a poison extension that prevents it from working, and the final certificate, which contains two SCTs. Let's Encrypt currently automatically logs them both.

crt.sh's search pages show them both, but the certificate pages distinguish them. For example:

One says "Precertificate" at the top and has the poison extension, and one says "Leaf certificate" at the top and has two SCTs.

It's not an issue. When calculating the rate limits, Let's Encrypt doesn't double count.

The description of this on the Rate Limits page is:

Renewals are still subject to the Duplicate Certificate limit. Also note: the order of renewals and new issuances matters. To get the maximum possible number of certificates, you must perform all new issuances before renewals during a given time window.

Thank you for clarifying the issue!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.