Rate limit not reset after 7 days


#1

I started using Let's Encrypt on 12th Jan and, not being aware of the rate limits, ended up deleting my certificates and not being able to create new ones. On the rate limits page it states 5 certificates can be requested every 7 days. However, it is now the 8th day since I first received the error and I am still getting it.

Any help would be appreciated thanks.

“There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued”


#2

I don’t know how, but my rate limit seems to have been reset in just two days. I used test mode after the rate limit was reached and hit that (test mode) rate limit too. But both limits seem to have been withdrawn now…


#3

Just to double-check I would recommend looking for certificates issued for your domain via https://crt.sh/. Note that subdomains would count towards the rate limit of the parent domain too.


#4

Same here, it seems. I jumped in without RTFM and started issuing and deleting certificates. Based on the logs (https://crt.sh/?Identity=%allthatnet.com&iCAID=7395) and the explanation of how certificates are counted, I do not believe I have exceeded the limit, and the last certificate has localhost.localdomain in it, so it is basically invalid (it is not even Happy Hacker!).

A bit frustrating that I cannot revoke or otherwise remove existing certificates and start over.


#5

The rate limit is 5 certificates per domain per 7 days. crt.sh shows 5 certificates issued for allthatnet.com on 2016-01-19.

The purpose of this rate limit is to limit OCSP signing load. Unfortunately revoking or simply not using a certificate doesn’t have any effect on the signing load, which is why it doesn’t affect the rate limit.


#6

That’s a pretty serious error and BR violation if it happened; I can’t find said cert. (luckily!)

That said, checking CT, here are the 5 certs you issued today:

# serial, names, notBefore
'01336f9634ba5c7cd578fcf3de68cd3292ee', 'allthatnet.com, www.allthatnet.com', '2016-01-19 02:30:00'
'0192ca079e04e4f475efd29a2b3c0e138ea7', 'allthatnet.com, www.allthatnet.com', '2016-01-19 02:34:00'
'0104805cdad3ffd9dd814b3112e7596d12db', 'allthatnet.com, www.allthatnet.com', '2016-01-19 02:35:00'
'0119965fbf1ce6c9dcd34b183f955d56125b', 'allthatnet.com, www.allthatnet.com', '2016-01-19 02:50:00'
'017cbf8f19d5508ab8ded3aad437132065cf', 'allthatnet.com, www.allthatnet.com', '2016-01-19 03:18:00'

As @pfg said, these match on the PSL+1 of allthatnet.com.
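
As an added example (not code from this thread or from Let's Encrypt), the script below does by hand what @pfg and the CT listing describe: it groups CT rows by registered domain (PSL+1), counts the rows whose notBefore falls in the trailing 7 days, and reports when the oldest one ages out of the window, which is the earliest a new certificate could be issued. The five allthatnet.com rows are the ones listed above; the other rows, the two-entry PUBLIC_SUFFIXES stand-in for the Public Suffix List, and the function names are assumptions. A real check would load the full suffix list and feed in the rows from the crt.sh query in post #4.

```python
"""Sliding-window count of Let's Encrypt certificates per registered domain.

Added example, not code from this thread or from Let's Encrypt. Rows mirror
the CT listing in the thread: (serial, comma-separated names, notBefore).
"""
from datetime import datetime, timedelta

LIMIT = 5                   # certificates per registered domain per window
WINDOW = timedelta(days=7)

# Assumption: a two-entry stand-in for the Public Suffix List. A real check
# should load the full list; the registered domain of a.b.co.uk is b.co.uk.
PUBLIC_SUFFIXES = {"co.uk", "com.au"}

# Constructed sample input. The five allthatnet.com rows are the ones from
# the CT listing in the thread; the other rows are made up for illustration.
SAMPLE = [
    ("0a1b", "shop.allthatnet.com", "2016-01-13 10:00:00"),  # constructed: subdomain cert
    ("01336f9634ba5c7cd578fcf3de68cd3292ee", "allthatnet.com, www.allthatnet.com", "2016-01-19 02:30:00"),
    ("0192ca079e04e4f475efd29a2b3c0e138ea7", "allthatnet.com, www.allthatnet.com", "2016-01-19 02:34:00"),
    ("0104805cdad3ffd9dd814b3112e7596d12db", "allthatnet.com, www.allthatnet.com", "2016-01-19 02:35:00"),
    ("0119965fbf1ce6c9dcd34b183f955d56125b", "allthatnet.com, www.allthatnet.com", "2016-01-19 02:50:00"),
    ("017cbf8f19d5508ab8ded3aad437132065cf", "allthatnet.com, www.allthatnet.com", "2016-01-19 03:18:00"),
    # constructed: the same serial listed twice (e.g. precert and cert); counted once
    ("017cbf8f19d5508ab8ded3aad437132065cf", "allthatnet.com, www.allthatnet.com", "2016-01-19 03:18:00"),
    ("0c2d", "example.co.uk, www.example.co.uk", "2016-01-19 05:00:00"),  # constructed: unrelated domain
]


def when(text):
    """Parse a crt.sh-style timestamp such as '2016-01-19 02:30:00'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def registered_domain(name):
    """PSL+1: the label directly below the public suffix."""
    labels = name.strip().lower().rstrip(".").split(".")
    depth = 3 if ".".join(labels[-2:]) in PUBLIC_SUFFIXES else 2
    return ".".join(labels[-depth:])


def load(rows):
    """Map serial -> (notBefore, registered domains), counting each serial once."""
    certs = {}
    for serial, names, not_before in rows:
        if serial in certs:
            continue
        domains = {registered_domain(n) for n in names.split(",")}
        certs[serial] = (when(not_before), domains)
    return certs


def issued_in_window(rows, domain, now, window=WINDOW):
    """Sorted notBefore times of certs that count against `domain` at `now`.

    A subdomain cert counts against its registered domain, so
    shop.allthatnet.com is charged to allthatnet.com.
    """
    return sorted(t for t, domains in load(rows).values()
                  if domain in domains and now - window < t <= now)


def next_slot(rows, domain, now, limit=LIMIT, window=WINDOW):
    """Earliest time a new cert for `domain` is under the limit (`now` if already)."""
    times = issued_in_window(rows, domain, now, window)
    if len(times) < limit:
        return now
    # Certs age out oldest first; enough must leave to get below the limit.
    return times[len(times) - limit] + window


if __name__ == "__main__":
    now = when("2016-01-19 12:00:00")
    for domain in ("allthatnet.com", "example.co.uk"):
        n = len(issued_in_window(SAMPLE, domain, now))
        print(f"{domain}: {n} cert(s) in the last 7 days; next slot at {next_slot(SAMPLE, domain, now)}")
```

Note that the count is keyed on notBefore, the only timestamp CT gives you; if the CA's own clock for the window differs from notBefore (as posts #8 and #9 suspect), the reported slot is the earliest possible one, not a guarantee.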


#7

OK, so it does not matter that it is the same domain name. 5 instances for the same name are just that. Some of those should have been self-signed certificates, I think, but I cannot prove it now.

As to the weird certificate, I hope I am not mistaken and my browser didn’t just cache it or I did something “off the cuff”:

openssl x509 -in /etc/letsencrypt/live/allthatnet.com/cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:7c:bf:8f:19:d5:50:8a:b8:de:d3:aa:d4:37:13:20:65:cf
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1
        Validity
            Not Before: Jan 19 03:18:00 2016 GMT
            Not After : Apr 18 03:18:00 2016 GMT
        Subject: CN=allthatnet.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ba:b4:16:23:25:c0:90:cd:68:30:74:49:b3:36:
                    07:72:1c:1b:a5:6c:c4:5f:c2:7b:18:fe:34:38:2f:
                    b5:ca:84:ae:77:4e:9e:df:30:31:50:38:9e:f4:2c:
                    bb:3f:09:16:36:a7:e8:d7:70:5b:fe:0c:ff:6c:95:
                    cf:0b:3d:98:a6:8e:c5:48:e0:be:80:0a:93:34:26:
                    3b:42:ea:95:f9:64:e9:ad:54:21:b2:74:55:18:ac:
                    e6:ca:00:f7:4f:6b:75:e5:27:4b:c3:13:71:3d:54:
                    bc:b3:89:d9:21:67:69:a7:12:ad:53:b4:88:00:12:
                    66:25:e8:91:1e:73:4d:dd:d4:0f:ec:6f:99:09:72:
                    c6:e7:52:89:e6:0c:2d:2c:95:d5:7d:86:fb:36:98:
                    75:78:57:84:18:06:16:69:ee:5c:0c:76:67:55:e5:
                    00:ef:8e:9f:d1:4a:fc:23:72:8b:65:b0:05:09:48:
                    fd:a7:97:18:f6:42:25:b7:47:52:de:d0:5c:ed:64:
                    d6:98:e3:7d:02:dd:36:5a:0e:ca:93:4f:18:dc:1a:
                    d8:38:77:2f:6f:6b:2c:d8:ca:64:33:09:eb:e5:c4:
                    e9:db:16:5d:44:95:06:c3:df:c4:16:07:ce:6f:5e:
                    8f:d0:6d:31:c0:bd:de:4a:d4:e2:8f:fa:46:be:b8:
                    fc:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                25:6C:7E:92:CF:90:53:CC:1C:6B:12:12:56:1F:2C:1C:3B:1F:B6:6C
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x1.letsencrypt.org/
                CA Issuers - URI:http://cert.int-x1.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:allthatnet.com, DNS:www.allthatnet.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

    Signature Algorithm: sha256WithRSAEncryption
         12:8e:9c:0b:23:f9:2e:c8:76:24:a0:16:f3:62:17:1d:a8:72:
         88:9b:38:ec:9a:13:8c:9a:f9:7a:03:e0:2b:d6:c0:53:d9:01:
         0c:39:c4:bd:81:ee:2d:71:5d:8b:a5:01:1e:ad:40:2c:62:31:
         6c:15:dd:d1:eb:26:9c:f4:03:46:f5:57:21:19:46:b5:83:08:
         93:2d:f1:c5:d2:d8:b5:2f:96:68:f1:01:64:4a:0d:d0:20:26:
         b5:e8:26:33:1c:24:fb:8d:15:19:6d:26:ae:44:bd:a8:4d:67:
         8d:c1:1c:12:58:b5:af:39:2f:b1:75:68:1b:a3:c4:20:52:b2:
         63:48:46:4a:15:07:40:0b:c5:44:69:9a:2b:78:55:d6:17:3d:
         19:0f:47:82:bd:2f:1e:f2:20:41:3f:2c:39:43:9b:6d:cb:b8:
         54:5f:fc:f2:89:9d:78:89:9d:cd:dc:3e:a1:58:fc:ae:9c:ab:
         48:b8:bd:87:5f:19:09:09:7c:fd:f1:74:b4:0d:7c:5e:eb:c8:
         5a:e9:68:a9:b1:dc:25:e0:e2:70:7d:88:6a:f8:1d:88:c6:48:
         ae:18:08:ad:42:30:9c:26:94:4a:51:35:97:05:8f:8b:9f:7e:
         5f:ec:68:fc:c4:ae:02:2a:c1:56:13:5a:e9:77:e3:d1:59:19:
         a7:5b:0d:54

The server config points to THAT certificate.

Anything else I can do to debug it?

EDIT: I thought maybe Symantec “helpfully” replaces the certificate in my browser or something, but when I test it with Qualys I get the same message. It is a live certificate.

SOLVED: The web server was defaulting to another certificate due to a configuration issue.

Sorry for hijacking the wrong thread. :frowning:


#8

Just checked, and it seems my certs are being recognised as issued 24 hours after they actually were. Hopefully I should be able to request again tonight.


#9

All working now. Looks like the problem was that my certificates were showing as issued 24 hours after they actually were.