Rate-limit override issue

Hi,
We should have a rate-limit-override of 16,000 certificates per week
Starting several hours ago - we're getting rate-limit issues

My domain is: ludevices.com

I ran this command:
certbot -d *.DOMAIN.ludevices.com -d *.DOMAIN2.ludevices.com --preferred-challenges=dns --csr $CSR_FULL_FILENAME, --manual --manual-auth-hook $AUTHENTICATOR_SCRIPT --manual-cleanup-hook $CLEAN_UP_SCRIPT --manual-public-ip-logging-ok --cert-path $signedCertificateFilename.ignore --fullchain-path $signedCertificateFilename certonly

It produced this output:
{
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many certificates already issued for "ludevices.com". Retry after 2024-10-01T13:00:00Z: see Rate Limits - Let's Encrypt",
"status": 429
}

The operating system my web server runs on is (include version):
Ubuntu 22

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

1 Like

While we wait for the @lestaff to help you with your rate limit issue:

If you use the --csr option, there's no need to provide hostnames using the -d option, as Certbot will simply extract the hostnames from the CSR.

2 Likes

We're taking a look this morning. Thanks for your patience!

4 Likes

I reviewed the rate limit adjustments on your account and found that in June 2023, we increased your New Orders Per Account limit to 16,000 per week. I believe this is the override you’re referring to. However, the "rateLimited" response you mentioned is actually related to the Certificates Per Domain limit.

In March 2020, we increased your Certificates Per Domain limit to 8,000 per week, but in the past week, your account issued over 8,000 certificates. Based on this, it appears that our rate limits are functioning as expected.

4 Likes

That's actually lower than the current default rate limit of 16 800 new orders per week? (168 hours in a week, divided by 3, times the current 300 new orders per 3 hours = 16 800 new orders/week. Which is more than the 16 000 rate limit.)

1 Like

For what it's worth ...

I see just over 10,300 certs for that registered domain (in Censys) in the past week. So, I believe that means about 2,300 were renewals and the rest new.

I also see they got some ZeroSSL certs today so they look to be developing a backup plan. Which probably is good idea anyway :slight_smile:

3 Likes

Eh,
So in June 2023, the increase was of the wrong thing,... We intended to further increase the 8000 Certificates Per Domain - as we saw we're going to approach this limit - and here we are a year later actually reaching it in a noticeable way :sigh:

3 Likes

I'm unclear.
I thought certificate renewals don't count towards this limit.
How many new certs are you issuing per day/week?

1 Like

Apparently an internal issue caused us to get to the limit without an alert
We'll need to fix our side of the rate-limiting
For now the current limit should be OK, and as mentioned - ZeroSSL indeed seems like a good possibility as well
Thanks!

4 Likes