Rate limit policies and "too many certificates already issued" in Boulder

ryanesch · April 2, 2020, 11:23pm

I am running tests on Boulder, and I ran into a problem I see many places in this forum:

Error creating new order :: too many certificates already issued

I reviewed the information at Rate Limits - Let's Encrypt and I am trying to match this up with the definitions set in rate-limit-policies.yml. For example:

The main limit is Certificates per Registered Domain (50 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com , the registered domain is example.com . In new.blog.example.co.uk , the registered domain is example.co.uk . We use the Public Suffix List to calculate the registered domain. Exceeding the Certificates Per Registered Domain limit is reported with the error message too many certificates already issued , possibly with additional details.

Which value does this correspond to in the yml file? I don't see a "50" anywhere. My bottom line question is: is there a value in rate-limit-policies.yml I can increase to get around this error?

_az · April 2, 2020, 11:32pm

The defaults that come out of the box in Boulder are pretty low. They don’t correspond to what you find on the Let’s Encrypt rate limiting page (i.e. the 50 you are looking for is actually 2).

Have a look at test/rate-limit-policies.yml.

You will want to whitelist your test domains in that file, or dramatically increase the threshold for each rate limit.

ryanesch · April 2, 2020, 11:54pm

Thanks for the quick response! That makes sense. Is this how I whitelist?

certificatesPerName:
  window: 2160h
  threshold: 50
  overrides:
    example.com: 10000

_az · April 2, 2020, 11:57pm

Yes, looks good.

Also mind that 2160h is 90 days, rather than the 7 days that Let’s Encrypt uses.

But at 10,000 certificates, it doesn’t really matter.

If you haven’t already seen, Pebble (https://github.com/letsencrypt/pebble) is a better ACME server to use for testing purposes - it’s a lot less complicated to run.

system · May 2, 2020, 11:57pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Too many certificates already issued for exact set of domains Help	9	870	December 12, 2019
New rate limit meaning Issuance Policy	6	2814	September 5, 2017
Limit on Renewals? Issuance Policy	19	7793	March 31, 2016
Letsencrypt Error: rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: example.com? Issuance Tech	8	9516	April 22, 2019
PSL - too many certificates for registered domain Issuance Policy	5	1924	August 18, 2017

Rate limit policies and "too many certificates already issued" in Boulder

Related topics