Rate limit policies and "too many certificates already issued" in Boulder

I am running tests on Boulder, and I ran into a problem I see many places in this forum:

Error creating new order :: too many certificates already issued

I reviewed the information at Rate Limits - Let's Encrypt and I am trying to match this up with the definitions set in rate-limit-policies.yml. For example:

The main limit is Certificates per Registered Domain (50 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain. Exceeding the Certificates Per Registered Domain limit is reported with the error message "too many certificates already issued", possibly with additional details.

Which value does this correspond to in the yml file? I don't see a "50" anywhere. My bottom line question is: is there a value in rate-limit-policies.yml I can increase to get around this error?

The defaults that come out of the box in Boulder are pretty low. They don’t correspond to what you find on the Let’s Encrypt rate limiting page (i.e. the 50 you are looking for is actually 2).

Have a look at test/rate-limit-policies.yml.

You will want to whitelist your test domains in that file, or dramatically increase the threshold for each rate limit.


Thanks for the quick response! That makes sense. Is this how I whitelist?

certificatesPerName:
  window: 2160h
  threshold: 50
  overrides:
    example.com: 10000

Yes, looks good.

Also mind that 2160h is 90 days, rather than the 7 days that Let’s Encrypt uses.

But at 10,000 certificates, it doesn’t really matter.

If you haven’t already seen, Pebble (https://github.com/letsencrypt/pebble) is a better ACME server to use for testing purposes - it’s a lot less complicated to run.

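A simplified model of how a window/threshold/overrides policy like the certificatesPerName block in this thread decides whether a new order is rejected, added here as an example and not taken from Boulder or from any poster. The function names, the two-entry suffix set standing in for the Public Suffix List, the issuance history and the low/week policies are constructed, and keying overrides by registered domain is an assumption based on the snippet above.

```python
from datetime import datetime, timedelta

# Policy as posted in the thread. SUFFIXES is a constructed stand-in for the
# Public Suffix List. This models the config's semantics; it is not Boulder code.
POLICY = {"window": "2160h", "threshold": 50, "overrides": {"example.com": 10000}}
SUFFIXES = {"com", "co.uk"}


def registered_domain(name):
    """Return the longest matching public suffix plus one label."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            if i == 0:
                raise ValueError(f"{name} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known suffix for {name}")


def parse_window(text):
    """Parse an hours-only duration such as '2160h'."""
    if not text.endswith("h") or not text[:-1].isdigit():
        raise ValueError(f"unsupported duration: {text}")
    return timedelta(hours=int(text[:-1]))


def check_order(policy, name, issued, now):
    """Return (allowed, count, limit); issued is a list of (hostname, datetime)."""
    domain = registered_domain(name)
    cutoff = now - parse_window(policy["window"])
    count = sum(
        1 for host, ts in issued
        if ts > cutoff and registered_domain(host) == domain
    )
    # Assumption: overrides are keyed by registered domain, as in the thread's snippet.
    limit = policy["overrides"].get(domain, policy["threshold"])
    return count < limit, count, limit


if __name__ == "__main__":
    now = datetime(2024, 1, 31)
    issued = [  # constructed issuance history
        ("www.example.com", now - timedelta(days=30)),
        ("api.example.com", now - timedelta(days=1)),
    ]
    low = {"window": "2160h", "threshold": 2, "overrides": {}}   # constructed
    week = {"window": "168h", "threshold": 2, "overrides": {}}   # constructed
    for label, policy in (("low", low), ("override", POLICY), ("7-day", week)):
        print(label, check_order(policy, "test.example.com", issued, now))
```

With a threshold of 2 and a 2160h window, the third certificate under example.com is refused; the override or a 168h window lets the same order through, because the 30-day-old issuance only counts inside the longer window.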