Rate Limit Question -- Possible Spoofer?

Hi,
Last week I believe I tried twice to renew my cert; the 2nd attempt got an error when trying to install it.
Today my cert expired and I attempted to renew again, but got a "rate limit error", which looked like it covered a one-week period.
Checked the URL listed and I'm allowed 50 attempts per week. I do a manual certonly type request, so it seems unlikely that my site actually did 50 requests in the last week.
Is there any way to check what IP addresses are making the requests? I have only 3 public IP addresses and only 2 of those could make a legitimate request. Is it possible to specify what IP addresses are allowed to make a certificate request? E.g. define a TXT record in DNS that specifies who is allowed to make a request, something akin to an SPF record?

TIA
Ramon

2 Likes

One day it will be possible to do this with a CAA record that limits certificates to your Let's Encrypt Account ID, but not yet.

Did you check what certificates have been issued on https://crt.sh? That might give a clue.

Your Certbot (or whatever client) logs might give you a hint as well.

2 Likes

Hi @ramoncuriel, and welcome to the LE community forum :slight_smile:

I like the idea of such an added level of control. :heart:

But speaking directly about your situation:
Have you checked to see how many certs have been issued for that domain recently?
[you can use: https://crt.sh/]

1 Like

The rate limits you're probably hitting only trigger when someone successfully gets a certificate, e.g. someone has control over your server. What you describe sounds like you're hitting the 5 duplicate certificates limit.

Other limits are per-account, which also implies access to your server. So usually it's quite difficult for an attacker to do something that would rate-limit you.

2 Likes

That would also be a welcome added level of control :heart:

But this request is specifically for IP address(es):

Is that something that has even been discussed?

1 Like

Hmmm. Didn't know about crt.sh, so that is good information. IIRC, I issued only 2 requests on Aug 9th, but I see 4 certs issued that day, 4 on the 10th and 2 on the 11th.
Ack. Looking at logs now and looks like auto renewal is running. Guess I need to turn that off...
Thanks!
Ramon

1 Like

You are probably seeing double!
Try it this way:
https://crt.sh/?Identity=community.letsencrypt.org&deduplicate=Y
[with the added: &deduplicate=Y]

3 Likes

As @rg305 has alluded to, you are seeing pairs of precertificates and leaf certificates. You can see these labels on crt.sh at the top of each certificate's page.

2 Likes
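To show how the double counting in this thread arises and how to read the real issuance rate from crt.sh data, here is an added example (not code from the original posts or from Let's Encrypt). It assumes the field names of crt.sh's JSON output (`?q=<domain>&output=json`), and that a precertificate and its leaf share a serial number; the entries are constructed to mirror the counts reported above (4, 4 and 2 rows on three days, really 2, 2 and 1 certificates).

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the shape of crt.sh's JSON output. Each issued
# certificate appears twice (precertificate + leaf) with the same serial.
# Field names are an assumption about the crt.sh endpoint; values are made up.
SAMPLE_CRTSH_JSON = json.dumps([
    {"serial_number": "01", "name_value": "example.test\nwww.example.test", "not_before": "2021-08-09T08:00:00"},
    {"serial_number": "01", "name_value": "example.test\nwww.example.test", "not_before": "2021-08-09T08:00:00"},
    {"serial_number": "02", "name_value": "example.test\nwww.example.test", "not_before": "2021-08-09T20:00:00"},
    {"serial_number": "02", "name_value": "example.test\nwww.example.test", "not_before": "2021-08-09T20:00:00"},
    {"serial_number": "03", "name_value": "example.test\nwww.example.test", "not_before": "2021-08-10T08:00:00"},
    {"serial_number": "03", "name_value": "example.test\nwww.example.test", "not_before": "2021-08-10T08:00:00"},
    {"serial_number": "04", "name_value": "example.test\nwww.example.test", "not_before": "2021-08-10T20:00:00"},
    {"serial_number": "04", "name_value": "example.test\nwww.example.test", "not_before": "2021-08-10T20:00:00"},
    {"serial_number": "05", "name_value": "example.test\nwww.example.test", "not_before": "2021-08-11T08:00:00"},
    {"serial_number": "05", "name_value": "example.test\nwww.example.test", "not_before": "2021-08-11T08:00:00"},
])


def dedupe_crtsh(entries):
    """Collapse precertificate/leaf pairs: both log entries carry the same serial."""
    unique = {}
    for entry in entries:
        unique.setdefault(entry["serial_number"], entry)
    return list(unique.values())


def issuance_summary(crtsh_json, as_of, window_days=7):
    """Count real certificates issued in the trailing window, and the largest
    group of 'duplicates' (same exact set of names, as Let's Encrypt defines it)."""
    entries = json.loads(crtsh_json)
    certs = dedupe_crtsh(entries)
    cutoff = as_of - timedelta(days=window_days)
    recent = [c for c in certs if datetime.fromisoformat(c["not_before"]) > cutoff]
    # crt.sh joins the SAN list with newlines; compare as an unordered set of names
    name_sets = Counter(frozenset(c["name_value"].split("\n")) for c in recent)
    return {
        "raw_rows": len(entries),
        "unique_certs": len(certs),
        "issued_in_window": len(recent),
        "max_duplicates": max(name_sets.values(), default=0),
    }


def check_limits(summary, per_domain_limit=50, duplicate_limit=5):
    """Compare the summary against the two weekly limits discussed in the thread."""
    return {
        "per_domain_remaining": max(per_domain_limit - summary["issued_in_window"], 0),
        "duplicate_limit_hit": summary["max_duplicates"] >= duplicate_limit,
    }


if __name__ == "__main__":
    s = issuance_summary(SAMPLE_CRTSH_JSON, as_of=datetime(2021, 8, 12))
    print(s, check_limits(s))
```

Run against live crt.sh output for your own domain, this separates the 50-per-week budget (far from exhausted here) from the 5-duplicate-certificate limit, which an unnoticed auto-renewal can hit on its own.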

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.