Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for: a465-9q4k.cloudera.site: see Rate Limits - Let's Encrypt
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): We are using golang lego lib.
We want to request a certificate for domain: *.dw-vslaadobetest.a465-9q4k.cloudera.site
And we got a response about "acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for: a465-9q4k.cloudera.site: see Rate Limits - Let's Encrypt,
Our problem is that based on the logs on our side, we didn't request that many certificate and we checked crt.sh and it says the same.
So based on all of our information we didn't hit the limit.
Can you help us figuring out how many cert did we request? When can we request new certificate? How can we going forward?
I think you are getting the:
"The main limit is Certificates per Registered Domain (50 per week). "
I received errors from crt.sh trying to lookup cloudera.site. I once got an error from crt.sh even with a465-9q4k.cloudera.site but one succeeded and it showed very many subdomain names of that were issued recently.
You will need to take this up with cloudera people. They may need to request an exception to this rate limit from Lets Encrypt since they are a shared system.
It's quite hard to determine this, because your site has so many certificates issued, crt.sh and similar sites have trouble showing all of the certs..
I think what is happening here is that you're reaching the 50 certificates per domain per week limit. The domain cloudera.site is currently listed in the public suffix list as *.cloudera.site, which means any subdomain of cloudera.site is viewed as if it was a public suffix. However, before 1 september 2021 it was listed just as cloudera.site, i.e., without the wildcard!
So until this change is live in production, all subdomains of cloudera.site will be limited by the 50 certs per week per domain rate limit. When this update is actually live, this rate limit will be shifted towards sub-subdomains. I.e., you can have 50 certs per week for foo.cloudera.site and also 50 certs per week for bar.cloudera.site. I think Boulder updates go live once every two weeks? Not sure about that tho.. In any case, the update is already processed, so the only thing you can do now is wait..
Thank you for the detailed explanation and fast help, I really appreciate it, and totally makes sense.
Do you know by any chance if I can track somewhere when it goes live? Or do you know who/where can I ask about Boulder release state?
I also saw that initially and thought: hmm, does Boulder even process those wildcards in a proper way? So I made a little test The Go Playground
I was really confused when I saw this test gave the correct output.. But the playground obviously uses a recent version of the publicsuffix library. And unfortunately I can't use github.com/weppos/publicsuffix-go/publicsuffix@b19572c4b3c21f315a45ce50d6f15a83d4b2ed12 (the older commit before the change) in Go Playground..
Note that it may take multiple weeks before your rate limit exception request will be processed. It's a manual process and can take a long time, as Let's Encrypt employees don't always have the time for it.
Is that mean we can have 50 subdomain (like appletree.cloudera.site) cert request a week and 50 cert request per subdomain per week (like lemontree1.appletree.cloudera.site, or lemontree2.appletree.cludera.site)?