Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for: a465-9q4k.cloudera.site: see Rate Limits - Let's Encrypt
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): We are using golang lego lib.
We want to request a certificate for domain: *.dw-vslaadobetest.a465-9q4k.cloudera.site
And we got a response about "acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for: a465-9q4k.cloudera.site: see Rate Limits - Let's Encrypt,
Our problem is that based on the logs on our side, we didn't request that many certificate and we checked crt.sh and it says the same.
So based on all of our information we didn't hit the limit.
Can you help us figuring out how many cert did we request? When can we request new certificate? How can we going forward?
I think you are getting the:
"The main limit is Certificates per Registered Domain (50 per week). "
described here:
I received errors from crt.sh trying to lookup cloudera.site. I once got an error from crt.sh even with a465-9q4k.cloudera.site but one succeeded and it showed very many subdomain names of that were issued recently.
You will need to take this up with cloudera people. They may need to request an exception to this rate limit from Lets Encrypt since they are a shared system.
It's quite hard to determine this, because your site has so many certificates issued, crt.sh and similar sites have trouble showing all of the certs..
I think what is happening here is that you're reaching the 50 certificates per domain per week limit. The domain cloudera.site is currently listed in the public suffix list as *.cloudera.site, which means any subdomain of cloudera.site is viewed as if it was a public suffix. However, before 1 september 2021 it was listed just as cloudera.site, i.e., without the wildcard!
So until this change is live in production, all subdomains of cloudera.site will be limited by the 50 certs per week per domain rate limit. When this update is actually live, this rate limit will be shifted towards sub-subdomains. I.e., you can have 50 certs per week for foo.cloudera.site and also 50 certs per week for bar.cloudera.site. I think Boulder updates go live once every two weeks? Not sure about that tho.. In any case, the update is already processed, so the only thing you can do now is wait..
Nice catch on the dates of the PSL updates, @Osiris .
I had checked and only saw the *.cloudera.site entry there, which made me wonder if *.*.cloudera.site was somehow not covered. The dates of inclusion you found are more likely the culprit.
Thank you for the detailed explanation and fast help, I really appreciate it, and totally makes sense.
Do you know by any chance if I can track somewhere when it goes live? Or do you know who/where can I ask about Boulder release state?
I was really confused when I saw this test gave the correct output.. But the playground obviously uses a recent version of the publicsuffix library. And unfortunately I can't use github.com/weppos/publicsuffix-go/publicsuffix@b19572c4b3c21f315a45ce50d6f15a83d4b2ed12 (the older commit before the change) in Go Playground..
You could "poll" (i.e.: regularly visit) https://acme-v02.api.letsencrypt.org/build which gives the build date/time and git commit of the currently live Boulder. You can also check the history at https://letsencrypt.status.io/ which includes Boulder release updates. (Seems to be weekly by the way, looking at the dates of the releases..)
Yeah as @Osiris mentioned, we might need more than 50 cert / sub-sub domain. But first let's see how many certs we request / sub-sub domain and we will request if needs.
Note that it may take multiple weeks before your rate limit exception request will be processed. It's a manual process and can take a long time, as Let's Encrypt employees don't always have the time for it.
Is that mean we can have 50 subdomain (like appletree.cloudera.site) cert request a week and 50 cert request per subdomain per week (like lemontree1.appletree.cloudera.site, or lemontree2.appletree.cludera.site)?
That sounds very limiting.
I would think that the leading "*." would be implied and just ignored in the rate limit implementation; and treated more like an "ends with".
Time to dig through the code...
