Rate limit reached but we are not issuing new certificates

Hi there, we are running into the rate-limit, but I’m not sure why because we are not issuing 50 certs per week.

My domain is getro.com and here you can see the list of certificates issued for our registered domain.

There are renewals triggered automatically multiple times a day by Heroku (our server provider) not by us.

However, these are renewals, not issued certificates.

Since we don’t issue more than 50 certificates per week, I’m wondering why we are running into the rate limit.

We use https://github.com/unixcharles/acme-client to generate orders with the following line of code:

acme_client.new_order(identifiers: domains)

Can anyone help us figure out the situation?

Thank you

What’s the rate limit message? You don’t look rate limited to me right now.

Thank you for your response @_az. This is the error we get:

Error creating new order :: too many certificates already issued for: getro.com: see https://letsencrypt.org/docs/rate-limits/

Why do you think we are seeing this error message?

Do you know if there is a way to see the 50 certs that we issued last week?

Thank you for your help here.

How recently did you get that message?

When I responded an hour ago (and also just now), I was able to create a new order for your domain without any problems.

According to Let’s Debug there are only 41 certs counting towards the rate limit currently: https://letsdebug.net/getro.com/211230?debug=y

Strange.

Interesting, we tried just a few hours ago but this is great news!

Also, I didn’t know about https://letsdebug.net/ but that service is amazing @Osiris .

What I don’t understand is why api.sandbox2.getro.com shows up multiple times.

Are the same domains counted multiple times? I thought renewals did not count.

How could we fix this?

Thank you again @_az and @Osiris!

All those certificates have different lists of hostnames. Renewals don't count against the "certs per domain per week" limit, but do count against the "5 duplicates per week" limit: if you by accident issue 5 times the same "renewal", it doesn't matter if it's a renewal or not, you'll be rate limited for that set of hostnames.

I'm not sure if Let's Debug handles the "RateLimit" section that intelligently. Perhaps it just lists the certificates issued in the last 7 days without filtering renewals. I just don't know.

Yes, it doesn’t account for the renewal exemption. The reason for this is that it would have to query certificates back to the start of time, not just in the last 7 days. Too expensive to calculate (in many cases) unless you’ve got direct access to the Let’s Encrypt database, or an enormous server. I am mooching off crt.sh which is kindly provided as a free service by Sectigo and did not want to abuse the privilege. I left a note about this on https://tools.letsdebug.net/cert-search?m=domain&q=getro.com&d=168 but not in the main letsdebug.net app.

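An added example (not code from anyone in this thread, and not Let's Encrypt's own implementation) that models the two limits discussed in the replies above: a certificate counts as a renewal when an earlier certificate has the exact same hostname set, so the count needs the full history rather than only the last 7 days. The function names, the simplified model and the sample data are assumptions made for illustration; the limit figures are the ones quoted in the thread.

```ruby
WEEK = 7 * 24 * 3600
DOMAIN_LIMIT = 50     # "certs per domain per week" figure from the thread
DUPLICATE_LIMIT = 5   # "5 duplicates per week" figure from the thread

# Identity of a certificate for both limits: its exact hostname set,
# ignoring case and order.
def name_set(names)
  names.map(&:downcase).uniq.sort.join(',')
end

# history should hold every known certificate for the registered domain,
# not only the last 7 days: an older certificate with the same name set
# is what turns a new issuance into a renewal.
def rate_limit_view(history, now)
  seen = {}
  per_set = Hash.new(0)
  counted = 0
  history.sort_by { |c| c[:issued] }.each do |cert|
    key = name_set(cert[:names])
    renewal = seen.key?(key)
    seen[key] = true
    next unless cert[:issued] > now - WEEK && cert[:issued] <= now
    per_set[key] += 1                 # every issuance counts as a duplicate
    counted += 1 unless renewal       # only new name sets count per domain
  end
  { issued_last_7_days: per_set.values.sum,
    counted_toward_domain_limit: counted,
    domain_limit_hit: counted >= DOMAIN_LIMIT,
    duplicate_limit_hit: per_set.select { |_, n| n >= DUPLICATE_LIMIT }.keys }
end

# Constructed sample data: hostnames under the thread's domain, dates invented.
NOW = Time.utc(2024, 1, 15)
def days_ago(n)
  NOW - n * 24 * 3600
end
SAMPLE = [
  { issued: days_ago(100), names: ['api.sandbox2.getro.com'] },
  *(1..5).map { |d| { issued: days_ago(d), names: ['api.sandbox2.getro.com'] } },
  { issued: days_ago(3), names: ['api.sandbox2.getro.com', 'app.getro.com'] },
  { issued: days_ago(2), names: ['API.sandbox2.getro.com', 'app.getro.com', 'www.getro.com'] },
  { issued: days_ago(1), names: ['www.getro.com', 'app.getro.com', 'api.sandbox2.getro.com'] }
]

p rate_limit_view(SAMPLE, NOW) if __FILE__ == $PROGRAM_NAME
```

With the sample data, 8 certificates were issued in the window but only 2 count toward the per-domain limit, while the single-hostname set has reached the duplicate limit. Feeding in only the last 7 days of history raises the per-domain count to 3, which is the overcount described in the reply above.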

This is so helpful. With this info we are able to solve the issue. Thank you both @_az and @Osiris!
