Rate limit reached but we are not issuing new certificates

Hi there, we are running into the rate-limit, but I’m not sure why because we are not issuing 50 certs per week.

My domain is getro.com and here you can see the list of certificates issued for our registered domain.

There are renewals triggered automatically multiple times a day by Heroku (our server provider) not by us.

However, these are renewals, not issued certificates.

Since we don’t issue more than 50 certificates per week, I’m wondering why we are running into the rate limit.

We use https://github.com/unixcharles/acme-client to generate orders with the following line of code:

acme_client.new_order(identifiers: domains)

Can anyone help us figure out the situation?

Thank you

What’s the rate limit message? You don’t look rate limited to me right now.

Thank you for your response @_az. This is the error we get:

Error creating new order :: too many certificates already issued for: getro.com: see https://letsencrypt.org/docs/rate-limits/

Why do you think we are seeing this error message?

Do you know if there is a way to see what are the 50 certs that we issued last week?

Thank you for your help here.

How recently did you get that message?

When I responded an hour ago (and also just now), I was able to create a new order for your domain without any problems.

According to Let’s Debug there are only 41 certs counting towards the rate limit currently: https://letsdebug.net/getro.com/211230?debug=y

Strange.

Interesting, we tried just a few hours ago but this is great news!

Also, I didn’t know about https://letsdebug.net/ but that service is amazing @Osiris.

What I don’t understand is why api.sandbox2.getro.com shows up multiple times.

Are the same domains counted multiple times? I thought renewals did not count.

How could we fix this?

Thank you again @_az and @Osiris!

All those certificates have different lists of hostnames. Renewals don't count against the "certs per domain per week" limit, but do count against the "5 duplicates per week" limit: if you accidentally issue the same "renewal" 5 times, it doesn't matter if it's a renewal or not, you'll be rate limited for that set of hostnames.

I'm not sure if Let's Debug handles the "RateLimit" section that intelligently. Perhaps it just lists the certificates issued in the last 7 days without filtering renewals. I just don't know.

Yes, it doesn’t account for the renewal exemption. The reason for this is that it would have to query certificates back to the start of time, not just in the last 7 days. Too expensive to calculate (in many cases) unless you’ve got direct access to the Let’s Encrypt database, or an enormous server. I am mooching off crt.sh which is kindly provided as a free service by Sectigo and did not want to abuse the privilege. I left a note about this on https://tools.letsdebug.net/cert-search?m=domain&q=getro.com&d=168 but not in the main letsdebug.net app.
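The two limits discussed in the replies above, as an added example that is not part of any post in this thread and is not Let's Debug's code. It assumes a renewal is a certificate with exactly the same set of hostnames as an earlier one; `rate_limit_usage`, `sample_history` and the example.com history are hypothetical and constructed for illustration.

```ruby
require 'set'

WEEK = 7 * 24 * 3600     # rate-limit window in seconds
CERTS_PER_DOMAIN = 50    # "certs per domain per week" figure from the thread
DUPLICATE_LIMIT = 5      # "5 duplicates per week" figure from the thread

# certs: full issuance history for one registered domain, as
# { names: [hostnames], issued: Time }. The whole history is needed because
# a renewal can only be recognised by finding an earlier identical name set.
def rate_limit_usage(certs, now)
  seen = Set.new            # every hostname set issued so far
  counted = 0               # in-window certs that are not renewals
  per_set = Hash.new(0)     # in-window issuances per exact hostname set
  certs.sort_by { |c| c[:issued] }.each do |c|
    key = c[:names].map(&:downcase).uniq.sort
    if c[:issued] > now - WEEK && c[:issued] <= now
      counted += 1 unless seen.include?(key)
      per_set[key] += 1
    end
    seen << key
  end
  { raw_in_window: per_set.values.sum,
    counted_for_domain: counted,
    domain_limited: counted >= CERTS_PER_DOMAIN,
    duplicate_limited: per_set.select { |_, n| n >= DUPLICATE_LIMIT }.keys }
end

# Constructed sample history (example.com names, not real CT data).
def sample_history(now)
  day = 24 * 3600
  main = %w[example.com www.example.com]
  api  = %w[api.sandbox2.example.com]
  [
    { names: main, issued: now - 70 * day },                     # original, outside window
    { names: main, issued: now - 3 * day },                      # renewal, exempt from the 50
    { names: api + %w[app.example.com], issued: now - 2 * day }, # different list, counts
    *(1..5).map { |h| { names: api, issued: now - day + h * 3600 } } # same set 5 times
  ]
end

now = Time.utc(2020, 6, 15)
p rate_limit_usage(sample_history(now), now)
```

A plain 7-day listing corresponds to `raw_in_window`, which is higher than `counted_for_domain` whenever renewals fall inside the window.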

This is so helpful. With this info we are able to solve the issue. Thank you both @_az and @Osiris!