Rate limited domain

mcdado 2016-05-01 16:18:03 UTC #1

I did setup a cron job for renewing the certificate of my Plesk page on a VPS on OVH, and the domain I get to use is vps{****}.ovh.net.

Once in a while I'm getting the {"type":"urn:acme:error:rateLimited","detail":"Error creating new cert :: Too many certificates already issued for: ovh.net","status":429} error.

I know from several discussions here that domains are limited to a certain amount of renews a day. I'd like to set the cron job at the best time possible.

What time zone is used to define a day? And precisely how many certificates can be issued in a day for each domain?

This way I could be assured to be among the first ones to renew. I already moved away from the first day of the month to the middle of the month to increase my chances to get renewed.

Svavar_Kjarrval 2016-05-01 16:44:56 UTC #2

There is no specific timezone as each ratelimit is on a sliding window. It's essentially counting how many certificates have been issued for your specific domain in the last X nychthemerons (X * 24 hours) and rejects the request if the number is at or above the limit.

mcdado 2016-05-01 22:13:22 UTC #3

Thanks for your answer!
I guess I'll just set the cron job to run on a less busy day to renew… using this tool to query for my domain, I found that mostly everyone renews at the end or at the beginning of the month.

DarkSteve 2016-05-02 03:18:53 UTC #4

I don't think that's quite how it works.

Renewals don't actually count against your rate limit, which is 20 certificates per week. From what other people have said in this forum, I think it's an issue with the Plesk plugin, where it basically creates new certs instead of renewing existing ones. There was a previous poster who's newly created Plesk certs ended in "001", which is how Let's Encrypt deals with new certs for existing domains.

Your error message is complaining that there's an "error creating new cert" because there's been "too many certificates already issued" for the domain. Is there an update for the Plesk plugin? Hopefully that will cure your ills

DarkSteve 2016-05-02 03:30:04 UTC #5

Ah, here you go:
* 20 certificates per registered domain per week (up from 5).
* Added an exception to this limit for renewing certificates (issuing a new certificate with same names as a previous one).
* Added a new limit on issuing certificates with the exact same set of names: 5 certificates per FQDN set per week.

Note that if you have a domain with more than 20 
subdomains, the exception we added for renewing certificates allows you 
to gradually increase the number of certificates you can issue over the 
course of multiple weeks.

The limits don't apply to renewals, so I really think it's an issue with the Plesk plugin! Since creating certs for domains with the exact same FQDN is limited to five per week, I'm guessing you hit that limit. I'll hazard a guess that you're set to renew daily? And it took about 5 days to get this error?

jvanasco 2016-05-02 04:19:35 UTC #6

You're experiencing this problem because vps{****}.ovh.net is a subdomain on a major hosting company ovh.net. You're competing for a ratelimit against all the official uses that ovh has AND all their other users.

The best way to solve this would be opening up a ticket with OVH. they're a platinum sponsor of LetsEncrypt and should be better able to either get their domain whitelisted OR figure out a better way.

If your control panel's address doesn't change, you should just register with ONLY that address on the certificate and keep renewing. once that issues, the only ratelimit you should encounter is one on ips.

Is there any chance your cron is trying to create a new cert and not renew? that is more likely to raise issues like this.

DarkSteve 2016-05-02 06:37:11 UTC #7

But that's only for new certs, not renewals. He shouldn't be hitting any limits when trying to renew.

His error message makes it sound that way. I genuinely think it's an issue with the Plesk plugin.

mcdado 2016-05-02 16:55:22 UTC #8

Hello everyone! So, yes I'm using the official Plesk plugin for Let's Encrypt. My cron job is scheduled to run once a month.

Yes, it is correct that I'm competing against OVH itself and all users with a service (dedicated server, VPS, whatever…) that is reachable as a subdomain of ovh.net, that's why my original question was how to trick the process by using the start of the day, but as it was mentioned it's a rolling window, so for now I'll just run it on a less busy day than the 1st of each month.

It's very likely that the issue is caused by the fact that the plugin is requesting new certs instead of renewing them. I'll open an Issue on GitHub for the plugin repo so that this problem can be solved properly.

Edit: see the issue

DarkSteve 2016-05-03 00:08:14 UTC #9

Good work, mcdado

system 2016-06-02 00:08:15 UTC #10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.