Rate limited IP when trying to mass enable

Hi

We migrated 1500 websites to a new server

Let’s encrypt only allows a handful per hour and I think I read a maximum of 50 per week.

We filled out the google doc to request an exception however I don’t know when we will hear back about this request, has anyone got any experience with this process? If so how long is it typically for the turnaround to get this approved so we can mass enable let’s encrypt for our clients websites!

1 Like

@jple can give you info about rate limit updates.

Can you share the exact message you’re getting from your ACME client, and what type of issuance you’re doing? I.e. is it lots of unrelated domains, or many subdomains on a single domain?

There’s more documentation of how our rate limits work here: https://letsencrypt.org/docs/rate-limits/

3 Likes

Is there a reason you chose not to move the existing certs with the sites to the new server? That would’ve prevented the need to get new ones for all of them simultaneously.

2 Likes

Hi

We are providing shared hosting, it’s lots of separate websites.

The error is: One of the Let’s Encrypt rate limits has been exceeded fordomain*

Refers me to https://letsencrypt.org/docs/rate-limits/

it’ll say this on all domains on the server even if this domain hasn’t tried to generate a SSL for a few days.

IIS won’t allow us to export the letsencrypt SSLs only the paid ones. Previously we used solidcp.com control panel and i’m not sure how exactly this generated the SSLs but it doesn’t allow private key to export.

1 Like

So you are using Plesk.

Plesk uses 1 Let’s Encrypt registration per Plesk user.

I suspect the rate limit you are hitting is this one:

You can create a maximum of 10 Accounts per IP Address per 3 hours

So if you have 100 Plesk users, it would take a total of 30 hours (10 users per 3 hours) to register Let’s Encrypt accounts for each user on the server.

1 Like

Yes we are using plesk but with 573 users and 2040 domains. (including the domains already using SSL ie RapidSSL)

What we tried to do was export a list of domains then run on command line to install a SSL from letsencrypt which started failing quite quickly hence why we submitted a request to have this rate limit increased.

here is the exact error:

Invalid response from https://acme-v02.api.letsencrypt.org/acme/new-acct.

Details:

Type: urn:ietf:params:acme:error:rateLimited

Status: 429

Detail: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/

Your rate limit increase may not be granted:

It takes a few weeks to process requests, so this form is not suitable if you just need to reset a rate limit faster than it resets on its own.

If you want to fix the problem immediately, you might need to manually issue the missing certificates using non-Plesk tools, and then gradually replace them with Plesk-issued certificates as the account registration limit permits (~7 days for all your 573 users).

You could also ask Plesk support whether it’s possible to somehow issue the certificates from a single Let’s Encrypt account.

1 Like

If you get desperate, there are ways to bypass that cert store flag that prevents export of those certs. Mimikatz is probably the most well known tool that can help. But it’s also flagged as a hacking tool by many AV solutions. Here’s a thread with some options.

Personally, I would use 1 LetsEncrypt account to issue all the certificates and then migrate them to individual accounts over the next few days.

You could also funnel traffic through proxy-servers to hit the LetsEncrypt API from a pool of IP addresses, which should bypass this ratelimit.

2 Likes

These are all great suggestions - I’ve also e-mailed OP to let them know about the status of their rate limit adjustment.

Thanks, amazing community members, for your continued help! :slight_smile:

1 Like

There would be an option to move the accounts from the old hosting to the new one, if available. No need to create new accounts, no chance to hit rate-limit.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.