Rate limits don't seem to pay attention to revocations


Greetings. I want to create a cert with multiple DNs instead of the multiple certs that I issues with different sub-domains. I tried to generate such a cert, but got the “Too many certificates already issued for:” error. So I revoked one of the certificates under that DN and tried again, but still got the “Too many certificates already issued for:” error. Thus, it appears that the rate limit doesn’t pay attention to revocation, which is quite a pain. Any help here would be appreciated, given that now I have a revoked cert for a domain I care about.


Well, in the FAQ there’s a link to the Quick Start Guide and in the “Rate Limiting” section there isn’t any mentioning of the influence of revocation on the rate limit. Therefore, I don’t really understand why you assume as much?

You’ll have to wait. How much depends on the issuence of the first of 5 certificates.


That is correct. Even if the certificate is expired, LE still has to sign the OCSP response indicating such every four days until the certificate’s original expiration. The rate limits are intended to lower the number of different certificates they have to handle.


@motoko but why? revocation is a one time thing, and it should be irrelevant WHEN it was revoked, the point is THAT it was revoked and for that one signature that should just be stored should be enough. I also talked with @tlussnig about this and he has the same opinion.


Based on my understanding of the Baseline Requirements, the OCSP status has to be updated at least every four days until normal expiration of the certificate. That means that the revocation status has to be re-signed on that schedule. The expiration of that OCSP signature is 10 days, also a hard requirement. See section 4.9.10.


I can’t even find this part in the requirements, although it would make sense… No need to revoke an expired certificate, one would say… But where it’s said in the requirements? I dunno…


4.10.1: “Revocation entries on a CRL or OCSP Response MUST NOT be removed until after the Expiry Date of the revoked Certificate”

I guess they could continue to sign responses for expired certificates, but it doesn’t seem to be required.


Indeed it suggests it’s allowed after the expire date, thanks for the info :slightly_smiling:


There might be a requirement elsewhere that clients must/should not check the OCSP status of expired certificates.