I built a course where I have every student request a Let's Encrypt certificate for a subdomain of ops345.ca. For example if I were a student I would request a certificate for asmith15.ops345.ca
Here's the lab the students are following: OPS345 Lab 5 - Littlesvr Wiki
All that worked for almost a year, but this semester my students are getting an error saying: too many certificates already issued for "ops345.ca". Retry after 2022-11-06T01:00:00Z. see Rate Limits - Let's Encrypt
On that page it says there's a limit of 50 certificates per domain. I guess that means the ops345.ca domain, even though the certificates are being requested separately for each userXYZ.ops345.ca
The problem is we have hundreds of students and the lab was due yesterday. Also subsequent labs rely on this lab having been completed.
I can mess up the course schedule for this semester, but I'd like to know whether I should look for alternatives to using let's encrypt, because frankly this sucks, it does not help me deliver my course, and it doesn't help my students learn. In fact I'm not sure who is supposed to be benefiting from this policy in our case.
Does anyone have suggestions for how to deal with this now and in the future?
Thanks in advance.
Hello @AndrewSmith, welcome to the Let's Encrypt community.
I would like to share that testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).
So if your students could use the Staging Environment to start with until that have their system working that would be helpful.
However you may still run in to the Rate Limits so well ask the @lestaff for additional help and advise.
Thanks for the suggestion, but if I'm reading it right: there isn't any useful (for me) difference between certificates from the Let's Encrypt staging environment and self-signed certificates?
I'm new to this forum, how do I ask @lestaff?
Hello @AndrewSmith addressing them like we did notifies them, so you've asked.
So waiting with patience, they have a backlog on handling just "Rate limits"; and they have so much more to do as well.
Also there are other ACME v2 CAs that also offer Free Certificates
Another thing to possible do is use https://smallstep.com/ 's Build a Tiny Certificate Authority For Your Homelab
This is intended for certificate to be used on an internal network, not the Internet at large.
Yes you are correct. However from Rate Limits - Let's Encrypt
For instance, in the name
www.example.com , the registered domain is
example.com . In
new.blog.example.co.uk , the registered domain is
example.co.uk . We use the Public Suffix List to calculate the registered domain. Exceeding the Certificates Per Registered Domain limit is reported with the error message
too many certificates already issued , possibly with additional details.
So using the Public Suffix List maybe able to assist, but I defer to the Let's Encrypt Staff as offering the best solution for you and your students.
That's correct, the parent domain name can "only" have 50 certs per week issued.
Question: can users of your domain host their own code on their own subdomain? If so, for security reasons you should put your domain name on the public suffix list. A side-effect of that (NOTE: a side-effect and not the main reason) is that by having your domain on the PSL is that the LE rate limits get counted by the first level subdomain instead of the apex domain name.
The students have full control of their subdomain so yes, they can host their own code.
Can you please explain why that's a security issue? I was not aware of one, I'd like to deal with that.
Mostly cookie security, but you can learn more about the list and what browsers do with it here: Learn more about the Public Suffix List
Please see the Overrides section of our Rate Limits documentation: Rate Limits - Let's Encrypt
Your use case is one where we would likely grant a rate limit adjustment.
As others mentioned, getting on the Public Suffix List could be another good approach and would also help solve some security problems with shared domains. However, the PSL team is even more overburdened with requests, and PSL updates take some extra time to make it to us at Let's Encrypt.
Thanks @JamesLE - I submited the form. Hopefully it will get approved so that I don't have to rebuild this part of the course for next semester. I'll suck it up this semester.
I'm also looking at adding ops345.ca to the Public Suffix List.
How much does a
.ca domain cost?
You could easily use one unique domain for each semester.
[You wouldn't even have to renew them - just the one-time charge.]
It's neither easy nor cheap. One domain registration costs about 20$ (out of my own pocket), and given over 200 students that would be cost me 80$ per semester (240$ a year) in perpetuity. That's not counting many hours of work I'd have to put in to alter the software to work with multiple domains. Or the many hours I'd have to spend dealing with confused studetns who are trying to use the wrong domain for their section/semester.
Can you use a (free) dynamic dns service that is already on the PSL list? E.g. https://www.noip.com
Try browsing the existing PSL list and there may be a domain/vendor you can easily use.
There are all sorts of things I can do to avoid this problem, including not using Let's Encrypt at all. I don't think this page is right place to discuss how or what I should teach my students.
Does that imply there is some other free CA that you can use (without such rate limiting issues)?
[or am I just reading what wasn't written between the lines]
I must have missed where anyone directed you on either of those two things.
But I do agree with you with that thinking.
ZeroSSL doesn't have rate limits on their ACME service, I believe. Might be an option while you set things in motion regarding the LE rate limits.
EAB might be an issue tho indeed, although you can easily get one using an API call I think. Edit: Hm, but that API call requires an account key..
You are free to make your own choices. LE is one choice. We only want to secure the internet one site at a time... If you choose to use LE, this forum is here to help those who appreciate and need it.
It is also possible to request a key from their web interface. This should make it easier.
You should always generate the private key on your own computer. Unless you've audited all the client side source code and you're absolutely know the key is generated in the browser and never leaves it. But you'd have to re-audit the website every time again (unless you'd hash the audited source code and just check the hashes).