Hello,
For the last couple of months I have been creating new certificates for subdomains of safeticket.dk.
I have created them at around 20 certificates per week, hitting the rate limit occasionally.
Now the first of those certificates have started to be renewed with 30 days left before expiration.
The renewals work fine but new certificates are failing, with a rate limit error:
acme-client: transfer buffer: [{ "type": "urn:acme:error:rateLimited", "detail": "Error creating new cert :: too many certificates already issued for: safeticket.dk", "status": 429 }] (157 bytes)
From the page about rate limiting, I get the impression that new certificates should not be prevented due to renewals.
"Note that the Renewal Exemption also means you can gradually increase the number of certificates available to your subdomains. You can issue 20 certificates in week 1, 20 more certificates in week 2, and so on, while not interfering with renewals of existing certificates."
If, however, this is the case, this basically limits the total number of certificates per registered domain to around 170 if renewal happens every 60 days.
https://crt.sh/?q=%25.safeticket.dk
All the dev.safeticket.dk certificates are renewals.
I know I can work around this by putting more names in each certificate, but I'd prefer to have one certificate for each subdomain, as it keeps the whole setup much simpler.
I hope someone can shed some light on this. From my point of view, either the rate limiting has a bug or the documentation is wrong.
Thanks.
/Christian
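
The ceiling estimated in the post can be checked with a small simulation. This is an added example, not part of the original post and not Let's Encrypt's code. It assumes a 7-day sliding window of 20, renewal at day 60, and renewals handled before new requests each day, and it compares renewals that consume the window with renewals that do not.

```python
from collections import deque

LIMIT = 20        # certificates per registered domain per week (figure from the post)
WINDOW_DAYS = 7
RENEW_AGE = 60    # renew with 30 days left on a 90-day certificate


def simulate(days, renewals_count):
    """Return (certificates held, last day a new certificate was issued)."""
    window = deque()     # issuance days still inside the sliding window
    due = {}             # certificate id -> day of its next renewal
    last_new_day = None
    for day in range(days):
        while window and window[0] <= day - WINDOW_DAYS:
            window.popleft()
        # Assumption: renewals run first each day and are never refused.
        for cert, when in list(due.items()):
            if when == day:
                due[cert] = day + RENEW_AGE
                if renewals_count:      # the behaviour under test
                    window.append(day)
        # New subdomains: request until the window is full (then 429).
        while len(window) < LIMIT:
            due[len(due)] = day + RENEW_AGE
            window.append(day)
            last_new_day = day
    return len(due), last_new_day


if __name__ == "__main__":
    for label, counted in (("renewals consume the window", True),
                           ("renewals do not consume it", False)):
        total, last = simulate(365, counted)
        print(f"{label}: {total} certificates, last new issuance on day {last}")
```

With whole batches of 20 the first model stalls at 180 certificates, close to the 20 × 60 / 7 ≈ 171 estimate in the post, while the second keeps growing by 20 per week.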