Rate Limits Reloading Server


#1

Hi guys. I am having trouble: I had to reload our main server and while doing so we sent too many requests, hitting the rate limit. Can I please have an increase, even if temporary? My site is currently offline because of our SSL dependency. Thank you, hope all is well. Please and thank you, thank you!

Justin Cichowski
Chattank LLC


#2

There’s no way to reset the rate limit, but depending on which rate limit you hit, you may be able to circumvent it. What was the exact error message you got?


#3

The message says wait 5-7 days. Rate Limit. It also says to request a limit increase contact letsencrypt.org, which I did via email. They said to direct the questions here. Thanks for your help.


#4

There isn’t a rate limit that lasts 5-7 days, but there is a limit of 5 duplicate certificates per 7 days. Is that what you ran into?

If so, you can circumvent it by requesting a new certificate for a different set of domains. For example, if the cert you’re having trouble with is for example.com, you could request one for example.com and www.example.com. Or if it’s for example.com and www.example.com, you could add another subdomain e.g. extra.example.com and then request a single cert covering all three.

There is also a limit of 50 certificates per registered domain per week, which cannot be circumvented in this manner. If you hit that one, you’ll just have to wait it out (or if you need a cert urgently, get one from another CA).
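The two limits described above behave differently: the duplicate-certificate limit keys on the exact set of names, so changing the set sidesteps it, while the per-registered-domain limit counts every certificate containing a name under that domain and can only be waited out. The following is an added example (not code from this thread or from Let's Encrypt) that models both counts over a constructed issuance history and says which limit a new request would hit and what to do about it. The registered-domain heuristic (last two labels) and the sample dates are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Limits as stated in the thread: 5 duplicate certificates (same exact set of
# names) per 7 days, and 50 certificates per registered domain per 7 days.
DUPLICATE_CERT_LIMIT = 5
PER_REGISTERED_DOMAIN_LIMIT = 50
WINDOW = timedelta(days=7)


def normalize_domain_set(domains):
    """Canonical form of a certificate's name set: lower-case, trailing dots and
    whitespace removed, duplicates dropped, sorted. Two requests with the same
    canonical set count as duplicates regardless of the order they were typed in."""
    return tuple(sorted({d.strip().lower().rstrip(".") for d in domains if d.strip()}))


def registered_domain(hostname):
    """Approximate the registered domain as the last two labels (chattank.com for
    www.ads.chattank.com). This is an assumption made for the example; a production
    check should use the Public Suffix List, since e.g. example.co.uk has three labels."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_request(history, domains, now):
    """Predict which limits a new issuance request would hit.

    history: iterable of (issued_at: datetime, names: iterable of str) for
             certificates already issued for these domains.
    Returns a dict with counts, flags, and the time the duplicate limit clears."""
    wanted = normalize_domain_set(domains)
    recent = [(t, normalize_domain_set(names)) for t, names in history if now - t < WINDOW]

    duplicate_times = [t for t, names in recent if names == wanted]
    duplicate_hit = len(duplicate_times) >= DUPLICATE_CERT_LIMIT
    # The oldest duplicate falls out of the window first; that is when one more
    # identical certificate becomes possible again.
    clears_at = min(duplicate_times) + WINDOW if duplicate_hit else now

    # Per-registered-domain count: every recent certificate that contains at
    # least one name under the registered domain counts, whatever its other names.
    per_registered = {}
    for rd in {registered_domain(d) for d in wanted}:
        per_registered[rd] = sum(
            1 for _, names in recent if any(registered_domain(n) == rd for n in names)
        )
    registered_hit = [rd for rd, c in per_registered.items() if c >= PER_REGISTERED_DOMAIN_LIMIT]

    if registered_hit:
        advice = "wait for the per-registered-domain window to pass (or use another CA)"
    elif duplicate_hit:
        advice = "change the set of names (add or drop a hostname) to avoid the duplicate limit"
    else:
        advice = "request can proceed"

    return {
        "domain_set": wanted,
        "duplicates_in_window": len(duplicate_times),
        "duplicate_limit_hit": duplicate_hit,
        "duplicate_limit_clears_at": clears_at,
        "per_registered_domain": per_registered,
        "registered_domain_limit_hit": registered_hit,
        "advice": advice,
    }


# Constructed sample history: five identical certificates issued on five consecutive
# days (one typed in a different order and case, and one with a trailing dot, which
# must still count as duplicates), plus one old enough to be outside the window.
NOW = datetime(2024, 1, 10, 12, 0)
SAMPLE_HISTORY = [
    (NOW - timedelta(days=1), ["chattank.com", "www.chattank.com"]),
    (NOW - timedelta(days=2), ["WWW.chattank.com", "chattank.com"]),
    (NOW - timedelta(days=3), ["chattank.com", "www.chattank.com"]),
    (NOW - timedelta(days=4), ["chattank.com", "www.chattank.com"]),
    (NOW - timedelta(days=5), ["chattank.com", "www.chattank.com."]),
    (NOW - timedelta(days=9), ["chattank.com", "www.chattank.com"]),
]

if __name__ == "__main__":
    for names in (["chattank.com", "www.chattank.com"],
                  ["chattank.com", "www.chattank.com", "extra.chattank.com"]):
        r = check_request(SAMPLE_HISTORY, names, NOW)
        print(r["domain_set"], r["duplicates_in_window"], r["advice"])
```

Run as a script, the first request (the same two names again) is reported as blocked by the duplicate limit until two days from the sample "now", while the request with extra.chattank.com added is a new name set and proceeds; both count as five certificates against chattank.com, well under the 50-per-week limit.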


#5

Perfect, this is exactly what I was looking for. Thank you!

I ran into another issue. In an attempt to secure MSSQL, the requirements include that my FQDN match the Subject of my certificate. My current FQDN is “chattank.com”. The problem is that when the certificate is generated using multiple domains, the generated certificate’s Subject is “www.chattank.com” and not “chattank.com”, which we need, and this creates a mismatch so MSSQL will not load the certificate. I am very reluctant to reload the server again only to add the “www.” to our FQDN. I hope there is a way. Below is the command I am using to generate the certificate.

le64 --export-pfx "xxxxxxxxxxx" --tag-pfx "mssqlssl" -key /nginx/conf/account.key -csr /nginx/conf/chattank.csr -csr-key /nginx/conf/chattank.key -crt /nginx/conf/chattank.crt -domains "chattank.com,www.chattank.com,ads.chattank.com,www.ads.chattank.com" -path c:/nginx/html/.well-known/acme-challenge -generate-missing -issue-code 100 -renew 70 -live

Thank you so much.

Justin


#6

Do you really need to use the same cert for mssql as everything else? Could you issue a separate cert just for chattank.com alone and use that for mssql?

For that matter, does it even need to be a publicly trusted Let’s Encrypt cert? If you control the client that connects to it, you may be able to configure it to trust a predefined self-signed cert.


#7

Yes, keeping the same certificate will be much more efficient for us. No, we have pretty strict guidelines we must abide by. A self-signed cert is not an option. I was hoping for a way to specify the Subject line. Thank you for the quick response John!


#8

Sorry, I have no idea how to do that with le64, or if it’s even possible.


#9

That is NOT what was being recommended:

Which simply means running LE64 twice: once for all other sites and once more for MSSQL. Like:

le64 --export-pfx "xxxxxxxxxxx" --tag-pfx "mssqlssl" -key /nginx/conf/account.key -csr /nginx/conf/chattank.csr -csr-key /nginx/conf/chattank.key -crt /nginx/conf/chattank.crt -domains "chattank.com" -path c:/nginx/html/.well-known/acme-challenge -generate-missing -issue-code 100 -renew 70 -live

le64 --export-pfx "xxxxxxxxxxx" --tag-pfx "allothers" -key /nginx/conf/account.key -csr /nginx/conf/allothers.csr -csr-key /nginx/conf/allothers.key -crt /nginx/conf/allothers.crt -domains "chattank.com,www.chattank.com,ads.chattank.com,www.ads.chattank.com" -path c:/nginx/html/.well-known/acme-challenge -generate-missing -issue-code 100 -renew 70 -live


#10

Yes. What you describe sounds like the one. It’s been a pleasure. I will report back with my results. Thanks again for your time and consideration.


#11

This ultimately worked. Side note: MSSQL needs the entire FQDN. Example: chattank.com is the domain. The syntax required for MSSQL certificates looks like example.chattank.com, where example is the name of the computer. Thanks again!


#12

Technically speaking, MSSQL the service doesn’t care about the Subject name on the cert matching the computer name. Only the GUI that you use to select the cert cares about it. You can have it use any old cert by ultimately doing what the GUI does under the hood (which if I recall correctly is just setting a cert thumbprint in a particular registry key). And if you’re already automating the cert generation, I’d suggest automating the cert install as well?
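The distinction drawn in this reply, a TLS client matching the hostname against any SAN entry versus a tool that compares only the Subject CN, is exactly what produced the earlier mismatch: the multi-name certificate covers chattank.com in its SAN list, but its Subject CN came out as www.chattank.com. The following is an added example (not code from this thread, from le64 or from Microsoft) that models the two checks side by side on constructed certificate descriptions. The field names, the sample certificates and the "Subject-only" rule as a description of the GUI's behaviour are assumptions taken from the thread's account, not from the MSSQL documentation.

```python
# Constructed certificate descriptions with only the fields the two checks look at.
# Mirrors the thread: a multi-name cert whose Subject CN ended up as www.chattank.com,
# and a single-name cert issued just for chattank.com.
CERT_MULTI = {
    "subject_cn": "www.chattank.com",
    "san": ["chattank.com", "www.chattank.com", "ads.chattank.com", "www.ads.chattank.com"],
}
CERT_SINGLE = {"subject_cn": "chattank.com", "san": ["chattank.com"]}


def _canon(name):
    """Case-insensitive comparison form: trimmed, lower-cased, no trailing dot."""
    return name.strip().lower().rstrip(".")


def name_matches(pattern, hostname):
    """Hostname matching in the RFC 6125 style used by TLS clients: an exact,
    case-insensitive label comparison, with '*' allowed only as the whole left-most
    label and matching exactly one label (so *.chattank.com covers ads.chattank.com
    but neither www.ads.chattank.com nor the bare chattank.com)."""
    p = _canon(pattern).split(".")
    h = _canon(hostname).split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        # Refuse wildcards that would cover a whole registered domain (*.com).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def tls_client_accepts(cert, hostname):
    """What a TLS client checks: any SAN dNSName may match; the Subject CN is only a
    fallback when the certificate carries no SAN at all."""
    candidates = cert["san"] or [cert["subject_cn"]]
    return any(name_matches(n, hostname) for n in candidates)


def strict_subject_match(cert, hostname):
    """The stricter rule the thread describes for the MSSQL configuration GUI:
    the Subject CN itself must equal the machine's FQDN; SAN entries are not consulted."""
    return _canon(cert["subject_cn"]) == _canon(hostname)


def explain(cert, hostname):
    """Summarise both checks for one certificate/hostname pair."""
    tls_ok = tls_client_accepts(cert, hostname)
    subject_ok = strict_subject_match(cert, hostname)
    if subject_ok:
        verdict = "usable for both TLS clients and a Subject-only check"
    elif tls_ok:
        verdict = "valid for TLS clients, but rejected by a Subject-only check"
    else:
        verdict = "does not cover this hostname at all"
    return {
        "hostname": _canon(hostname),
        "tls_client_ok": tls_ok,
        "subject_only_ok": subject_ok,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for cert in (CERT_MULTI, CERT_SINGLE):
        print(cert["subject_cn"], "->", explain(cert, "chattank.com")["verdict"])
```

For chattank.com the multi-name certificate passes the TLS client check and fails the Subject-only check, while the single-name certificate passes both, which is why issuing a second certificate for chattank.com alone resolved the problem in the thread.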


#13

A lot of misinformation gets passed around the web… This is why I sometimes have trouble fishing through bad info. What you mentioned with the registry I came across and attempted several times, and it does not work. Caps, no caps. Simply doesn’t work that way. Refer to my last post; it is what works. Thanks.


#14

Lol… misinformation is the wrong term… I don’t think the bad info was intentional! =) Back to Grammarly.


#15

It’s somewhat off topic for here to try and help debug this particular problem. But I can assure you it does work as recently as MSSQL 2016 on Windows Server 2016. When I did it, it wasn’t with an LE cert, but with a cert from an internal CA for a SQL AAG cluster. The Subject name on the cert was the cluster’s AAG name and it contained SAN entries for the cluster name in addition to each node’s FQDN and IP. Configuring the cert with the GUI was impossible, but configuring it via the registry worked just fine and clients connecting via TLS to the AAG name were happy.

