Rate Limits when adding domains?

I'm quite confused on how rate limiting works when you are adding domains to an existing certificate?

Let's say I have issued a certificate today for 4 domains:


Now, if I were to add two more domains next week:


how would rate limiting apply? When adding a domain to a certificate, aren't you essentially revoking and reissuing the previous 4 domains, then doing a certificate with 6 domains? Since the rate limit is only 5 certs/domain/week, I don't know how this will turn out.

Edited to reflect the discussion below :wink:

If you had a single certificate (for example.com, www.example.com, abc.example.com, def.example.com), then that is one certificate,

and if you then get a new certificate for all 6 (example.com, www.example.com, abc.example.com, def.example.com, 123.example.com, 456.example.com), then that is a second certificate.

So you will have used 2 certificates (of the 5 certs/domain/week).

If you got 4 separate certificates the first time, and then you requested 2 new separate certificates the second time (each just for the single subdomain), then you would have tried to get 6 certificates, and hit the rate limit.

Do you know what you want in advance though? If so, it's relatively easy to create a single certificate for all your subdomains (up to 100).

Revoking a certificate does not remove it from the rate limit. The rate limit is still 5 certs/domain/week.

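The counting rule described in the reply above (a certificate counts once per registered domain it covers, regardless of how many SANs it has, and revocation does not free the slot) is easy to get wrong when planning issuances. The following is an added example, not Let's Encrypt's or the client's own code: it models the "5 certs/domain/week" rule over a constructed issuance log so you can check a plan before hitting the CA. It assumes a simplified "last two labels" rule for the registered domain; the real CA uses the Public Suffix List, so names under suffixes like co.uk would be grouped differently.

```python
from datetime import datetime, timedelta

RATE_LIMIT = 5            # certificates per registered domain per week, as stated in the thread
WINDOW = timedelta(days=7)


def registered_domain(name: str) -> str:
    # Simplifying assumption: the registered domain is the last two labels.
    # The real service consults the Public Suffix List instead.
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def certs_in_window(issuances, registered, now):
    # Count issued certificates covering `registered` within the trailing 7-day window.
    # The revoked flag is deliberately ignored: revocation does not reset the limit.
    count = 0
    for issued_at, sans, _revoked in issuances:
        in_window = now - WINDOW < issued_at <= now
        if in_window and any(registered_domain(s) == registered for s in sans):
            count += 1
    return count


def would_exceed(issuances, new_sans, now):
    # Registered domains for which one more certificate with `new_sans` would exceed the limit.
    over = []
    for reg in sorted({registered_domain(s) for s in new_sans}):
        if certs_in_window(issuances, reg, now) + 1 > RATE_LIMIT:
            over.append(reg)
    return over


def issue_sequence(log, requests, now):
    # Attempt each request in order; successful ones are appended to the log.
    # Returns one True/False per request.
    outcomes = []
    for sans in requests:
        if would_exceed(log, sans, now):
            outcomes.append(False)
        else:
            log.append((now, list(sans), False))
            outcomes.append(True)
    return outcomes


# Constructed sample data mirroring the thread: day 0 issuance, then more six days later.
DAY0 = datetime(2016, 1, 4)
LATER = DAY0 + timedelta(days=6)
FOUR = ["example.com", "www.example.com", "abc.example.com", "def.example.com"]
SIX = FOUR + ["123.example.com", "456.example.com"]


def scenario_single_cert():
    # One 4-SAN cert, then one 6-SAN cert: two certificates, well under the limit.
    log = [(DAY0, FOUR, False)]
    return issue_sequence(log, [SIX], LATER)


def scenario_separate_certs():
    # Four single-name certs, then two more single-name certs: the sixth is refused.
    log = [(DAY0, [name], False) for name in FOUR]
    return issue_sequence(log, [["123.example.com"], ["456.example.com"]], LATER)


def revocation_does_not_reset():
    # A revoked certificate still counts against the registered domain.
    log = [(DAY0, FOUR, True)]
    return certs_in_window(log, "example.com", LATER)


if __name__ == "__main__":
    print("single cert plan:", scenario_single_cert())        # [True]
    print("separate certs plan:", scenario_separate_certs())  # [True, False]
    print("count after revocation:", revocation_does_not_reset())  # 1
```

The two scenario functions encode the two readings of the question discussed in the thread: consolidating names into one certificate leaves plenty of headroom, while per-name certificates burn through the weekly allowance.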

No, he won't. He would still only have two issued certificates, way below the limit of 5 per domain per week.

I guess it comes down to the reading of the question.

If that is 2 single certificates, I agree with you, you don’t hit the rate limit.

If that were 4 separate certificates … and then asking for 2 more separate ones, it will be over the limit.

Well, he said: “(…) I have issued a certificate (…)”, so I’m going with that :neutral_face:

“a” implies singular, I agree :slight_smile:

This is a weird one, noting the limitations given.
I.e. no wildcards.
www. is optional these days but breaks certs.

  • can point to all subdomains, which most hosts allow (for free), but this isn't implemented (and should be).
    As far as I know, v3 multi-site requests pop a 500 error if correctly implemented according to the SSL spec for SANs (alternate names). I know because I've tried.

www doesn’t break certificates if you have gotten one that covers www; if you haven’t, then you shouldn’t be answering requests for www over HTTPS at all, and if you are but you didn’t get that cert then, frankly, that’s your fault.

It’s easy enough to cover it though:
./letsencrypt certonly --domains example.com,www.example.com

Now you have a cert that works just fine for both www and non-www, no breakage and no wildcard required.

Is there a distinction between doing -d example.com, www.example.com and -d example.com -d www.example.com?

I noticed on your reply that you used the first syntax. However, for all my issues, I’ve been using the second syntax. Which is the correct one to generate one certificate for multiple domains?

Hello @fjen,

From the help file:

  -d DOMAIN, --domains DOMAIN, --domain DOMAIN
                        Domain names to apply. For multiple domains you can
                        use multiple -d flags or enter a comma separated list
                        of domains as a parameter. (default: [])

So you can use both, no matter if you use:
-d example.com -d www.example.com

or (I don't know whether it is allowed but just in case, don't write spaces after the comma)
-d example.com,www.example.com
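To make the two `-d` syntaxes from the help text concrete, here is an added example (not certbot's or the letsencrypt client's own code) that builds an equivalent argparse option and normalizes whatever it receives. It also shows why a space after the comma is risky on the command line: the shell splits `-d example.com, www.example.com` into two words, so the second name never reaches the option at all. The parser and `normalize_domains` helper are hypothetical and only mirror the quoted help.

```python
import argparse


def build_parser() -> argparse.ArgumentParser:
    # Mirrors the quoted help: -d / --domains / --domain, repeatable, each value
    # possibly a comma-separated list.
    parser = argparse.ArgumentParser(prog="letsencrypt-demo")
    parser.add_argument(
        "-d", "--domains", "--domain",
        dest="domains", action="append", default=None, metavar="DOMAIN",
        help="Domain names to apply. Use multiple -d flags or a comma-separated list.",
    )
    return parser


def normalize_domains(raw_values):
    # Flatten repeated flags and comma lists, tolerate stray whitespace around names,
    # lower-case, drop empties, and de-duplicate while preserving order.
    seen = set()
    result = []
    for value in raw_values or []:
        for name in value.split(","):
            name = name.strip().lower().rstrip(".")
            if name and name not in seen:
                seen.add(name)
                result.append(name)
    return result


def parse_domains(argv):
    # Parse a list of command-line words and return the normalized domain list
    # plus any leftover words the option did not consume.
    args, leftovers = build_parser().parse_known_args(argv)
    return normalize_domains(args.domains), leftovers


if __name__ == "__main__":
    # Constructed command lines, as the shell would split them.
    print(parse_domains(["-d", "example.com", "-d", "www.example.com"]))
    print(parse_domains(["-d", "example.com,www.example.com"]))
    # A space after the comma: the shell hands "www.example.com" over as a separate word.
    print(parse_domains(["-d", "example.com,", "www.example.com"]))
```

The first two calls produce the same two-name list, which is the point of the reply above: both forms end up as one certificate request covering both names. The third call returns only example.com, with www.example.com left over as an unconsumed word, which is the failure mode the "no spaces after the comma" caveat warns about.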