Rate Limits when adding domains?

fjen · December 21, 2015, 5:52am

I'm quite confused on how rate limiting works when you are adding domains to an existing certificate?

Let's say I have issued a certificate today 4 domains

example.com
www.example.com
abc.example.com
def.example.com

Now, if I were to add two more domains next week:

123.example.com
456.example.com

how would rate limiting apply? When adding a domain to a certificate, aren't you essentially revoking and reissuing the previous 4 domains, then doing a certificate with 6 domains? Since the rate limit is only 5 certs/domain/week, I don't know how this will turn out.

serverco · December 21, 2015, 8:46am

Edited to reflect the discussion below

If you had a single certificate ( for example.com, www.example.com, abc.example.com, def.example.com) then that is one certificate

and if you then get a new certificate for all 6 ( example.com, www.example.com, abc.example.com, def.example.com, 123,example.com, 456.example.com) then that is a second certificate.

So you will have used 2 certificates ( of the 5 certs /domain/week).

If you got 4 separate certificates the first time, and then you requested 2 new separate certificates the second time (each just for the single subdomain). then you would have tried to get 6 certificates, and hit the rate limit.

Do you know what you want in advance though ? if so, it’s relatively easy to create a single certificate for all your subdomains ( up to 100).

revoking a certificate does not remove it from the rate limit. The rate limit is still 5 certs/domain/week.

Osiris · December 21, 2015, 9:57am

No, he won't. He would still only have two issued certificates, way below the limit of 5 per domain per week.

serverco · December 21, 2015, 9:59am

I guess it comes down to the reading of the question.

If that is 2 single certificates, I agree with you, you don’t hit the rate limit.

If that were 4 separate certificates … and then asking for 2 more separate ones, it will be over the limit.

Osiris · December 21, 2015, 10:03am

Well, he said: “(…) I have issued a certificate (…)”, so I’m going with that

serverco · December 21, 2015, 10:05am

“a” implies singular, I agree

frazzledjazz · December 22, 2015, 8:14pm

this is a weird one noting the limitations given.
IE no wildcards.
www. is optional these days but breaks certs.

can point to all subdomains, which most hosts allow(for free) but this isnt implemented(and should be)
as far as I know v3 multi-site requests pop a 500 error if correctly implemented according to ssl spec for SANs(alternate names). I know because Ive tried.

Kromey · December 22, 2015, 10:55pm

www doesn’t break certificates if you have gotten one that covers www; if you haven’t, then you shouldn’t be answering requests for www over HTTPS at all, and if you are but you didn’t get that cert then, frankly, that’s your fault.

It’s easy enough to cover it though:
./letsencrypt certonly --domains example.com,www.example.com

Now you have a cert that works just fine for both www and non-www, no breakage and no wildcard required.

fjen · December 23, 2015, 1:34am

Is the a distinction between doing -d example.com, www.example.com and -d example.com -d www.example.com?

I noticed on your reply that you used the first syntax. However, for all my issues, I’ve been using the second syntax. Which is the correct one to generate one certificate for multiple domains?

sahsanu · December 23, 2015, 5:30am

Hello @fjen,

From the help file:

  -d DOMAIN, --domains DOMAIN, --domain DOMAIN
                        Domain names to apply. For multiple domains you can
                        use multiple -d flags or enter a comma separated list
                        of domains as a parameter. (default: [])

So you can use both, no matter if you use:
-d example.com -d www.example.com

or (I don't know whether it is allowed but just in case, don't write spaces after the comma)
-d example.com,www.example.com

Cheers,
sahsanu