RateLimit Reached

Hello,

I have a question. I reached my rateLimit like 1 week ago and I tried some day ago to secure some websites. Its still not working and it says: RateLimit reached. Is there any chance to see how long I need to wait until I can secure new websites via plesk?

Also, thanks Lets encrypt to make this for free :smiley:

Hi @Lyvondria,

There are several rate limits described at

https://letsencrypt.org/docs/rate-limits/

If you search on https://crt.sh/ you can see which certificates have been issued (assuming you’re reaching the certificates per registered domain limit and not some other rate limit).

There is also a script

that can calculate for you (based on the crt.sh data) when the rate limit will be cleared.

Okey, I can see my last Certifacated was on 2017-05-17. So my next try can be on 2017-05-22? Its the 2017-05-22 but I cant do it right now. I thought its 5 days and not 7 days. Every monday it will reset, right?

It depends on which rate limit you hit. However, both the certificates per registered domain and duplicate certificate limits are calculated on the basis of a 7-day period (and not reset on Mondays). So you would have to wait 7 days (168 hours) past the issuance of the oldest certificate that factors into the rate limit calculation. (This is the “sliding window” method mentioned on that page.)

Ah okey. My domain is: wintex-sports.de can you check it for me real quick and tell me when I can try it next?

You can figure it out for yourself by searching on https://crt.sh/, finding the 20th certificate there, and adding 168 hours to its issuance (notBefore) time.

I did this and (if I counted them correctly) the certificates per registered domain rate limit will allow you to issue one certificate starting at Mon May 22 21:54:00 UTC, which is about two hours from now. However, you will have to wait longer to issue more than one certificate, because of the sliding window.

It looks to me like all of these certificates relate to different parts of your own web site, run and managed by your own organization. A better way to avoid the rate limits in this case might be to issue one large SAN certificate that covers all of the wintex-sports.de subdomains that you’ll need. This counts as only one single certificate for all rate limit purposes and can cover up to 100 different subdomains.

Even if the web servers for these subdomains are running on different physical machines, you might be able to do this either via the 301 redirect to an authentication server method (described in many different forum threads) or using the DNS-01 challenge type (where you update DNS records via an API instead of having the certificate authority connect directly to your server for validation). You would then have to copy the certificate, intermediate certificate, and private key onto all of the servers that need to use them.

A better way to avoid the rate limits in this case might be to issue one large SAN certificate that covers all of the wintex-sports.de subdomains that you’ll need. This counts as only one single certificate for all rate limit purposes and can cover up to 100 different subdomains.

Okey thanks. And how can I do this? Im using Plesk to manage my domains. If I create a sub-domain, I have to click on “Lets Encrypt” and then on “Install” on every sub-domain I create. How can I do what you told me? o:

Oh, I didn’t realize you were using Plesk. I’m not very familiar with it. If these are several separate servers, Plesk might not be the best management option for getting Let’s Encrypt certificates for you because it may make it harder to combine certificates to avoid running into the rate limits.

Hm okey, np. Is there any chance to remove the RateLimit from my Domain? I didnt know there was a limit and I tried something and now some sub-domains dont have SSL on it :confused:

Sorry, there’s no way to do that. The CA developers have literally not built any tools or interfaces to do so.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.