rateLimited and revocation


#1

I have successfully revoked a certificate, but now I am not able to create a new one due to the rateLimited policy, as I am receiving the following error:

Error: rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: mydomain.tld

  1. How can I check which rate limit I have reached?
  2. When a revocation occurs, would you be able to increase the limit to be able to re-issue revoked certificates?
  3. By the way, I am trying to re-issue a subdomain.mydomain.tld certificate, but the error on the limit is on mydomain.tld: can I conclude we are limited if we want to issue more than 10 (I guess it is the current limit) certificates?

#2

Hi, the rateLimit is a system-wide parameter currently. It is not for a specific FQDN.
And this was already discussed in this forum.


#3

There are multiple parameters in the rate limit: a global one, an IP-based one, an account one and, as it seems, a domain-based one as well…

Also, revocation does not get your limits back, as the limits are made so the OCSP isn't overloaded…


#4

There are multiple parameters in the rate limit, so it would be better to display the reason for getting the rateLimited error.

After a revocation, a fair-use allowance to re-issue a revoked certificate would be very useful to avoid unsecured sites, as that is one goal of Let's Encrypt.


#5

Well, the rate limit (especially the global one) rather concerns their ability to sign OCSP responses, so revoked certs count towards that as well, as long as they live.


#6

I ran into this one as well while trying to automate things. It is currently not clear to me when I would be able to re-request my certificates.
I also had issues with the revocation process.


#7

I have the same issue. I use a custom client to get the certificates. I hit the rate limit of certificates issued for the TLD, although 9 out of the 10 issued have been revoked? Do I really need to wait for 60 days before I could get another cert? Is there a workaround? Can somebody help me get around the rate limit, as my hosting provider (Google App Engine) doesn't support 4096-bit RSA keys? It is fair to put rate limits in place to avoid abuse, but this has become a limiting factor, as the 60-day window simply makes the service unusable. A 24-hour sliding window may be more appropriate.
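Posts #3, #5, #6 and #7 together describe a per-registered-domain sliding window in which revoked certificates still count, and the recurring question is "when can I issue again?". The following is an added example (not code from this thread, from Let's Encrypt, or from any ACME client) showing how a custom client could answer that from its own issuance log: it parses the domain out of the rateLimited error quoted in #1, groups past issuances by registered domain, and reports the earliest time the window will have slid far enough for one more certificate. The limit of 10 and the 60-day window are the values guessed at in this thread, not confirmed policy; `registered_domain`, `issuance_status`, the sample records and the `NOW` timestamp are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed policy values: the thread guesses at them, so check the CA's
# published rate limits and adjust before relying on this.
CERTS_PER_DOMAIN = 10
WINDOW = timedelta(days=60)

# Matches the error text quoted in post #1.
RATE_LIMIT_RE = re.compile(
    r"rateLimited\s*::.*?Too many certificates already issued for:\s*"
    r"(?P<domain>[A-Za-z0-9.-]+)"
)


def parse_rate_limited(message):
    """Return the registered domain named in a rateLimited error, or None."""
    m = RATE_LIMIT_RE.search(message)
    return m.group("domain") if m else None


def registered_domain(fqdn):
    """Naive registered-domain extraction: the last two DNS labels (hypothetical helper).

    Good enough for mydomain.tld / subdomain.mydomain.tld; a real client should
    consult the Public Suffix List so that e.g. co.uk is handled correctly.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def issuance_status(records, fqdn, now, limit=CERTS_PER_DOMAIN, window=WINDOW,
                    count_revoked=True):
    """Count issuances for fqdn's registered domain inside the sliding window.

    records: iterable of (fqdn, issued_at: datetime, revoked: bool) taken from the
    client's own issuance log.  Revoked certificates are counted by default, which
    is what posts #3 and #5 say the CA does; pass count_revoked=False to see how
    much the answer would change if they were not.
    Returns (count_in_window, earliest time at which one more cert fits).
    """
    target = registered_domain(fqdn)
    in_window = sorted(
        issued_at
        for name, issued_at, revoked in records
        if registered_domain(name) == target
        and now - window < issued_at <= now
        and (count_revoked or not revoked)
    )
    if len(in_window) < limit:
        return len(in_window), now
    # At the limit: the window has to slide past the oldest (len - limit + 1)
    # issuances before the count drops below the limit again.
    return len(in_window), in_window[len(in_window) - limit] + window


# Constructed sample log: ten certs for subdomains of mydomain.tld issued on
# 1..10 November, nine of them since revoked (the situation in post #7), one
# older cert that has already left the window, and one cert for another domain.
NOW = datetime(2015, 11, 20)
SAMPLE_RECORDS = [
    ("sub%d.mydomain.tld" % i, datetime(2015, 11, i), i != 10) for i in range(1, 11)
] + [
    ("old.mydomain.tld", datetime(2015, 9, 1), False),
    ("www.other.example", datetime(2015, 11, 15), False),
]

if __name__ == "__main__":
    error = ("Error: rateLimited :: There were too many requests of a given type :: "
             "Error creating new cert :: Too many certificates already issued for: mydomain.tld")
    domain = parse_rate_limited(error)
    count, when = issuance_status(SAMPLE_RECORDS, "subdomain." + domain, NOW)
    print("%s: %d certs in window, next slot %s" % (domain, count, when.isoformat()))
    count, when = issuance_status(SAMPLE_RECORDS, "subdomain." + domain, NOW,
                                  count_revoked=False)
    print("if revoked certs did not count: %d in window, next slot %s" % (count, when))
```

Run stand-alone, the script shows that with revoked certificates counted the domain is at the limit until 31 December (60 days after the oldest in-window issuance), whereas it would be free to issue immediately if revocation gave the slot back. A client can call `issuance_status` before attempting an order and sleep until the returned time instead of retrying blindly against the production CA.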


#8

Maybe this is something that should be worked into the documentation?

Any client (mode) that doesn't automatically configure services for TLS should suggest using the test CA first, and only switch to the production CA once the configuration has been completed and verified by the user. Depending on the final rate limits when Let's Encrypt hits GA, one could run into them quite quickly during initial setup, where you'd often operate in trial-and-error mode (well, me at least ;-)).