My domain is: gdghanoiadmin.io.vn
I ran this command: sudo certbot --apache
It produced this output: Error creating new order :: too many certificates already issued for "io.vn". Retry after 2023-06-18T02:00:00Z: see Rate Limits - Let's Encrypt
My web server is (include version): ubuntu 18.04
The operating system my web server runs on is (include version): ubuntu 18.04
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
This error is because io.vn is a root domain shared by many. By default, there are only 50 certs for any registered domain name in a week. The link in the error message explains more details.
The owner of io.vn could apply for an increase. See below page
Your options are to get a dedicated domain name. Or, just retry the request and hope you get one of the 50. This is not the best because the certs only last 90 days so you must hope to get one frequently. You could also get a cert from a different (free) Certificate Authority.
And, here is just a small sample of the certs for this domain to show how often it is used
io.vn is sharing subdomains with a lot of different users, the owner should request io.vn being added to the public suffix list for security reasons (mainly cookie stuff, but also others I believe). As a side effect, this would also make issuing certs by LE easier.
Never mind, it's already on the PSL, maybe just recently and Boulder needs an update.
Good point about PSL. Yes, looks like io.vn was added just 4 days ago on Jun 13.
So, just need to wait for Let's Encrypt Boulder update (or use different CA in the meantime)
Found that PR too
I believe Boulder currently has an automated something in place to semi-automatically update the Go package used for the PSL. However, it still depends on releases of that specific third-party Go package, which might not be automated.
So OP just needs to wait or try frequently and get lucky. Or indeed use e.g. ZeroSSL or ssl.com.
So I have no other way to get a certificate for my domain?
Once Let's Encrypt Boulder is updated with latest PSL updates you should be fine.
In the meantime ...
Below is a list of several ACME-capable CAs
Hm, looking at Actions · letsencrypt/boulder · GitHub the PSL hasn't been updated for more than half a year already. At least not using that GitHub Action.
I see Dependabot nowadays takes care of the PSL, at least back in March: build(deps): Bump github.com/weppos/publicsuffix-go from 0.20.1-0.20221209102050-40d9c30084b3 to 0.30.0 by dependabot[bot] · Pull Request #6708 · letsencrypt/boulder · GitHub
io.vn domain is already present in the current Go package which Boulder is using: PSL auto-update by github-actions[bot] · Pull Request #921 · weppos/publicsuffix-go · GitHub (3 days ago).
However, I'm not sure the weppos/publicsuffix-go package is "releasing" frequently. I believe previously the package was imported using either commits or dates or something, not with git tags? Does Dependabot even work for the PSL updates?
I'd ask @lestaff, but Discourse says "[I] cannot mention group @lestaff", so tagging @jsha instead, sorry about that, not sure who to tag for Boulder related development questions
I have been seeing similar inquiries in the Cloudflare Community for three new vn public SLDs. They began shortly before the PSL update and now it appears to be waiting for everything else to pick it up.
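
Added example, not part of the original thread and not Boulder's code: a sketch of Public Suffix List matching that shows why every io.vn subdomain shares one rate-limit bucket until the CA's copy of the PSL contains the io.vn rule. The rule sets and the tenant hostnames are constructed; only gdghanoiadmin.io.vn and the 50-per-week figure come from the thread.

```python
from collections import Counter

# Constructed subsets of the Public Suffix List, not the real file.
PSL_BEFORE = {"vn"}
PSL_AFTER = PSL_BEFORE | {"io.vn"}  # the rule the thread says was just added
LIMIT_PER_WEEK = 50  # certificates per registered domain, as quoted in the thread

def public_suffix(host, rules):
    """Longest matching public suffix: plain, wildcard (*.x) and exception (!x) rules."""
    labels = host.lower().rstrip(".").split(".")
    best = labels[-1:]  # implicit default rule "*": the last label alone
    for i in range(len(labels)):
        candidate = labels[i:]
        name = ".".join(candidate)
        if "!" + name in rules:  # exception rule wins: suffix is one label shorter
            return ".".join(candidate[1:])
        wildcard = "*." + ".".join(candidate[1:]) if len(candidate) > 1 else None
        if (name in rules or wildcard in rules) and len(candidate) > len(best):
            best = candidate
    return ".".join(best)

def registered_domain(host, rules):
    """Public suffix plus one label; None if the host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = len(public_suffix(host, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])

def rate_limit_buckets(issued_hosts, rules):
    """Count issued certificates per registered domain (the rate-limit key)."""
    return Counter(registered_domain(h, rules) for h in issued_hosts)

def blocked(issued_hosts, new_host, rules):
    """True if new_host's bucket has already used the weekly allowance."""
    bucket = registered_domain(new_host, rules)
    return rate_limit_buckets(issued_hosts, rules)[bucket] >= LIMIT_PER_WEEK

# Constructed sample: 50 unrelated tenants under io.vn got certificates this week.
ISSUED = [f"tenant{i}.io.vn" for i in range(50)]

if __name__ == "__main__":
    host = "gdghanoiadmin.io.vn"
    for label, rules in (("before PSL update", PSL_BEFORE), ("after PSL update", PSL_AFTER)):
        print(label, registered_domain(host, rules), "blocked:", blocked(ISSUED, host, rules))
```

With the old rule set the request is counted against io.vn and refused; with the io.vn rule present, the same hostname is its own registered domain with an empty bucket.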