Register cert for new domain

My domain is: gdghanoiadmin.io.vn

I ran this command: sudo certbot --apache

It produced this output: Error creating new order :: too many certificates already issued for "io.vn". Retry after 2023-06-18T02:00:00Z: see Rate Limits - Let's Encrypt

My web server is (include version): ubuntu 18.04

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Welcome @namlxcntt

This error is because io.vn is a root domain shared by many. By default, there are only 50 certs for any registered domain name in a week. The link in the error message explains more details.

The owner of io.vn could apply for an increase. See the page below.

Your options are to get a dedicated domain name. Or, just retry the request and hope you get one of the 50. This is not the best because the certs only last 90 days so you must hope to get one frequently. You could also get a cert from a different (free) Certificate Authority.

And, here is just a small sample of the certs for this domain to show how often it is used

4 Likes

If io.vn is sharing subdomains with a lot of different users, the owner should request that io.vn be added to the public suffix list for security reasons (mainly cookie stuff, but also others I believe). As a side effect, this would also make issuing certs by LE easier.

Never mind, it's already on the PSL, maybe just recently and Boulder needs an update.

5 Likes

Good point about PSL. Yes, looks like io.vn was added just 4 days ago on Jun 13.

So, just need to wait for the Let's Encrypt Boulder update (or use a different CA in the meantime).

5 Likes
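
An added illustration (not part of the thread, and not Boulder's code) of why the PSL entry matters for the limit discussed above: the registered domain is the public suffix plus one label, so until `io.vn` is a listed suffix every subdomain owner under it counts against the same 50-per-week bucket. The rule sets are constructed excerpts, all names except `gdghanoiadmin.io.vn` are constructed, and `registeredDomain` and `buckets` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed excerpts of the PSL, not the real list: the state before and
// after the "io.vn" entry this thread discusses was added.
var pslBefore = map[string]bool{"vn": true, "com.vn": true}
var pslAfter = map[string]bool{"vn": true, "com.vn": true, "io.vn": true}

// registeredDomain returns the public suffix plus one label (eTLD+1), the unit
// the thread's per-domain limit is counted against. It handles exact and
// "*." wildcard rules; "!" exception rules are left out for brevity.
func registeredDomain(name string, psl map[string]bool) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
	cut := len(labels) - 1  // implicit "*" rule: the last label is a suffix
	for i := range labels { // longest candidate first, so the first hit wins
		parent := strings.Join(labels[i+1:], ".")
		if psl[strings.Join(labels[i:], ".")] || (parent != "" && psl["*."+parent]) {
			cut = i
			break
		}
	}
	if cut == 0 {
		return "" // the name is itself a public suffix
	}
	return strings.Join(labels[cut-1:], ".")
}

// buckets counts how many names fall under each registered domain.
func buckets(names []string, psl map[string]bool) map[string]int {
	out := map[string]int{}
	for _, n := range names {
		out[registeredDomain(n, psl)]++
	}
	return out
}

func main() {
	// Constructed names; only gdghanoiadmin.io.vn comes from the thread.
	names := []string{"gdghanoiadmin.io.vn", "www.shop-a.io.vn", "blog.io.vn"}
	fmt.Println(buckets(names, pslBefore)) // every name shares one bucket
	fmt.Println(buckets(names, pslAfter))  // one bucket per subdomain owner
}
```
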

Found that PR too :grin:

I believe Boulder currently has an automated something in place to semi-automatically update the Go package used for the PSL. However, it still depends on releases of that specific third party Go package, which might not be automated.

So OP just needs to wait or try frequently and get lucky. Or indeed use e.g. ZeroSSL or ssl.com.

4 Likes

So I have no other way to get a certificate for my domain?

Once Let's Encrypt Boulder is updated with the latest PSL updates you should be fine.

In the meantime ...

Below is a list of several ACME-capable CAs

5 Likes

Hm, looking at Actions · letsencrypt/boulder · GitHub the PSL hasn't been updated for more than half a year already. At least not using that GitHub Action.. :roll_eyes:

I see Dependabot nowadays takes care of the PSL, at least back in March: build(deps): Bump github.com/weppos/publicsuffix-go from 0.20.1-0.20221209102050-40d9c30084b3 to 0.30.0 by dependabot[bot] · Pull Request #6708 · letsencrypt/boulder · GitHub

Meanwhile the io.vn domain is already present in the current Go package which Boulder is using: PSL auto-update by github-actions[bot] · Pull Request #921 · weppos/publicsuffix-go · GitHub (3 days ago).

However, I'm not sure the weppos/publicsuffix-go package is "releasing" frequently. I believe previously the package was imported using either commits or dates or something, not with git tags? Does Dependabot even work for the PSL updates?

I'd ask @lestaff, but Discourse says "[I] cannot mention group @lestaff", so tagging @jsha instead, sorry about that, not sure who to tag for Boulder related development questions :slight_smile:

6 Likes

I have been seeing similar inquiries in the Cloudflare Community for three new vn public SLDs. They began shortly before the PSL update and now it appears to be waiting for everything else to pick it up.

4 Likes

OK, Update Public Suffix List by mcpherrinm · Pull Request #6957 · letsencrypt/boulder · GitHub

That should be in production within the week, though of course there's no guarantee.

7 Likes
