Domain is: ravendb.cloud. I have a question about Let's Debug, renewals and the DEBUG section. I looked for the answer, but they were either partial or without an answer at all.
From docs:
"Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit."
Yet on the Let's Debug test result page I see at least a few of our domains under the "Certificates contributing to rate limits for this domain" section. Some of those domains are renewals.
So is the Let's Debug page buggy with showing renewals in the "rate limits for this domain" section?
Or do renewals actually count into that rate limit?
Hi @gregolsky and welcome to the LE community forum
That answer has to be "no".
Difficult to say what is actually going on there without a domain to check it with.
You showed:
But I can't find anything wrong with it at Let's Debug. letsdebug-toolkit
That said, I do see a boatload of issued wildcard subdomain certs: crt.sh | ravendb.cloud
That said, I don't have any way of knowing which of those are renewals.
Is there an actual error message shown in the logs?
Or can you show the LD page that shows the issue?
Hi, we got rate limited a few times and we're wondering if the entries we see on Let's Debug are valid and if renewals count toward the limits.
You said renewals do not count toward that, so that means either Let's Debug shows wrong info or we have renewals that are not actually renewals? Yet if it's a certificate request with the same domain as last time, then that must be a renewal, no? Also, if you need an example, the one having 'sop' in the name is a renewal for sure.
Thanks, I can confirm those in question had the same SANs every time a new cert was requested.
Example: if you look for 'sop' on crt.sh showing certs for our domain and then use crt.sh just on that sop something subdomain, you'll see that this is a renewal.
I cannot describe it concisely, but how Let's Debug appears to work is that it counts each cert with a unique name just once, regardless of how many times it was issued in the past week (or ever). So you get 50 unique issuances per registered domain each week (by default).
But, each (second and subsequent) issuance of the same names is a duplicate and counts against the 5/week duplicate limit.
But, as @gregolsky notes, perhaps Let's Debug info is wrong. And I could be too; I am not the developer. But if I had to bet today, this is how I would bet.
Update: Italicized and parenthesized text added in hopes of making my point clearer.
Yes, there's a problem with Let's Debug's cert-search for domains that have more than 10,000 certificates. At the time I wrote the query, I couldn't identify a database index that would let me cheaply pre-filter only unexpired certificates, and I had to balance that with really wanting to avoid being an undue burden on the crt.sh public Postgres interface. So domains with a high certificate count get wrong results unfortunately.
It looks like Rob Stradling may have changed/added some things in the meantime, so it's quite possible I can rewrite the query to be accurate without being abusive. But I don't know when I will find the time to do that.
IIRC, for an order to be considered a renewal it needs to have the same set of domains, like the duplicate certificate rate limit. A partial match doesn't apply.
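The accounting described in the two posts above (each unique SAN set counted once per week against the per-registered-domain limit, every re-issuance of the same SAN set counted against the duplicate limit, and "renewal" meaning an exact SAN-set match with no partial matching) can be made concrete with a small model. The code below is an added example written for this page; it is not Let's Debug's or Let's Encrypt's code. It assumes the 50/week and 5/week figures quoted in the thread, and the issuance list it runs on is constructed sample data, not real crt.sh output.

```python
"""Model of the rate-limit accounting as described in the thread (added example).

Assumptions (from the posts above, not from any official source):
  * 50 new certificates per registered domain per week; renewals don't count.
  * 5 certificates per week with exactly the same SAN set (duplicate limit);
    renewals DO count here, since a renewal is by definition a duplicate.
  * A renewal is an exact SAN-set match with an earlier cert; partial overlap
    (subset/superset of names) is a brand-new certificate.
"""
from collections import Counter
from datetime import datetime, timedelta

WEEK = timedelta(days=7)
CERTS_PER_REGISTERED_DOMAIN = 50  # per week; figure quoted in the thread
DUPLICATE_CERT_LIMIT = 5          # per week for one exact SAN set; figure quoted in the thread


def is_renewal(sans, earlier_issuances):
    """True if some earlier cert had exactly the same SAN set (order ignored)."""
    key = frozenset(sans)
    return any(frozenset(prev_sans) == key for _, prev_sans in earlier_issuances)


def rate_limit_report(issuances, now):
    """Split the last week's issuances into new certs and renewals.

    issuances: list of (datetime, list_of_sans) for one registered domain.
    Only new certs count toward the per-registered-domain limit; every
    issuance of a SAN set, renewal or not, is tallied for the duplicate limit.
    """
    ordered = sorted(issuances, key=lambda item: item[0])
    window_start = now - WEEK
    new_certs, renewals = 0, 0
    per_san_set = Counter()  # SAN set -> issuances inside the window
    for i, (ts, sans) in enumerate(ordered):
        if not window_start <= ts <= now:
            continue
        per_san_set[frozenset(sans)] += 1
        # "Earlier" means any cert issued before this one, even outside the window.
        if is_renewal(sans, ordered[:i]):
            renewals += 1
        else:
            new_certs += 1
    return {"new_certs": new_certs, "renewals": renewals, "per_san_set": per_san_set}


def blocking_limit(sans, issuances, now):
    """Name the limit a new order for `sans` would hit right now, or None."""
    report = rate_limit_report(issuances, now)
    if report["per_san_set"][frozenset(sans)] >= DUPLICATE_CERT_LIMIT:
        return "duplicate certificate limit"
    # An exact SAN-set match with any earlier cert is a renewal and is exempt
    # from the per-registered-domain limit; anything else is a new cert.
    if not is_renewal(sans, issuances) and report["new_certs"] >= CERTS_PER_REGISTERED_DOMAIN:
        return "certificates per registered domain limit"
    return None


# Constructed sample history for one registered domain (not real crt.sh data).
NOW = datetime(2024, 1, 15, 12, 0)
D = timedelta(days=1)
SAMPLE_ISSUANCES = [
    (NOW - 30 * D, ["sop.example.net"]),                   # outside the window; makes later ones renewals
    (NOW - 6 * D, ["sop.example.net"]),                    # renewal
    (NOW - 5 * D, ["sop.example.net"]),                    # renewal
    (NOW - 4 * D, ["sop.example.net"]),                    # renewal
    (NOW - 3 * D, ["sop.example.net"]),                    # renewal
    (NOW - 2 * D, ["sop.example.net"]),                    # renewal; 5th in the window -> duplicate limit reached
    (NOW - 1 * D, ["a.example.net", "b.example.net"]),     # new cert
    (NOW - 0.5 * D, ["a.example.net"]),                    # partial overlap only -> new cert, not a renewal
]

if __name__ == "__main__":
    report = rate_limit_report(SAMPLE_ISSUANCES, NOW)
    print(f"new certs this week: {report['new_certs']}, renewals: {report['renewals']}")
    for names in (["sop.example.net"], ["a.example.net", "b.example.net"], ["c.example.net"]):
        print(sorted(names), "->", blocking_limit(names, SAMPLE_ISSUANCES, NOW))
```

On the sample history the report shows 2 new certs and 5 renewals for the week: under the thread's description only the 2 would appear against the 50/week limit, while the sop subdomain, although every issuance was a renewal, has already used up its 5 duplicate slots and a sixth order for it would be refused. Changing the SAN set by a single name makes the order a new certificate again, which is exactly the "partial match doesn't apply" point from the last post.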