Renewals visible on Let's Debug.net

Domain is: ravendb.cloud. I have a question about Let's Debug, renewals and the DEBUG section. I looked for the answer, but the answers I found were either partial or not answers at all.

From docs:
"Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit."

Yet on the Let's Debug test result page I see at least a few of our domains in the "Certificates contributing to rate limits for this domain" section. Some of those domains are renewals.

So is the Let's Debug page buggy with showing renewals in the "rate limits for this domain" section?

Or do renewals actually count toward that rate limit?

2 Likes

Welcome to the Let's Encrypt Community, Grzegorz :slightly_smiling_face:

Let me ask the developer...

@_az

This one's for you.

2 Likes

Hi @gregolsky and welcome to the LE community forum :slight_smile:

That answer has to be "no".

Difficult to say what is actually going on there without a domain to check it with.
You showed:

But I can't find anything wrong with it at Let's Debug.
letsdebug-toolkit
That said, I do see a boatload of issued wildcard subdomain certs:
crt.sh | ravendb.cloud
That said, I don't have any way of knowing which of those are renewals. :frowning:

Is there an actual error message shown in the logs?
Or can you show the LD page that shows the issue?

1 Like

Hi, we got rate limited a few times and we're wondering if the entries we see on Let's Debug are valid and if renewals count toward the limits.

You said renewals do not count toward that, so does that mean either Let's Debug shows wrong info or we have renewals that are not actually renewals? Yet if it's a certificate request with the same domain as last time, then that must be a renewal, no? Also, if you need an example, the one with 'sop' in the name is a renewal for sure.

1 Like

Oh, I meant this Let's Debug: https://letsdebug.net/

1 Like

This may help clarify:

1 Like

Thanks, I can confirm those in question had the same SANs every time a new cert was requested.
Example: if you look for 'sop' on crt.sh showing certs for our domain and then use crt.sh just on that sop-something subdomain, you'll see that this is a renewal.

2 Likes

I cannot describe it concisely, but how Let's Debug appears to work is that it counts each cert with a unique name just once, regardless of how many times it was issued in the past week (or ever). So, you get 50 unique issuances per registered domain each week (by default).

But, each (second and subsequent) issuance of the same names is a duplicate and counts against the 5/week duplicate limit.

But, as @gregolsky notes, perhaps the Let's Debug info is wrong. And I could be too; I am not the developer. But if I had to bet today, this is how I would bet :slight_smile:

Update: Italicized and parenthesized text added in hopes of making my point clearer.

3 Likes

And you still aren't showing the error message or much more than you've already stated.

We all know what you meant.

It would save soo much time if you would just show the error.
We don't get $paid$ to do any of this.

2 Likes

Yes, there's a problem with Let's Debug's cert-search for domains that have more than 10,000 certificates. At the time I wrote the query, I couldn't identify a database index that would let me cheaply pre-filter only unexpired certificates, and I had to balance that with really wanting to avoid being an undue burden on the crt.sh public Postgres interface. So domains with a high certificate count get wrong results unfortunately.

It looks like Rob Stradling may have changed/added some things in the meantime, so it's quite possible I can rewrite the query to be accurate without being abusive. But I don't know when I will find the time to do that.

5 Likes

@rg305 Sorry, here's what I saw:

But some of the certs listed there under Verbose are in fact renewals, which can be confirmed using crt.sh.

Right now "Show verbose information" shows 57 certs and includes some certs renewed last night.

2 Likes

So does this mean the error message here is wrong?

2 Likes

Some of those domains are renewals.

IIRC, for an order to be considered a renewal it needs to have the same set of domains, like the duplicate certificate rate limit. A partial match doesn't apply.

1 Like
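As an added example (not code from this thread, Let's Debug or Let's Encrypt), the following Python applies the two rules discussed above: the counting model from the earlier reply (each unique SAN set counts once toward the 50/week per-registered-domain limit, second and subsequent issuances of the same set count toward the 5/week duplicate limit) and the exact-match renewal rule from the last reply (a partial overlap of names is a new cert, not a renewal). The limits are the ones quoted in the thread, the history is assumed to belong to a single registered domain, and the issuance data is constructed under example.com, not real ravendb.cloud data.

```python
from datetime import datetime, timedelta

# Limits as quoted in the thread (Let's Encrypt defaults at the time of the thread).
CERTS_PER_REGISTERED_DOMAIN = 50   # new (non-renewal) certs per week
DUPLICATES_PER_WEEK = 5            # certs with an identical SAN set per week
WINDOW = timedelta(days=7)


def normalise(names):
    """A cert's identity for rate-limit purposes is its exact set of SANs."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)


def is_renewal(history, names):
    """True only if an identical SAN set was issued before; a subset or superset is not a renewal."""
    return normalise(names) in {normalise(n) for _, n in history}


def rate_limit_status(history, now):
    """history: [(issued_at, [san, ...]), ...] for ONE registered domain (assumption).
    Counts, within the last week, first-ever issuances of a SAN set (toward the
    per-registered-domain limit) and repeat issuances (toward the duplicate limit)."""
    ordered = sorted(((t, normalise(n)) for t, n in history), key=lambda x: x[0])
    seen, new_in_window, dupes = set(), 0, {}
    for issued_at, san_set in ordered:
        in_window = now - issued_at < WINDOW
        if san_set in seen:                       # renewal: same exact SAN set as before
            if in_window:
                dupes[san_set] = dupes.get(san_set, 0) + 1
        else:                                     # first issuance of this SAN set
            seen.add(san_set)
            if in_window:
                new_in_window += 1
    label = lambda s: " ".join(sorted(s))
    return {
        "new_certs": new_in_window,
        "new_limit_hit": new_in_window >= CERTS_PER_REGISTERED_DOMAIN,
        "duplicates": {label(k): v for k, v in dupes.items()},
        "duplicate_limit_hit": [label(k) for k, v in dupes.items() if v >= DUPLICATES_PER_WEEK],
    }


NOW = datetime(2024, 1, 8, 12, 0)   # constructed reference time
SAMPLE = [                          # constructed issuance history, not real data
    (datetime(2023, 12, 1), ["*.sop.example.com", "sop.example.com"]),    # first issuance, outside window
    (datetime(2024, 1, 2), ["*.sop.example.com", "sop.example.com"]),     # renewal (duplicate)
    (datetime(2024, 1, 7), ["sop.example.com", "*.sop.example.com"]),     # renewal, name order differs
    (datetime(2024, 1, 6), ["*.other.example.com"]),                      # new cert
    (datetime(2024, 1, 7), ["*.other.example.com", "extra.example.com"]), # superset: new cert, not a renewal
]

if __name__ == "__main__":
    print(rate_limit_status(SAMPLE, NOW))
```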
