Renewals count against domains?


#1

We use Letsencrypt on a bunch of subdomains at my workplace and it seems that we have crossed a threshold where renewals are preventing us from being able to issue new certificates. We add far less than 1 new domain per week on average, however every time we need to we are blocked because we have already renewed 10+ pre-existing domains. Why do renewals count against me here? Is it possible to raise the limits for us so we don’t keep getting stuck in this odd state? Do the counters reset on a specific day so I can perform my renewals all right before that time to make sure we don’t lose the ability to deploy new domains?

[Also, letsencrypt is awesome and y’all are amazing] =)


#2

Hi @liquidgecka,

Something that can be counterintuitive is that renewals aren’t prevented by the rate limits, but they do count against them. Therefore, you need to perform new issuances before renewals in a given week. This allows you to continually increase the number of names covered by Let’s Encrypt certificates.

There was an attempt to eliminate this order dependency a couple of months ago, but I believe it was rolled back and the original behavior was restored.

The renewal counter uses a rolling 7-day period rather than resetting on a particular day. If you need to check the current rate limit status, a useful tool is lectl:


#3

sigh… that really sucks.

Right now if I have certificates renewing all at different times (assuming a linear distribution over time) it means that I will be limited to at most 128 certificates before it becomes impossible to add any new certificates because I will always be over the 10 limit based on renewals alone even before I get to the new certificate options.

Using the command line tools is it possible to force a renewal prior to its normal expiration? This way I could at least sync up all of the renewals to happen in the same window. Without that it becomes impossible to have more than something like 893 certificates because you can’t create a new certificate at the same exact date and therefore will always have to try before the sliding window starts again.

(for the math: renewal every 90 days == 1 renewal every 12.857 windows. 10 renewals per window == 128.5 total certs)
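An added example (not from any poster in this thread) that models the rolling 7-day counter described in #2 and the "always over the limit from renewals alone" situation in #3: it counts every issuance, renewals included, inside the trailing window, and goes one step further than the posts by computing the earliest moment a slot frees up, which is when the oldest in-window issuance ages out. The limit of 10 and the timestamps are constructed sample values, not Let's Encrypt's published figures.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)  # rolling 7-day period, as described in post #2


def issued_in_window(issuances, now, window=WINDOW):
    """Count every issuance (renewals included) inside the trailing window."""
    return sum(1 for t in issuances if now - window < t <= now)


def can_issue(issuances, now, limit, window=WINDOW):
    """True if one more issuance would still be under the per-window limit."""
    return issued_in_window(issuances, now, window) < limit


def next_slot(issuances, now, limit, window=WINDOW):
    """Earliest time (>= now) at which a new issuance fits under the limit.

    Nothing frees a slot except old issuances ageing out of the window, so
    the answer is the moment the k-th oldest in-window issuance leaves it,
    where k is how many must leave before the count drops below the limit.
    """
    in_win = sorted(t for t in issuances if now - window < t <= now)
    k = len(in_win) - limit + 1
    if k <= 0:
        return now
    return in_win[k - 1] + window


# Constructed sample: ten renewals spread over the last six days (the
# poster's scenario) plus three older ones that have already aged out.
NOW = datetime(2017, 3, 15, 12, 0)
SAMPLE = [NOW - timedelta(days=d, hours=h) for d, h in
          [(0, 3), (1, 1), (1, 9), (2, 5), (3, 2),
           (3, 14), (4, 6), (5, 1), (5, 20), (6, 4)]]
SAMPLE += [NOW - timedelta(days=d) for d in (9, 12, 30)]
LIMIT = 10  # assumed per-window limit for the example, as cited in post #3

if __name__ == "__main__":
    print("issued in last 7 days:", issued_in_window(SAMPLE, NOW))
    print("can issue now:", can_issue(SAMPLE, NOW, LIMIT))
    print("next free slot:", next_slot(SAMPLE, NOW, LIMIT))
```

Feeding it the real issuance timestamps from your ACME client logs tells you whether to issue the new certificate first and schedule forced renewals after it, which is the ordering #2 recommends.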


#4

With Certbot you can use --force-renew. This applies to certbot renew (to force renewal of all certificates) and also to certbot certonly (to force renewal of an individual certificate).

I don’t remember if you can use --cert-name to specify an individual certificate with certbot renew to prevent it from trying to renew everything. @erica, did you happen to add that feature in work related to the aftermath of the CMIP project?

A kind of ugly hack would be to change renew_before_expiry in all “old” certs to a value equal to or greater than the cert lifetime, which causes certbot renew to want to renew that particular cert whenever it’s run, but not to change this in “new” certs. Then you can run certbot renew at a controlled time—perhaps not every day—to cause all “old” certs to be renewed at once.


#5

Yes, --cert-name can be used with renew.

If any of the subdomains can share a certificate, this would help with the rate limiting.

