SAN certificate with dns-cloudflare

The other way to do it is to use a fresh ACME account every time.

How can I do it?

If everybody was doing that, Let's Encrypt's systems would have their load increased a LOT. IMO that's not something you should do.

Well, ok, I agree, but in the current situation, as I can see, there is no difference between manual renewing and automatic. I think the error will appear in both.

It's not a long term solution, but certbot unregister before creating/renewing a certificate would do it. But remember:

You can create a maximum of 10 Accounts per IP Address per 3 hours

4 Likes

Yes, you are right. Not a long-term solution.
If I unregister the account, will the current certificates still be active or not?

Will wait for an answer from CF, but as I see it the only solution is to divide the SAN certificate into two with a smaller number of names. It makes my project harder, but it may be the only solution.
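
The two workarounds discussed in the posts above (a `certbot unregister` / re-register cycle, bounded by the quoted limit of 10 accounts per IP per 3 hours, and splitting one large SAN certificate into several smaller ones) can both be planned with a small script. The following is an added example, not code from the thread or from certbot: the registration log is something you have to keep yourself (Let's Encrypt does not expose it), the per-certificate cap, the credentials path and the propagation delay are assumptions, and the host names are constructed sample input. The `--dns-cloudflare-*` flags and `--cert-name` are certbot's real options.

```python
"""Added example (not from the thread): plan the two workarounds discussed.

1. account_creations_allowed(): how many new ACME accounts may still be
   created from this IP, given the "10 accounts per IP per 3 hours" limit
   quoted in the thread and a log of your own earlier registrations.
2. split_san() / certbot_commands(): split a large SAN list into several
   smaller certificates and build one certbot dns-cloudflare command each.
"""
from datetime import datetime, timedelta, timezone
import shlex

ACCOUNT_LIMIT = 10                   # quoted in the thread
ACCOUNT_WINDOW = timedelta(hours=3)  # quoted in the thread


def account_creations_allowed(past_registrations, now):
    """Return the remaining account-creation budget for this IP.

    past_registrations: datetimes of earlier registrations from this IP
    (assumption: you log these yourself, e.g. every time you run
    `certbot register`). Only entries inside the 3-hour window count.
    """
    window_start = now - ACCOUNT_WINDOW
    recent = [t for t in past_registrations if t > window_start]
    return max(0, ACCOUNT_LIMIT - len(recent))


def split_san(names, max_per_cert, base_name):
    """Split `names` into groups of at most `max_per_cert` names.

    Names are lower-cased, stripped and de-duplicated while keeping order,
    so every host ends up in exactly one certificate. Returns a list of
    (cert_name, [names]) pairs named base_name-1, base_name-2, ...
    (Let's Encrypt's own per-certificate cap is 100 names; the thread's
    problem is the DNS side, so a much smaller cap is the point here.)
    """
    if max_per_cert < 1:
        raise ValueError("max_per_cert must be >= 1")
    unique = list(dict.fromkeys(n.strip().lower() for n in names))
    groups = []
    for i in range(0, len(unique), max_per_cert):
        chunk = unique[i:i + max_per_cert]
        groups.append((f"{base_name}-{len(groups) + 1}", chunk))
    return groups


def cert_for(groups, name):
    """Return the cert_name whose group contains `name`, or None.

    Each StrongSwan server must be given the certificate that carries its
    own host name, so this lookup is what the deployment step needs.
    """
    name = name.strip().lower()
    for cert_name, chunk in groups:
        if name in chunk:
            return cert_name
    return None


def certbot_commands(groups,
                     credentials="/etc/letsencrypt/cloudflare.ini",  # assumption
                     propagation_seconds=60):                        # assumption
    """Build one `certbot certonly --dns-cloudflare` command per group."""
    cmds = []
    for cert_name, chunk in groups:
        parts = ["certbot", "certonly", "--dns-cloudflare",
                 "--dns-cloudflare-credentials", credentials,
                 "--dns-cloudflare-propagation-seconds", str(propagation_seconds),
                 "--cert-name", cert_name]
        for n in chunk:
            parts += ["-d", n]
        cmds.append(" ".join(shlex.quote(p) for p in parts))
    return cmds


# Constructed sample input (not real data from the thread).
SAMPLE_NOW = datetime(2023, 1, 1, 12, 0, tzinfo=timezone.utc)
# seven registrations in the last 70 minutes plus one four hours ago
SAMPLE_REGISTRATIONS = [SAMPLE_NOW - timedelta(minutes=10 * i) for i in range(1, 8)]
SAMPLE_REGISTRATIONS.append(SAMPLE_NOW - timedelta(hours=4))
SAMPLE_NAMES = (["gw1.vpn.hide.expert", "GW1.vpn.hide.expert "]
                + [f"gw{i}.vpn.hide.expert" for i in range(2, 7)])

if __name__ == "__main__":
    print("accounts left:", account_creations_allowed(SAMPLE_REGISTRATIONS, SAMPLE_NOW))
    plan = split_san(SAMPLE_NAMES, 3, "vpn")
    for cmd in certbot_commands(plan):
        print(cmd)
    print("gw5 goes to", cert_for(plan, "gw5.vpn.hide.expert"))
```

Splitting only reduces how many DNS TXT records each certbot run creates and validates at once; if the DNS provider throttles the API itself, lowering the cap per certificate and spacing the runs out is the lever, not creating fresh accounts.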

Deactivating your ACME account won't affect the status of any certificates. Also if you have any rate limit exemptions from Let's Encrypt, you shouldn't deactivate your account.

5 Likes

Without getting into any design details...
Have you tried using any other [free] CAs?

3 Likes

No. But I think it's not a problem of the CA.

Then, can we agree "the problem" is in the process [or design]?

3 Likes

What do you mean by design? Which one?
The design of how LE obtains certs? Maybe.
But IMHO it's a common problem of LE and DNS providers.

I'd say the "design" flaw is in:
DNS + firewall/IPS

Something is "blocking" when it should not be.

Negative.
That may be ["common"].
But LE is simply following the rules [per RFCs].
So... the issue seems to be with the DNS implementation [and likely their allowed access rates].

3 Likes

Agree!!!

Well then, "we're preaching to the choir".
The people that need to hear about this are the ones managing the DNS systems that may be causing this problem.

3 Likes

So it's time to think about creating an alternative platform ))) Why not!?

? ? ?

Have you tried raising an issue/concern with your DSP?

3 Likes

Sure. A ticket is already opened, but not answered yet. Will post the answer from CF here.

1 Like

why not use a wildcard like *.vpn.hide.expert ?

1 Like

I'm using this cert on Strongswan servers. Strongswan doesn't work with wildcard certs.

Why wouldn't you use a custom private CA for your IPsec certificates?

3 Likes

A custom CA is not working on Apple devices (iOS, macOS).
It can work if you add them by hand into the system. I haven't such ability.
My app has to work out of the box.

Thanks for indulging my question. While I have other questions about the architecture behind your strategy, I recognize that this really isn't the appropriate place for that conversation and I don't want to further distract from your efforts.

3 Likes

Answer from CF:

Hi

Thanks for contacting Cloudflare Support.

Our team is currently experiencing higher than normal demand for support services which is causing delayed response to our customers. Please accept our apologies for the delay as we work through these requests as soon as we can.

In the meantime, we suggest consulting the community. Many similar issues are regularly discussed in the Cloudflare Community, where you can receive rapid feedback.

Our Community is full of experts, Cloudflare employees, and customers helping one another resolve issues. Most customer posts received a reply within 24 hours.

And that's all.

Will try asking the CF community, why not.