We asked for (and got) and increase of the weekly certificates that we are generating for subdomains.
However, it doesn’t seem to take.
We generated about 20 of these so far, and we started getting 429 rate limits errors.
The error is:
Error creating new cert :: too many certificates already issued for: ravendb.net (429)
Rate limits are imposed on domain names - how many subdomains you use doesn’t matter.
See https://crt.sh/?q=%.ravendb.net for list of FQDNs that were successful.
That would have been my expectation as well, the rate limit really threw us off here, and that was the only thing that made sense. If this is indeed the case (any level) that would be wonderful once we sort out the rate limit issue.
I'll inquire with our operations team about this thread.
Edit: checking the entry it looks like this was a mistake on our end. It was added as dbs.local.ravendb.net when it should have been ravendb.net for this rate limit. I've let our operations team know, they will investigate.
If the rate limit exemption was for the "Certificates per registered domain" rate limit it would need to be added for "ravendb.net". It applies to the eTLD+1.
Another question, the raised limit is for the domain, right? It is not tied to a specific account key.
The reason I’m asking is that I don’t believe that there has been any key that I specified that would get the rate limit increase, so I assume that any request to the domain would enjoy the raised limit.
Is there a reason not to use an account ID in this case @ayende? In general we prefer to rate limit off of account if at all possible.
That said, this rate limit was not set for an account ID, only the domain name. As has been already stated, there was some internal confusion as to whether we could specify subdomains. The rate limit on certificates per name can only be set for a TLD+1, so this would need to be for ravendb.net, which, if you don’t control all of ravendb.net, will mean others could issue certs eating into that rate limit.
I’m controlling all of ravendb.net, so that is not an issue.
Here is the full story. I’m build a database that want to use HTTPS, but it is usually deployed inside local networks, without being able to expose them externally.
In order to save the trouble of the admin the trouble of managing certificates manually, we take that on ourselves.
The end user will start the challenge process, and then call to us with a request to reserve a particular subdomain on our end.
The is effectively the username for that particular user and is reserved just for them. Then they can place nodes (a.ayende, b.ayende, etc) under that.
The local server at the customer site then call to our website with the LE DNS details and let the local server know that.
The local server then complete the LE challenge and get the certificate.
The idea is that the certificate itself never hit our servers and is completely within the customer’s own network.
That means, of course, that each local server is going to be using its own key.
We could change things so the central server will handle the entire process and hand the certificate back to the user from the central location, but I would rather avoid it unless this is required.
As an aside, thank you for the quick responses. As you can imagine, this has been a spanner in the works for us and I really appreciate your support.
I have to say though that I’m not following what is going on. The rate limit was applied, I understand, but both x.y.dbs.local.ravendb.net and x-y.dbs.local.ravendb.net seem to have hit the rate limit.
Is there current a domain name pattern that I can use that will use the apply to the rate limit?
The rate limit was set as dbs.local.ravendb.net in the rate policy.
Boulder ignores this as it is expecting only a TLD+1.
What should be in the policy is ravendb.net.
At this point there is effectively no rate limit increase in place since Boulder ignored the unexpected entry with subdomains.
Okay, that make more sense. Is it possible to move the rate limit increase to “ravendb.net” and generate the nested domains as we want to?
I don’t have an issue with having the limit on a higher level.
Hi @ayende, that's exactly what @isk is working on They will provide an update once the rate limit for ravendb.net is in place, allowing issuance for the nested domains.
They will provide an update once the rate limit for