Good afternoon! We work through the platform https://tilda.cc/, which issues security certificates for websites. On Friday, we changed the IP addresses of some subdomains, about 50 of them, because the Tilda platform requested it. Then the security certificates stopped working. Since Friday, we've been resending them every day without success. What's the problem? We've followed all the possible instructions from the Tilda service, but nothing helps. What's the problem?
Tilda should reuse previously used certificates, but I suspect the engineering effort is not there. There's also an option for Tilda to apply for increased rate limits (see "Rate Limits - Let's Encrypt").
You got a single cert for a large number of domains about an hour ago. And, routine testing shows those domains are using this new cert. I did not check every name.
It looks like Tilda just took longer to complete all the steps.
Since Tilda is a managed service, there's very little you can do on your end if they run into Let's Encrypt's rate limits. Perhaps pester their support team to better manage certificates, or to request increased rate limits, as I mentioned in my previous post. Or switch to another service entirely.
The form to increase the rate limit is at the end of the rate limits documentation ("Rate Limits - Let's Encrypt"), although I'm not sure if it will be accepted given that your hosting provider is the one getting the certificates.
I think he can ask for a rate limit adjustment for the warpoint.ru domain as the owner of that domain.
Not sure why OP can't use the same wildcard for everything, though.
I have some familiarity with the Tilda service. I suspect that's their limitation — they support neither uploading of custom certificates, nor the use of DNS-01 challenge to get the wildcard themselves.
Why do you think this is a rate limit problem? A cert was issued yesterday morning with those domains. It is too bad the SSL Labs site has been down as it showed successful connects. (Update: SSL Labs is back up. My prior link to that shows an A grade for kolomna.warpoint.ru.)
From my own test server this morning I can also connect. Here's a partial from openssl commands
crt.sh often does not work reliably so here is a snip of recent cert results. Even looking at Dec30 issuance there isn't an obvious rate limit problem with 8 certs issued. They must have used different combinations of domain names to avoid the 5 identical certs per week limit.
If it's not a rate-limit issue, then I'm not sure what else it could be. In my experience Tilda requests certificates with SANs containing only www.[sub.domains.]example.com and [sub.domains.]example.com, which could easily run into limits. If my weak censys-fu is not completely wrong, there are already more than 50 certs for this domain in the last week.
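The rate-limit reasoning in the posts above can be checked mechanically. The following is an added example, not code from any participant, Tilda or Let's Encrypt: it counts certificates per registered domain and per exact set of names over one week. The limits of 50 and 5 are the figures quoted in this thread, the two-label registered-domain rule is a simplifying assumption, and the certificate list is constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=7)  # both limits quoted in the thread are per week


def registered_domain(name):
    # Assumption: registered domain = last two labels. A real check must use
    # the Public Suffix List, which the thread also brings up.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def window_usage(certs, now):
    """Count certs issued in the week before `now`, per registered domain
    and per exact set of names."""
    per_domain, per_set = Counter(), Counter()
    for issued, sans in certs:
        if not (now - WINDOW < issued <= now):
            continue
        names = frozenset(n.lower() for n in sans)
        per_set[names] += 1
        # A cert counts once against every registered domain it covers.
        for dom in {registered_domain(n) for n in names}:
            per_domain[dom] += 1
    return per_domain, per_set


def limits_reached(certs, now, domain_limit=50, identical_limit=5):
    """Return sorted (kind, subject, count) tuples for every limit reached."""
    per_domain, per_set = window_usage(certs, now)
    hits = [("registered-domain", d, n)
            for d, n in per_domain.items() if n >= domain_limit]
    hits += [("identical-set", ",".join(sorted(s)), n)
             for s, n in per_set.items() if n >= identical_limit]
    return sorted(hits)


def sample_certs(now):
    # Constructed data, not taken from crt.sh or Censys.
    certs = [(now - timedelta(hours=2 * i),
              [f"city{i}.example.com", f"www.city{i}.example.com"])
             for i in range(52)]  # one apex+www cert per subdomain
    certs += [(now - timedelta(days=1, minutes=i),
               ["shop.example.org", "www.shop.example.org"])
              for i in range(5)]  # same name set requested five times
    certs.append((now - timedelta(days=9), ["old.example.net"]))  # too old
    return certs
```

Varying the name combinations keeps the identical-set count low, but every apex+www certificate still counts against the shared registered domain.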
Hmm. If that domain is a shared service, shouldn't it be on the Public Suffix List (PSL)? If not, then yes, it looks like it should complete a rate limit form as described earlier.
Looking just at chelny.warpoint.ru on censys for the past year I see some certs for just its apex and www subdomain but even more certs where it is just one of many domains in the cert. The most recent apex/www cert for that domain expired in Oct23 2025.
Definitely can be a problem if Tilda or the warpoint system needs that apex/www cert but at least with chelny this isn't a new problem. Nothing wrong with chelny itself (at least for certs) because it appears in a large cert issued Feb2.
Thank you all for your help! We solved the problem by switching our account to a different country, and the certificates started to be issued almost immediately, but we encountered a limit of 50 domains. Additionally, we tried to switch back to the previous country as an experiment, but it didn't work again. The issue lies with Tilda, as their data is not being transmitted or accepted properly on certain servers, and their technical support consists of clowns.
But, your cert request process has not been good for a long time. Below just covers back to last April. Frequently you were getting certs with just your main domain and its www. Normally you would renew a cert every 60 days but you got 8 certs from Apr thru Aug9 where you would normally just need 2.
Then the one from Aug31 expired Nov29. After that the certs for those two names were combined in a cert with a large number of names. Those should have been fine to use but also showed inconsistent renewal requests.
Your most recent cert looks like the ones you got during last summer.
All of these certs should have been fine to use for kolomna. There was never a period without a cert that included kolomna. I don't know what you mean by the "security certificates stopped working". More details about what the exact error is would be needed for us to say more. But, whatever is getting certs has been doing it poorly for a long time.