Subdomains certificates are limited by parent domain?


#1

Hello,

I've hit the rate limit for domain example.com. So I tried to issue a certificate for mydomain.example.com only, but I am still getting:

"type":"urn:acme:error:rateLimited",
"detail":"Error creating new cert :: Too many certificates already issued for: example.com",
"status":429

So this limit applies to the parent domain AND all subdomains together? Isn't it a bug?


#2

The rate limit applies to all sub domains. You can add up to 100 sub-domains on one cert though if needed.
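
The error from post #1 and the multi-name suggestion from post #2, as an added example that is not part of the original thread: it reads the rate-limit response, finds which parent domain was limited, and groups the pending hostnames under it into requests of at most 100 names. The function names are hypothetical, and the parsing assumes the `detail` text has the form shown in post #1.

```python
import json
import re

MAX_NAMES_PER_CERT = 100  # figure given in post #2

# Constructed sample: the error body from post #1, wrapped in braces.
SAMPLE_ERROR = """{
  "type": "urn:acme:error:rateLimited",
  "detail": "Error creating new cert :: Too many certificates already issued for: example.com",
  "status": 429
}"""


def rate_limited_domain(body):
    """Return the domain named in a rateLimited error body, or None."""
    try:
        problem = json.loads(body)
    except ValueError:
        return None
    if not isinstance(problem, dict):
        return None
    if not str(problem.get("type", "")).endswith(":rateLimited"):
        return None
    # Assumption: the domain follows "issued for: " as in post #1.
    match = re.search(r"issued for: (\S+)", str(problem.get("detail", "")))
    return match.group(1).lower().rstrip(".") if match else None


def covered_by(hostname, domain):
    """True if hostname is the limited domain itself or a subdomain of it."""
    host = hostname.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def plan_batches(hostnames, domain, max_names=MAX_NAMES_PER_CERT):
    """Group affected hostnames into multi-name certificate requests."""
    affected = sorted({h.lower().rstrip(".") for h in hostnames
                       if covered_by(h, domain)})
    return [affected[i:i + max_names]
            for i in range(0, len(affected), max_names)]


if __name__ == "__main__":
    limited = rate_limited_domain(SAMPLE_ERROR)
    pending = ["host%d.example.com" % n for n in range(250)]  # constructed
    for batch in plan_batches(pending, limited):
        print(len(batch), "names, first:", batch[0])
```
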


#3

Thanks! Is it a Beta-only thing? I can't find anything about it and this will make some proper usage disqualified…


#4

You can find information about rate limiting here:
https://community.letsencrypt.org/t/quick-start-guide/1631?source_topic_id=7148

As mentioned, you can have multiple sub domains for the same certificate. That helps quite a bit in most use cases.


#5

Ha, thanks! (services like .example.com are dependent on wildcard cert or unlimited subdomains certs and nothing seems possible right now)


#6

It's very much possible to generate one certificate with a heck of a lot of subdomains. What is not possible is to generate a heck of a lot of certificates with just one subdomain :wink:

Now, you’ll have to wait 7 days (or less if your first certificate was issued earlier) for the rate limit to be removed.


#7

The problem with the suggestion to add additional sub-domains to one certificate is that when the sub-domains are on separate servers they won’t validate.

Even with careful timing of certificate requests, it is only possible to keep 64 sub-domain certificates issued or renewed within a 90 day window. Some of us have the potential need for hundreds of sub-domains running on separate servers.


#8

Why? You can use the manual plugin. Or use something fancy such as SSHFS if you want some form of automation…


#9

A bit, yes. The rate limiting is quite strong in the beta. When LE finally gets stable they’ll change this limit.
More information here: https://community.letsencrypt.org/t/quick-start-guide/1631

BTW this issue here is also the reason why some dynamic DNS services may be problematic, but there are things the service providers can do to solve this. More information here: