I seem to be getting rate-limited by the top-level domain k12.sd.us. Perhaps k12.sd.us isn’t registered with Let’s Encrypt as a TLD? I have registered dozens of domains under k12.wi.us in the last couple of weeks, but this is the first one I have tried under k12.sd.us.
Dang. I’m not a DOE contact for SD, unfortunately. I work primarily with WI districts and have contacts in this state, but this SD district is a bit of an outlier for me. I’ll see what I can do about working with SD authorities to get themselves uncommented on that list.
Thank you so much for such a thorough, well-researched answer! I had no idea that Public Suffix List was a thing!
@mnordhoff nailed it. The problem is that an admin for the domain k12.sd.us had it removed from the Public Suffix List. The domains under k12.sd.us are each operated by individual organizations. For example, I’m not associated with Brandon Valley school district. There are dozens of districts that each manage their own domains, and will each be requesting their own LE certs. For now, I’ll try to get the folks who run k12.sd.us to relinquish their Public Suffix List exception.
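To make the mechanism in this thread concrete, here is an added example (not code from the thread, from Let’s Encrypt, or from the PSL project) that implements the published Public Suffix List matching algorithm over a constructed PSL excerpt. The excerpt mirrors the situation described above: `k12.wi.us` is a listed suffix, `k12.sd.us` is commented out. The district hostnames are constructed too. It shows why every district under k12.sd.us counts against one registered domain (`k12.sd.us`) for a per-registered-domain rate limit, while each district under k12.wi.us is its own registered domain, and what changes once the `k12.sd.us` rule is restored.

```python
"""Minimal Public Suffix List (PSL) resolver: which "registered domain" does a
hostname belong to?  Added example, not from the thread or from Let's Encrypt;
it implements the public PSL matching algorithm over a constructed rule excerpt.
"""

# Constructed excerpt in PSL syntax. "//" lines are comments, as in the real
# file. k12.sd.us is left commented out to mirror the thread; k12.wi.us is listed.
PSL_EXCERPT = """\
// ===BEGIN ICANN DOMAINS=== (constructed excerpt, not the real file)
us
sd.us
wi.us
// k12.sd.us   <- removed at the registry's request, so no longer a rule
k12.wi.us
// ===END ICANN DOMAINS===
"""


def parse_psl(text):
    """Parse PSL text into rules: (labels, is_exception). '!' marks an exception."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        rule = line.split()[0].lower()
        is_exception = rule.startswith("!")
        if is_exception:
            rule = rule[1:]
        rules.append((tuple(rule.split(".")), is_exception))
    return rules


def _labels(domain):
    return domain.lower().rstrip(".").split(".")


def public_suffix(domain, rules):
    """PSL algorithm: among matching rules the exception rule wins, otherwise the
    longest one; an exception then drops its leftmost label. With no match the
    implicit '*' rule applies, i.e. the rightmost label is the public suffix."""
    labels = _labels(domain)
    matches = []
    for rule_labels, is_exception in rules:
        if len(rule_labels) > len(labels):
            continue
        pairs = zip(reversed(rule_labels), reversed(labels))
        if all(r == "*" or r == d for r, d in pairs):
            matches.append((rule_labels, is_exception))
    if not matches:
        prevailing, is_exception = ("*",), False
    else:
        prevailing, is_exception = max(matches, key=lambda m: (m[1], len(m[0])))
    n = len(prevailing) - 1 if is_exception else len(prevailing)
    return ".".join(labels[-n:]) if n else ""


def registered_domain(domain, rules):
    """Public suffix plus one label; None if the name is itself a public suffix."""
    labels = _labels(domain)
    suffix = public_suffix(domain, rules)
    n = len(suffix.split(".")) if suffix else 0
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def count_by_registered_domain(hostnames, rules):
    """Group certificate hostnames the way a per-registered-domain limit would."""
    counts = {}
    for host in hostnames:
        key = registered_domain(host, rules)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed district hostnames, two per state.
    hosts = ["www.districta.k12.sd.us", "www.districtb.k12.sd.us",
             "www.districta.k12.wi.us", "www.districtb.k12.wi.us"]
    rules = parse_psl(PSL_EXCERPT)
    print(count_by_registered_domain(hosts, rules))
    # With the SD entry restored, each district becomes its own registered domain.
    rules_restored = parse_psl(PSL_EXCERPT + "k12.sd.us\n")
    print(count_by_registered_domain(hosts, rules_restored))
```

With the excerpt as written, both SD hostnames resolve to the single registered domain `k12.sd.us`, whereas the WI hostnames resolve to `districta.k12.wi.us` and `districtb.k12.wi.us`; appending a `k12.sd.us` rule flips the SD result to per-district domains. The resolver also handles the PSL's wildcard (`*.`) and exception (`!`) syntax, so it can be checked against real list entries, not just this excerpt.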
I guess there’s some tension between different people’s desire to declare “k12.sd.us is all one single entity for trust purposes” or “k12.sd.us is many different entities for trust purposes” (interestingly both related to digital certificates).
Let’s Encrypt wasn’t a thing when they requested to be removed from the PSL. I’m hoping the development of LE will be a reason for them to reconsider and hopefully reverse their policy.
We’ll see! I wonder if they’ll have to invalidate their wildcard cert if they get back on the PSL. If not, they can go back on the list and still take 2 years to figure out the technical ramifications before anything bites them.
It’s a good intuition not to paste any authentication-related data on public web sites, but the authentication token here turns out not to be particularly sensitive. It’s a short-lived one-time-use random number which would allow someone with access to post content on your web site to confirm your specific certificate request. It can’t be used for any other purpose and doesn’t allow access to your site’s secret key or to your Let’s Encrypt account. So I wouldn’t worry about it.