TLD seems to be rate-limited in error


#1

I seem to be getting rate-limited by the top-level domain k12.sd.us. Perhaps k12.sd.us isn’t registered with Let’s Encrypt as a TLD? I have registered dozens of domains under k12.wi.us in the last couple of weeks, but this is the first one I have tried under k12.sd.us.

My domain is: www.alcester-hudson.k12.sd.us

I ran this command: ./getssl www.alcester-hudson.k12.sd.us

It produced this output:
creating domain csr - /opt/getssl/www.alcester-hudson.k12.sd.us/www.alcester-hudson.k12.sd.us.csr
Registering account
Verify each domain
Verifying www.alcester-hudson.k12.sd.us
copying challenge token to ssh:cms2:/home/cms4schools.com/www/alcesterhudson/.well-known/acme-challenge/1CEWovor0Wcl4MNVa6rdrJ0zEWuVnl3eD9i6gGkw4aY
Creating directory /home/cms4schools.com/www/alcesterhudson/.well-known/acme-challenge on cms2
Pending
Verified www.alcester-hudson.k12.sd.us
Verifying alcester-hudson.k12.sd.us
copying challenge token to ssh:cms2:/home/cms4schools.com/www/alcesterhudson/.well-known/acme-challenge/RWdsTyv-G_sG6p8Pr2aIQJOnKMRTWQz5JDjdQCP_x44
Creating directory /home/cms4schools.com/www/alcesterhudson/.well-known/acme-challenge on cms2
Verified alcester-hudson.k12.sd.us
Verification completed, obtaining certificate.
getssl: Sign failed: “detail”: “Error creating new cert :: too many certificates already issued for: k12.sd.us: see https://letsencrypt.org/docs/rate-limits/”,

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Let’s Encrypt primarily relies on the Public Suffix List for this; someone from k12.sd.us asked for it to be removed from the list in 2013:

You’re in a bit of a pickle. Do you have good contacts with whatever DOE IT department runs k12.sd.us? (Now that I think of it, are you one of them?) It’s pretty much up to them to solve this.

They can:

If you can’t get the DOE officially on board, the Public Suffix List can’t do anything. I’m not sure if Let’s Encrypt would be willing to make an exception.


#3

Dang. I’m not a DOE contact for SD, unfortunately. I work primarily with WI districts and have contacts in this state, but this SD district is a bit of an outlier for me. I’ll see what I can do about working with SD authorities to get themselves uncommented on that list.

Thank you so much for such a thorough, well-researched answer! I had no idea that Public Suffix List was a thing!


#4

Hi @blurst_of_times

Looking there:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:true;domain:k12.sd.us;issuer_uid:4428624498008853827&lu=cert_search

You have 5 certificates with CN=lightspeed.brandonvalley.k12.sd.us from 2018-07-10 to 2018-07-11.

Normally, one certificate should be enough. 9 active certificates.

Is there a buggy client? Or is there more than one cronjob?
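The mechanism behind posts #2 and #4, as an added example that is not code from the original thread, from getssl, or from Let's Encrypt: a Public Suffix List lookup decides which "registered domain" a certificate counts against, so removing k12.sd.us from the list folds every district into one bucket. The PSL rule sets, the issuance list and the limit values below are constructed for the demo (the limits are the published Let's Encrypt weekly limits as of 2018, stated as assumptions).

```python
"""
Added example, not code from the original thread, from getssl, or from
Let's Encrypt. It implements the Public Suffix List lookup that decides
which "registered domain" a certificate counts against, then tallies a
constructed set of issuances the way a per-registered-domain rate limit
would. Rule sets, issuance list and limit values are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed rule sets in PSL syntax. The only difference is whether
# k12.sd.us is present, which is exactly the removal the thread discusses.
PSL_WITH_SD = ["us", "sd.us", "wi.us", "k12.sd.us", "k12.wi.us"]
PSL_WITHOUT_SD = ["us", "sd.us", "wi.us", "k12.wi.us"]

CERTS_PER_REGISTERED_DOMAIN = 50  # assumed: weekly limit per registered domain
DUPLICATE_CERTS_PER_WEEK = 5      # assumed: weekly limit for an identical name set


def _labels(hostname):
    return hostname.lower().rstrip(".").split(".")


def public_suffix(hostname, rules):
    """Public suffix per the PSL algorithm: the longest matching rule wins,
    '*' matches any single label, a '!' exception rule overrides the others
    and strips one label, and no match falls back to the final label."""
    labels = _labels(hostname)
    best = 1
    for rule in rules:
        exception = rule.startswith("!")
        r = rule.lstrip("!").split(".")
        if len(r) > len(labels):
            continue
        tail = labels[-len(r):]
        if all(rl == "*" or rl == hl for rl, hl in zip(r, tail)):
            if exception:
                best = len(r) - 1
                break
            best = max(best, len(r))
    return ".".join(labels[-best:])


def registered_domain(hostname, rules):
    """Public suffix plus one label; None when the host is itself a suffix."""
    labels = _labels(hostname)
    n = len(public_suffix(hostname, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


# Constructed issuance log (first subject name, notBefore). Not real CT data.
ISSUED = [
    ("lightspeed.brandonvalley.k12.sd.us", "2018-07-10"),
    ("lightspeed.brandonvalley.k12.sd.us", "2018-07-10"),
    ("lightspeed.brandonvalley.k12.sd.us", "2018-07-10"),
    ("lightspeed.brandonvalley.k12.sd.us", "2018-07-11"),
    ("lightspeed.brandonvalley.k12.sd.us", "2018-07-11"),
    ("www.alcester-hudson.k12.sd.us", "2018-07-12"),
    ("www.example.k12.wi.us", "2018-07-11"),
    ("old.brandonvalley.k12.sd.us", "2018-06-01"),  # outside the window
]
DEMO_NOW = datetime(2018, 7, 12)  # constructed "current time" for the window


def window_counts(issued, rules, now, days=7):
    """Certificates per registered domain and per exact name in the window."""
    cutoff = now - timedelta(days=days)
    by_domain, by_name = Counter(), Counter()
    for name, not_before in issued:
        if datetime.strptime(not_before, "%Y-%m-%d") < cutoff:
            continue
        by_domain[registered_domain(name, rules)] += 1
        by_name[name] += 1
    return by_domain, by_name


def limit_report(issued, rules, now):
    """Subjects that have reached a limit, as sorted (kind, subject, count)."""
    by_domain, by_name = window_counts(issued, rules, now)
    hits = [("registered-domain", d, c) for d, c in by_domain.items()
            if c >= CERTS_PER_REGISTERED_DOMAIN]
    hits += [("duplicate", n, c) for n, c in by_name.items()
             if c >= DUPLICATE_CERTS_PER_WEEK]
    return sorted(hits)


if __name__ == "__main__":
    for label, rules in (("k12.sd.us on PSL", PSL_WITH_SD),
                         ("k12.sd.us removed", PSL_WITHOUT_SD)):
        by_domain, _ = window_counts(ISSUED, rules, DEMO_NOW)
        print(label, dict(by_domain), limit_report(ISSUED, rules, DEMO_NOW))
```

Run stand-alone it prints the per-domain tallies twice: with k12.sd.us on the list each district is its own bucket, without it every district's certificate lands in the single k12.sd.us bucket, while the five identical lightspeed certificates trip the duplicate limit either way.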


#5

@mnordhoff nailed it. The problem is that an admin for the domain k12.sd.us had it removed from the Public Suffix List. The domains under k12.sd.us are each operated by individual organizations. For example, I’m not associated with Brandon Valley school district. There are dozens of districts that each manage their own domains, and will each be requesting their own LE certs. For now, I’ll try to get the folks who run k12.sd.us to relinquish their Public Suffix List exception.


#6

It’s interesting to see that the original reason that they got removed was in order to use wildcard certificates for k12.sd.us (from a different CA). One of those certificates is still valid:

https://crt.sh/?Identity=*.k12.sd.us

I guess there’s some tension between different people’s desire to declare “k12.sd.us is all one single entity for trust purposes” or “k12.sd.us is many different entities for trust purposes” (interestingly both related to digital certificates).


#7

Let’s Encrypt wasn’t a thing when they requested to be removed from the PSL. I’m hoping the development of LE will be a reason for them to reconsider and hopefully reverse their policy.

We’ll see! I wonder if they’ll have to invalidate their wildcard cert if they get back on the PSL. If not, they can go back on the list and still take 2 years to figure out the technical ramifications before anything bites them.


#8

I now realize I should have redacted the verification token from the command output in my original message. Would it be possible to have that information deleted from the post?


#9

It’s a good intuition not to paste any authentication-related data on public web sites, but the authentication token here turns out not to be particularly sensitive. It’s a short-lived one-time-use random number which would allow someone with access to post content on your web site to confirm your specific certificate request. It can’t be used for any other purpose and doesn’t allow access to your site’s secret key or to your Let’s Encrypt account. So I wouldn’t worry about it.
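What the challenge file actually has to contain, as an added example that is not part of the original thread or of getssl: under RFC 8555 section 8.1 the body served at /.well-known/acme-challenge/<token> is the token joined to the RFC 7638 thumbprint of the ACME account key. The token and the two account JWKs below are constructed placeholders (the moduli are not real RSA keys).

```python
"""
Added example, not code from the thread, from getssl or from Let's Encrypt.
It builds the HTTP-01 key authorization (RFC 8555 section 8.1) from a
token and the RFC 7638 thumbprint of an ACME account key, and shows the
CA-side comparison. Token and account keys are constructed placeholders.
"""
import base64
import hashlib
import json


def b64url(data):
    """Base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 of the required public members only, keys sorted,
    no whitespace. Extra members such as 'kid' or 'alg' never count."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """The exact body the CA expects at /.well-known/acme-challenge/<token>."""
    return token + "." + jwk_thumbprint(account_jwk)


def ca_validates(token, served_body, account_jwk):
    """The CA-side check: the fetched body must equal the key authorization
    for the account that created the order (trailing newline tolerated)."""
    return served_body.strip() == key_authorization(token, account_jwk)


# Constructed values: a token in the style of the one pasted in the thread
# and two fake account keys (placeholder moduli, not usable RSA keys).
TOKEN = "ExampleToken-0123456789abcdefghijklmnopqrstuvw"
ACCOUNT_A = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-A",
             "kid": "https://acme.example/acct/1"}
ACCOUNT_B = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-B"}


if __name__ == "__main__":
    body = key_authorization(TOKEN, ACCOUNT_A)
    print("serve this body:", body)
    print("token alone accepted?", ca_validates(TOKEN, TOKEN, ACCOUNT_A))
    print("other account's key?", ca_validates(TOKEN, body, ACCOUNT_B))
```

Every input here is public (the token is sent in the clear and the thumbprint is of the public half of the account key), so the file proves only that whoever placed it controls that web path, and the CA compares it against the one pending order it belongs to; nothing in it unlocks the account or the certificate's private key.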

