TLD seems to be rate-limited in error

I seem to be getting rate-limited by the top-level domain Perhaps isn’t registered with Let’s Encrypt as a TLD? I have registered dozens of domains under in the last couple of weeks, but this is the first one I have tried under

My domain is:

I ran this command: ./getssl

It produced this output:
creating domain csr - /opt/getssl/
Registering account
Verify each domain
copying challenge token to ssh:cms2:/home/
Creating directory /home/ on cms2
copying challenge token to ssh:cms2:/home/
Creating directory /home/ on cms2
Verification completed, obtaining certificate.
getssl: Sign failed: “detail”: “Error creating new cert :: too many certificates already issued for: see”,

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Let’s Encrypt primarily relies on the Public Suffix List for this; someone from asked for it to be removed from the list in 2013:

You’re in a bit of a pickle. Do you have good contacts with whatever DOE IT department runs (Now that I think of it, are you one of them?) It’s pretty much up to them to solve this.

They can:

If you can’t get the DOE officially on board, the Public Suffix List can’t do anything. I’m not sure if Let’s Encrypt would be willing to make an exception.

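The Public Suffix List dependency described in the reply above, as an added example that is not part of the original thread or of Let's Encrypt's own code: it derives the registered domain (public suffix plus one label) and counts certificate requests per registered domain with and without the shared suffix on the list. The suffix `k12.xx.example`, the district names and the limit of 3 are constructed placeholders; the matcher also handles wildcard and exception rules, which goes beyond the case in this thread.

```python
from collections import Counter

# Constructed rule sets in Public Suffix List syntax. "k12.xx.example" is a
# placeholder for the shared school-district suffix, not a real PSL entry.
PSL_WITH_SUFFIX = {"example", "xx.example", "k12.xx.example"}
PSL_WITHOUT_SUFFIX = {"example", "xx.example"}
LIMIT = 3  # constructed value for the demo, not the CA's real limit
# Constructed requests: five independent districts, one certificate each.
REQUESTS = [f"www.district{i}.k12.xx.example" for i in range(1, 6)]


def public_suffix_len(labels, rules):
    """Number of labels in the public suffix, per the PSL matching rules."""
    best = 1  # implicit "*" rule: an unlisted TLD is itself a public suffix
    for i in range(len(labels)):
        tail = labels[i:]
        if "!" + ".".join(tail) in rules:
            return len(tail) - 1  # exception rule wins; drop its left label
        if ".".join(tail) in rules or ".".join(["*"] + tail[1:]) in rules:
            best = max(best, len(tail))  # longest matching rule prevails
    return best


def registered_domain(name, rules):
    """Public suffix plus one label: the unit the limit is counted on."""
    labels = name.lower().rstrip(".").split(".")
    n = public_suffix_len(labels, rules)
    if len(labels) <= n:
        return None  # the name is itself a public suffix
    return ".".join(labels[-(n + 1):])


def over_limit(requests, rules, limit):
    """Return {registered_domain: count} for buckets above the limit."""
    counts = Counter(registered_domain(r, rules) for r in requests)
    return {d: c for d, c in counts.items() if d and c > limit}


if __name__ == "__main__":
    # On the list: each district is its own bucket, nobody is over.
    print(over_limit(REQUESTS, PSL_WITH_SUFFIX, LIMIT))
    # Off the list: every district shares one bucket and trips the limit.
    print(over_limit(REQUESTS, PSL_WITHOUT_SUFFIX, LIMIT))
```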

Dang. I’m not a DOE contact for SD, unfortunately. I work primarily with WI districts and have contacts in this state, but this SD district is a bit of an outlier for me. I’ll see what I can do about working with SD authorities to get themselves uncommented on that list.

Thank you so much for such a thorough, well-researched answer! I had no idea that Public Suffix List was a thing!

Hi @blurst_of_times

looking there,;include_subdomains:true;;issuer_uid:4428624498008853827&lu=cert_search

You have 5 certificates with from 2018-07-10 to 2018-07-11.

Normally, one certificate should be enough. 9 active certificates.

Is there a buggy client? Or is there more than one cronjob?

@mnordhoff nailed it. The problem is that an admin for the domain had it removed from the Public Suffix List. The domains under are each operated by individual organizations. For example, I’m not associated with Brandon Valley school district. There are dozens of districts that each manage their own domains, and will each be requesting their own LE certs. For now, I’ll try to get the folks who run to relinquish their Public Suffix List exception.

It’s interesting to see that the original reason that they got removed was in order to use wildcard certificates for (from a different CA). One of those certificates is still valid:*

I guess there’s some tension between different people’s desire to declare “ is all one single entity for trust purposes” or “ is many different entities for trust purposes” (interestingly both related to digital certificates).

Let’s Encrypt wasn’t a thing when they requested to be removed from the PSL. I’m hoping the development of LE will be a reason for them to reconsider and hopefully reverse their policy.

We’ll see! I wonder if they’ll have to invalidate their wildcard cert if they get back on the PSL. If not, they can go back on the list and still take 2 years to figure out the technical ramifications before anything bites them.

I now realize I should have redacted the verification token from the command output in my original message. Would it be possible to have that information deleted from the post?

It’s a good intuition not to paste any authentication-related data on public web sites, but the authentication token here turns out not to be particularly sensitive. It’s a short-lived one-time-use random number which would allow someone with access to post content on your web site to confirm your specific certificate request. It can’t be used for any other purpose and doesn’t allow access to your site’s secret key or to your Let’s Encrypt account. So I wouldn’t worry about it.
