I seem to be getting rate-limited by the top-level domain k12.sd.us. Perhaps k12.sd.us isn’t registered with Let’s Encrypt as a TLD? I have registered dozens of domains under k12.wi.us in the last couple of weeks, but this is the first one I have tried under k12.sd.us.
Let’s Encrypt primarily relies on the Public Suffix List for this; someone from k12.sd.us asked for it to be removed from the list in 2013:
You’re in a bit of a pickle. Do you have good contacts with whatever DOE IT department runs k12.sd.us? (Now that I think of it, are you one of them?) It’s pretty much up to them to solve this.
They can:
Change their mind and ask to be re-added to the Public Suffix List. https://k12.sd.us/ is still using a *.k12.sd.us wildcard certificate, so I’m skeptical they’ll want to do that.
If you can’t get the DOE officially on board, the Public Suffix List can’t do anything. I’m not sure if Let’s Encrypt would be willing to make an exception.
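To make the mechanism in the answer above concrete, here is an added worked example (not code from anyone in this thread or from Let’s Encrypt). Let’s Encrypt’s per-registered-domain rate limit keys on the “registered domain”, which is the public suffix plus one label, as derived from the Public Suffix List. The snippet below implements the PSL matching algorithm (longest matching rule wins, `*` matches one label, a `!` exception rule strips its leftmost label) over a constructed subset of the list in which `k12.wi.us` is present and `k12.sd.us` is absent, and shows how that puts every SD district into a single `k12.sd.us` bucket while each WI district gets its own. The list contents, hostnames and function names are assumptions for illustration, not the real PSL file.

```python
# Constructed subset of the Public Suffix List for illustration only (not the real file).
# k12.wi.us is listed; k12.sd.us is deliberately absent, mirroring the delisting described above.
PSL_SNIPPET = """
// ===BEGIN ICANN DOMAINS===
us
wi.us
sd.us
k12.wi.us
// k12.sd.us   <- commented out at the registrant's request (illustrative)
// ===END ICANN DOMAINS===
"""


def parse_psl(text):
    """Return the list of rules: skip blank lines and '//' comments,
    and read each rule only up to its first whitespace, as the PSL format specifies."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.split()[0].lower())
    return rules


def _labels(domain):
    return domain.lower().rstrip(".").split(".")


def public_suffix(domain, rules):
    """PSL algorithm: among all rules matching the domain's right-hand labels,
    an exception (!) rule beats everything; otherwise the longest rule wins.
    With no match, the rightmost label alone is the public suffix."""
    labels = _labels(domain)
    best = None  # (is_exception, number_of_rule_labels)
    for rule in rules:
        is_exception = rule.startswith("!")
        rlabels = rule.lstrip("!").split(".")
        if len(rlabels) > len(labels):
            continue
        tail = labels[-len(rlabels):]
        if not all(r == "*" or r == d for r, d in zip(rlabels, tail)):
            continue
        cand = (is_exception, len(rlabels))
        if best is None or (cand[0] and not best[0]) or (cand[0] == best[0] and cand[1] > best[1]):
            best = cand
    if best is None:
        n = 1
    elif best[0]:
        n = best[1] - 1  # exception rule: the suffix is the rule minus its leftmost label
    else:
        n = best[1]
    return ".".join(labels[-n:])


def registered_domain(domain, rules):
    """Public suffix plus one more label; None if the name is itself a public suffix."""
    labels = _labels(domain)
    n = public_suffix(domain, rules).count(".") + 1
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def rate_limit_buckets(hostnames, rules):
    """Group hostnames by the registered domain a per-registered-domain limit would key on."""
    buckets = {}
    for host in hostnames:
        buckets.setdefault(registered_domain(host, rules), []).append(host)
    return buckets


if __name__ == "__main__":
    rules = parse_psl(PSL_SNIPPET)
    # Constructed sample hostnames, not real districts.
    sample = [
        "www.districta.k12.sd.us",
        "www.districtb.k12.sd.us",
        "www.districtc.k12.wi.us",
        "www.districtd.k12.wi.us",
    ]
    for bucket, hosts in rate_limit_buckets(sample, rules).items():
        print(f"{bucket}: {hosts}")
```

Run as-is, the SD hostnames collapse into one `k12.sd.us` bucket (so dozens of independent districts draw on a single rate-limit allowance), while `districtc.k12.wi.us` and `districtd.k12.wi.us` are separate registered domains. Re-adding `k12.sd.us` to the list is exactly what would split the SD bucket the same way.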
Dang. I’m not a DOE contact for SD, unfortunately. I work primarily with WI districts and have contacts in this state, but this SD district is a bit of an outlier for me. I’ll see what I can do about working with SD authorities to get themselves uncommented on that list.
Thank you so much for such a thorough, well-researched answer! I had no idea that Public Suffix List was a thing!
@mnordhoff nailed it. The problem is that an admin for the domain k12.sd.us had it removed from the Public Suffix List. The domains under k12.sd.us are each operated by individual organizations. For example, I’m not associated with Brandon Valley school district. There are dozens of districts that each manage their own domains, and will each be requesting their own LE certs. For now, I’ll try to get the folks who run k12.sd.us to relinquish their Public Suffix List exception.
It’s interesting to see that the original reason that they got removed was in order to use wildcard certificates for k12.sd.us (from a different CA). One of those certificates is still valid:
I guess there’s some tension between different people’s desire to declare “k12.sd.us is all one single entity for trust purposes” or “k12.sd.us is many different entities for trust purposes” (interestingly both related to digital certificates).
Let’s Encrypt wasn’t a thing when they requested to be removed from the PSL. I’m hoping the development of LE will be a reason for them to reconsider and hopefully reverse their policy.
We’ll see! I wonder if they’ll have to invalidate their wildcard cert if they get back on the PSL. If not, they can go back on the list and still take 2 years to figure out the technical ramifications before anything bites them.
I now realize I should have redacted the verification token from the command output in my original message. Would it be possible to have that information deleted from the post?
It’s a good intuition not to paste any authentication-related data on public web sites, but the authentication token here turns out not to be particularly sensitive. It’s a short-lived one-time-use random number which would allow someone with access to post content on your web site to confirm your specific certificate request. It can’t be used for any other purpose and doesn’t allow access to your site’s secret key or to your Let’s Encrypt account. So I wouldn’t worry about it.