"Too many certificates already issued" - but I haven't created any new ones in a long while

Hi team

Love the service, but I am now getting “Error creating new cert :: Too many certificates already issued for bouncycastlenetwork.com” when I try creating any new certificate with LetsEncrypt-Win-Simple

I’ve not made any new certificates in over a week, so I definitely shouldn’t be hitting the limit (although I do have a lot of renewals each week).

Your help is much appreciated <3

Thanks

Stefan

Bouncy Castle Network

check https://crt.sh/?q=%.bouncycastlenetwork.com

It looks like you obtained 15 on Friday, and another 5 in the 3 days before that.

Ah, but those are renewals - not new certificates. I thought renewals weren’t rate-limited?

Well, there are limits for renewals, but they’re separate (basically you can’t renew the “same” certificate more than a few times per week, which obviously is pointless) and would give a different error message.

I agree that the one certificate I looked at seems to be a renewal. Huh. It is conceivable there’s a bug.

@jsha could you take a look and see if renewals are being counted improperly for rate limiting purposes here?

The logic around renewals vs new certificates is a little non-intuitive. I've tried to convey it at Rate Limits - Let's Encrypt

To make sure you can always renew your certificates when you need to, we have a Renewal Exemption to the Certificates per Registered Domain limit. Even if you’ve hit the limit for the week, you can still issue new certificates that count as renewals. An issuance request counts as a renewal if it contains the exact same set of hostnames as a previously issued certificate. This is the same definition used for the Duplicate Certificate limit described above. Renewals are still subject to the Duplicate Certificate limit.

Specifically, you get the renewal exemption only if you've already hit the Certificates per Registered Domain limit for the week. If you do all your renewals first, then try to issue new certificates, you will hit the limit. I realize this is a bit awkward to work around, but my recommendation would be that if you have a bundle of certificates to issue, and to renew, do the issuances first and then the renewals.
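The ordering effect described in the post above is easier to see in code. The following is an added model of the two checks, not Boulder's own implementation and not code from anyone in this thread. It assumes the public limit values (50 certificates per registered domain per week, 5 duplicate certificates per week), treats the last two labels of a hostname as the registered domain (Boulder uses the Public Suffix List), and the `example.com` hostnames and dates in the scenario are constructed for illustration.

```python
"""Illustrative model of Let's Encrypt's Certificates per Registered Domain
limit with the renewal exemption and the Duplicate Certificate limit.
Added example; not Boulder's code."""
from datetime import datetime, timedelta

# Assumed limit values from the public Rate Limits page (not stated in the thread).
CERTS_PER_REGISTERED_DOMAIN = 50   # per rolling week, per registered domain
DUPLICATE_CERTS_PER_WEEK = 5       # issuances of the exact same hostname set
WINDOW = timedelta(days=7)


class RateLimitError(Exception):
    pass


def registered_domain(hostname):
    """Simplification: last two labels. Boulder consults the Public Suffix List,
    so names like foo.co.uk are handled differently in the real CA."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class IssuanceLog:
    """Stand-in for the CA's table of issued certificates."""

    def __init__(self):
        self.issued = []  # list of (issue_time, frozenset of hostnames)

    def _recent(self, now):
        return [names for t, names in self.issued if now - WINDOW < t <= now]

    def request(self, hostnames, now):
        names = frozenset(h.lower() for h in hostnames)
        recent = self._recent(now)
        # A request is a renewal if its exact hostname set was issued before.
        is_renewal = any(names == prev for _, prev in self.issued)
        if is_renewal:
            # Renewals bypass the per-registered-domain check entirely but
            # are capped by the Duplicate Certificate limit.
            dupes = sum(1 for prev in recent if prev == names)
            if dupes >= DUPLICATE_CERTS_PER_WEEK:
                raise RateLimitError(
                    "too many certificates already issued for exact set of "
                    "domains: " + ",".join(sorted(names)))
        else:
            # A new certificate is checked against everything issued in the
            # window for the same registered domain; renewals count here too,
            # which is why renewing first can block later new issuances.
            for rd in {registered_domain(h) for h in names}:
                count = sum(1 for prev in recent
                            if any(registered_domain(h) == rd for h in prev))
                if count >= CERTS_PER_REGISTERED_DOMAIN:
                    raise RateLimitError(
                        f"Too many certificates already issued for {rd}")
        self.issued.append((now, names))
        return "renewal" if is_renewal else "new"


def simulate(renewals_first, n_existing=CERTS_PER_REGISTERED_DOMAIN):
    """Constructed scenario: n_existing certificates for distinct hosts under
    example.com were issued 10 days ago (outside the window). Today the
    operator renews all of them and also requests one brand-new hostname.
    Returns (number of successful requests, error message or None)."""
    log = IssuanceLog()
    long_ago = datetime(2018, 1, 1)
    today = long_ago + timedelta(days=10)
    old_sets = [[f"host{i}.example.com"] for i in range(n_existing)]
    for names in old_sets:
        log.request(names, long_ago)
    new_set = ["brand-new.example.com"]
    todo = old_sets + [new_set] if renewals_first else [new_set] + old_sets
    ok = 0
    for names in todo:
        try:
            log.request(names, today)
            ok += 1
        except RateLimitError as e:
            return ok, str(e)
    return ok, None


def renew_repeatedly(attempts):
    """Renew one unchanged hostname set `attempts` times in a day; returns how
    many succeed before the Duplicate Certificate limit stops it."""
    log = IssuanceLog()
    first = datetime(2018, 1, 1)
    today = first + timedelta(days=10)
    log.request(["www.example.com", "example.com"], first)
    ok = 0
    for _ in range(attempts):
        try:
            log.request(["example.com", "www.example.com"], today)
            ok += 1
        except RateLimitError:
            break
    return ok


if __name__ == "__main__":
    print("renewals first:", simulate(True))
    print("new cert first:", simulate(False))
    print("repeat renewals allowed today:", renew_repeatedly(8))
```

With renewals done first, the fifty renewals succeed and the one genuinely new certificate is rejected with the same "Too many certificates already issued for example.com" message seen in the opening post; with the new certificate requested first, all fifty-one requests succeed, because each renewal skips the per-registered-domain check. The second function shows the separate limit that renewals do hit, and its different error text.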

Thanks for the explanation, @jsha.

I know I didn’t understand this previously, and even now that I do, I must say it’s not going to be easy to explain to less sophisticated users. Is there any chance Boulder can be changed to do the more intuitive thing here?

It’s fairly awkward to change. The big advantage of the current model is that it can be calculated relatively simply by just looking at the current state of the database of issued certificates, without introducing secondary tables. I agree that it would be nice to have, but I think we would have to see it causing problems for a larger number of users to justify the engineering investment.

Thanks for the clarification folks

Keep up the great work 🙂

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.