Too many certificates already issued for: appello.care

Hello,

We are deploying individual certs for hosts of the form <blah>.hq.appello.care to different physical locations.

We sporadically create ~6 new certs per month at a max rate of one/12hrs (no more than 14/wk).

In parallel, we run certbot renew once a day and currently have ~92 issued certs within the domain, and over the coming years we hope to see this grow to many thousands.

As renewals seem to count towards the limit of 20 certs per week per domain, renewals are consuming the 20 weekly slots, leaving no scope for further new certificates.

Is this what you expect of the default rate limits? If so, could we hope to secure a rate-limit adjustment?

_mm

Hi,

You can try to request a rate extension by visiting this link:

Refer: Rate Limits - Let's Encrypt

Thank you

It is currently the expected behavior. The plan is to change it so that renewals don’t prevent you from issuing new certificates, but they’ve found fixing it to be surprisingly complicated, so it hasn’t happened yet.

The current workaround is careful scheduling, even though what you’re doing now is normally recommended.

The other workaround is to do something like get one wildcard certificate you deploy to all your servers, if it’s possible in your environment.

You can request a rate limit adjustment; I’m not certain if they’ll grant it.

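The "careful scheduling" workaround mentioned in the reply above, as an added example that is not code from any poster in this thread or from Let's Encrypt: it delays renewals so that a chosen number of the 20 weekly slots stays free for new certificates. The trailing 7-day sliding window, the function names, the `reserve` value and the sample hostnames and dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta

WEEKLY_LIMIT = 20            # certs per registered domain per week (figure from the thread)
WINDOW = timedelta(days=7)   # assumption: trailing 7-day sliding window


def live(issued, at):
    """Issuances (new or renewal) that still count against the limit at `at`."""
    return sorted(t for t in issued if at - WINDOW < t <= at)


def earliest_slot(issued, want, reserve=0, limit=WEEKLY_LIMIT):
    """Earliest time >= `want` at which one more cert fits while `reserve`
    slots stay free. Times in `issued` later than the candidate time are not counted."""
    cap = limit - reserve
    if cap < 1:
        raise ValueError("reserve leaves no usable slots")
    at = want
    while True:
        counted = live(issued, at)
        if len(counted) < cap:
            return at
        # Jump to the moment enough of the oldest issuances age out of the window.
        at = counted[len(counted) - cap] + WINDOW


def plan_renewals(issued, due, reserve):
    """Place each due renewal (name, ready_time) in the first slot that fits."""
    history, plan = list(issued), []
    for name, ready in sorted(due, key=lambda d: d[1]):
        when = earliest_slot(history, ready, reserve)
        history.append(when)
        plan.append((name, when))
    return plan


# Constructed sample: 14 certs issued 12 h apart, then 8 renewals falling due together.
BASE = datetime(2024, 1, 1)
HISTORY = [BASE + timedelta(hours=12 * i) for i in range(14)]
DUE = [(f"host{i}.hq.example.test", BASE + timedelta(days=6, hours=18)) for i in range(8)]

if __name__ == "__main__":
    for name, when in plan_renewals(HISTORY, DUE, reserve=2):
        print(when.isoformat(), name)
```

With `reserve=2`, four of the eight renewals go out immediately and the rest are pushed back in 12-hour steps as older issuances leave the window.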

@mnordhoff Thank you, it’s good to know this is an acknowledged issue. Is there an intended timeframe, such as weeks, months, etc.? Or is there an issue ticket to watch for progress? If it’s likely to drag on, I’ll put some serious thought into options on our side.

The Boulder ticket you would want to watch for this issue is here: Improve renewal rate limiting · Issue #2800 · letsencrypt/boulder · GitHub

Unfortunately "Months" is the timeframe that probably best fits this one. It's a tricky bit of work and we have a lot of higher priority items on the go presently.

Thanks for your patience!

