Too many certificates already issued for: appello.care


#1

Hello,

We are deploying individual certs for hosts of the form <blah>.hq.appello.care to different physical locations.

We sporadically create ~6 new certs per month at a max rate of one/12hrs (no more than 14/wk).

In parallel, we run certbot renew once a day and currently have ~92 issued certs within the domain, and over the coming years we hope to see this grow to many thousands.

As renewals seem to count towards the limit of 20 certs per week per domain, renewals are consuming the 20 weekly slots, leaving no scope for further new certificates.

Is this what you expect of the default rate limits? If so, could we hope to secure a rate-limit adjustment?

_mm


#2

Hi,

You can try to request a rate extension by visiting this link:

Refer: https://letsencrypt.org/docs/rate-limits/#Overrides

Thank you


#3

It is currently the expected behavior. The plan is to change it so that renewals don’t prevent you from issuing new certificates, but they’ve found fixing it to be surprisingly complicated, so it hasn’t happened yet.

The current workaround is careful scheduling, even though what you’re doing now is normally recommended.

The other workaround is to do something like get one wildcard certificate you deploy to all your servers, if it’s possible in your environment.

You can request a rate limit adjustment; I’m not certain if they’ll grant it.
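
Added example, not part of any poster's reply and not Let's Encrypt or certbot code: one way to do the "careful scheduling" mentioned above, by counting every issuance (renewals included) against the 20-per-week figure from the thread and holding back non-urgent renewals so new hosts still fit. It assumes the week is a sliding 7-day window; the hostnames, dates and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

LIMIT = 20                  # certificates per week per domain (figure from the thread)
WINDOW = timedelta(days=7)  # assumption: the "week" is a sliding 7-day window

def in_window(issued, now):
    """Issuance times (new certs and renewals alike) still counted at `now`."""
    return sorted(t for t in issued if now - WINDOW < t <= now)

def earliest_new_slot(issued, now, limit=LIMIT):
    """Earliest time >= now at which one more certificate fits under the limit."""
    recent = in_window(issued, now)
    if len(recent) < limit:
        return now
    # This entry must age out of the window before the count drops below limit.
    return recent[len(recent) - limit] + WINDOW

def renewals_to_run(expiries, issued, now, reserve, limit=LIMIT):
    """Pick renewals to run now, soonest expiry first, keeping `reserve`
    slots free for new hosts. `expiries` maps hostname -> current expiry."""
    free = limit - len(in_window(issued, now)) - reserve
    due = sorted(expiries, key=expiries.get)
    return due[:max(free, 0)]

def demo():
    """Run both checks on constructed data (hostnames and dates are made up)."""
    now = datetime(2018, 6, 15, 12, 0)
    expiries = {
        "site-a.hq.example.test": now + timedelta(days=25),
        "site-b.hq.example.test": now + timedelta(days=9),
        "site-c.hq.example.test": now + timedelta(days=29),
    }
    # 18 issuances in the last 6 days: two slots left, one kept in reserve.
    quiet = [now - timedelta(hours=8 * i) for i in range(1, 19)]
    # 20 issuances in the last 7 days: window full until the oldest ages out.
    full = [now - timedelta(hours=8 * i) for i in range(1, 21)]
    return (
        renewals_to_run(expiries, quiet, now, reserve=1),
        earliest_new_slot(quiet, now),
        renewals_to_run(expiries, full, now, reserve=1),
        earliest_new_slot(full, now) - now,
    )

if __name__ == "__main__":
    print(demo())
```

In practice the issuance history would come from your own deployment records, and the selected hostnames would be renewed individually instead of through a blanket daily `certbot renew`.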


#4

@mnordhoff Thank you, it’s good to know this is an acknowledged issue. Is there an intended timeframe, such as weeks, months, etc.? Or is there an issue ticket to watch for progress? If it’s likely to drag on, I’ll put some serious thought into options on our side.


#5

The Boulder ticket you would want to watch for this issue is here: https://github.com/letsencrypt/boulder/issues/2800

Unfortunately “Months” is the timeframe that probably best fits this one. It’s a tricky bit of work and we have a lot of higher priority items on the go presently.

Thanks for your patience!

