Too many certificates already issued for: dlinkddns.com","status":429


#1

i need a ssl certificate for a my web site over ddns dlinkddns.com. issue failed with error

Certificate signature failed. Certificates per Domain is currently 5 per 7 days. If there is a rate limiting error at the end of this paragraph. Try asking Lets Encrypt
to increase the limit or wait 7 days. Rate limits should increase in
the near future. {“type”:“urn:acme:error:rateLimited”,“detail”:“Error
creating new cert :: Too many certificates already issued for:
dlinkddns.com”,“status”:429}

may you consider to cancel limit for service for ddns? most people use dlinkddns, so how can use lets encrypt if you dont change your policy for this site?


#2

Please run a simple search on this forum. The question was asked (and already answered) dozens of times. You may want to start reading

https://community.letsencrypt.org/t/quick-start-guide/1631?source_topic_id=10886

Here’s there’s also a collection of identical requests

and also the thread immediately below yours


#3

We are still considering other options for dynamic DNS providers; as you can see in those threads some of them now have been added to the Public Suffix List and are (or will be) exempt from rate limiting, but we and the Public Suffix List maintainers are interested exploring other mechanisms for exempting services like these or changing how the rate limit applies to them.


#4

Hi, i created an issue https://github.com/publicsuffix/list/issues/149 for this.
Even if there are considerations about an new system the domain should be on the PSL.
Because this does cookie protection.

@schoen maybe there should be an own category for “dyn/free” dns problems with an pinned article
that describe how to fill an request on the publicsuffix list.

@weppos maybe it is an good idea if there is an form there user can easy submit new domains ?

  • Fields:
  • Domain-Name
  • URL Describing the Service
  • Mail of the Submitter (used for verification and protection)

#5

@tlussnig I’m working on writing some docs about the submission policy for TLS and private domains for the PSL. In the past the process was handled via email, and we moved to GitHub issues less than one year ago. For years the maintenance has been a very low activity, it was mostly a matter of dealing with registries and a few private entities who were aware of the PSL existence.

For better or for worse, the public adoption by Let’s Encrypt (specifically the use for rate-limiting) and the increasing interest in SSL/TLS certificates in general has increased the maintenance load specifically related to the private domains.

Per our policy, we do not accept submissions for private domains that are not submitted or confirmed by the owner of the domain. Therefore, we will not consider #149 unless it is explicitly submitted by Dyn. We’re also working to formalize a more efficient validation mechanism, since the manual email-based validation doesn’t scale well (specifically for private domains).


#6

@weppos so in short unless a provider of such “open” domains submits the entry it will not be made, well that’s certainly too bad, espeicially for well known stuff like dyn.


#7

@My1 like it or not, the owner control the domain and only the owner should have the right to decide how the domain should behave.

Here’s a recent example of a case where user vision is not the same of the owner vision.

For this reason, we can’t afford to include domains based on user input without the owner involvement, regardless how popular or well known is the domain.


#8

Hi the docs are only one part i think. Since not every user has an GitHub account and for most people using “sub”-domains it would be overkill to create an account. There should be an better way. So here is an look from the user perspective:

  1. I got an “domain” that is validated via LE that i am responsible for it.
  2. There is an list that used by the browser that take care that if i have A.some-domain.tld that not B.some-domain.tld can set cookies for me. This is also an really big security issue.

So there should be an easy way to get some-domain.tld into the list.
For example


#9

please, think about who can be really interested about a free ssl certificates.

sure not companies o professional which can afford expense tu buy domain from hosting services, that can spend little much money to have a SSL certificates from commercial Certification Auth.

i think that target for free SSL certificates and Lets encrypt are (except passionate in cryptoservice) individuals/family that want to secure their little service or cloud running on their own server like synology or qnap, hardware now at affordable cost.

So, for a family which has his own modem router provider (as dlink) which give free ddns services autoupdate by modem router, think that have dlinkddns.com in site name is acceptable for free service.

In this scenario, why let encrypt dont want to help to spread SSL to individual and family with low budget? if i have budget to pay an hosting site and an address like www.mysite.com, very often my hosting site company offer a ssl services and i have non interest to use lets encrypt.
i use a free service if i have no budget left!

So, in a few word, you should consider to eradicate limit to issue certificates to well-known domain like dlinkddns.com, frizt, unchaining matter like publicsuffix list, which is not related to enchiper.


#10

Hi @canada, we are definitely trying to find a long-term solution that scales better and doesn’t result in problems for users of services like this.

Right now it’s clear that users of several free DDNS services are not being well-served by Let’s Encrypt because of the rate limits. I hope we can find a way to improve that.


#11

You should keep in mind about the cross subdomain cookie problem with these DNS services.
Also it is not valid to say that only small side use LE. If you look at Let's Encrypt usage in the Alexa Top 1 Million most visited sites you can see that 1234 domain of the top 1mio.
Also use LE.


#12

“in the long run we are all dead” (John Maynard Keynes) :slightly_smiling:

you should think to quick-win road, to improve in next month.

If you can help me to understand cross subdomain problem for a family/individual site/cloud server… i will be happy (not joke)


#13

@schoen is the solution related to “https://github.com/letsencrypt/boulder/pull/1480” ?
@canada The cross domain cookie problem is that site a.domain.tld can set an cookie for domain.tld
and than if you visit b.domain.tld the server receive the cookie from the other domain.
The PSL tell the browser what are “master” domains. For these domain you can not set an cookie.
Ex: “org” or “co.uk


#14

I think so, although I haven’t looked very closely.


#15

Businesses that are even aware of Lets Encrypt would certainly appreciate using the service. If you look at the historical business model for CAs, the cost of a single certificate itself is not so much, but there is overhead in getting and maintaining the certificate. Some businesses accidentally let certificates expire. Some have even let their domains expire inadvertently.

The most significant benefit for business, IMO, is the automation. And many businesses have a number of certificates. For those with a lot of them, then a wildcard certificates is more economical and, sure, many/most can afford that. However, there is the management aspect again. In a large company, control over a wildcard certificate might be an issue.

Don’t discount business use. I expect that Let’s Encrypt matures, software to access it becomes more pervasive, etc., businesses will take advantage of it.


#16

You forgot to mention that there are two buisssnes cases one is the ca selling certificates. The other is company use certificates to gain trust by consumer. Only one with small number of companies want care that cert should stay extensive.


#17

But… what about for my certificate SSL at xxx.dlinkddns.com?


#18

@canada, we want to find a better solution for dynamic DNS providers but we haven’t deployed one yet. I’m sorry for the delay.


#19

Maybe an link to the discussion about the better solution would be helpful ?


#20

tlussnig, I dont understand