Too many certificates already issued - rate limit?


#1

@bmw @jsha @kelunik

From https://community.letsencrypt.org/t/beta-program-announcements/1631

Rate limit on registrations per IP is now 10 per 3 hours up from 10 per day.
Rate limit on certificates per Name is now 10 per 59 days up from 6 per 59 days.

Is that per Name as in the common name of the SSL certificate, or per top-level domain plus subdomains? I ran into this at https://github.com/letsencrypt/letsencrypt/issues/1569, and I don’t have 10 SSL certificates for the common name I tried (le10.http2ssl.xyz), but I do have a total of 10 SSL certificates if you include all top-level domains and subdomains.

From https://crt.sh/?Identity=%&iCAID=7395

2015-11-15      2016-02-13      CN=le10.http2ssl.xyz
2015-11-15      2016-02-13      CN=le10.http2ssl.xyz
2015-11-15      2016-02-13      CN=le10.http2ssl.xyz
2015-11-15      2016-02-13      CN=le10.http2ssl.xyz
2015-11-15      2016-02-13      CN=le10.http2ssl.xyz
2015-11-15      2016-02-13      CN=le10.http2ssl.xyz
2015-11-04      2016-02-02      CN=le2.http2ssl.xyz
2015-10-31      2016-01-29      CN=le8.http2ssl.xyz
2015-10-27      2016-01-25      CN=http2ssl.xyz
2015-10-27      2016-01-25      CN=le1.http2ssl.xyz

I see I have 6 issued SSL certificates for le10.http2ssl.xyz, so I hit the old rate limit?


#2

Ah, looks like I found my problem: the auto-renewal cronjob I set was running more frequently than every 2 months, so I ran into the 10 registrations per IP per 3 hr limit :sweat_smile:

Guess I need to wait another day for the rate limit to reset :slight_smile:


#3

It’s per top level domain (aka “registered domain”) based on the Public Suffix List. It looks like you have 10 certificates under http2ssl.xyz, so you have hit the limit. Hopefully you can continue testing against staging!


#4

Cheers @jsha… my cronjob mistakenly tried auto-renewal every 1 min, hehe… was giving the LE servers a workout :innocent:

All fixed up now, so auto-renew is every 2 months :smiley:

But it looks like I’ll have to continue tests on staging instead :frowning:


#5

Hi, with a 90-day lifetime this limits the certificates to 15 certs per “domain”.

  • domain.tld
  • www.domain.tld
  • imap.domain.tld
  • pop3.domain.tld
  • smtp.domain.tld
  • svn.domain.tld
  • community.domain.tld
  • chat.domain.tld

That is already 8 domains, which means more than half of the possible ones.
While other firms that make money with theirs are excluded from the limit:

  • dyndns.org
  • blogspot.

And for example wikipedia.org is limited to 15 country postfixes?

#6

“During this beta test we have very tight rate-limiting in place. We plan to loosen these limits as the beta proceeds.”

The rate limit would be reduced in production, I imagine to levels where it could be used for any number of certificates per domain.


#7

Yeah, the rate limit is only for the beta stages.


#8

You can always combine them into a single certificate.
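The two points made in posts #3 and #8 (the limit is counted per registered domain as defined by the Public Suffix List, and several names on one certificate's SAN list count as a single issuance) can be checked with a small script. This is an added example, not Let's Encrypt code: the Public Suffix List excerpt is a constructed subset of the real list, the 10-per-59-days window is the figure quoted from the beta announcement in the first post, the issuance records are copied from the crt.sh listing above, and `domain.tld` and the `alice`/`bob` dyndns hosts are hypothetical names.

```python
"""Rate-limit accounting by registered domain (added example; not Let's Encrypt code).

Assumptions: PSL_RULES is a constructed excerpt of the Public Suffix List, the
10-per-59-day window comes from the beta announcement quoted in the thread, and
domain.tld / alice.dyndns.org / bob.dyndns.org are hypothetical names.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed excerpt of the Public Suffix List. Rule syntax is the PSL's own:
# a plain suffix, a "*." wildcard matching exactly one label, and a "!" exception
# that overrides a wildcard. Names with no matching rule fall back to the bare TLD.
PSL_RULES = [
    "xyz", "org", "net", "com",
    "dyndns.org",          # provider suffix: every customer host is its own registered domain
    "blogspot.com",
    "*.ck", "!www.ck",     # wildcard plus exception, as in the real list
]

CERT_LIMIT = 10                  # certificates per registered domain (beta figure from post #1)
WINDOW = timedelta(days=59)      # sliding window from the same announcement


def _labels(domain):
    return domain.lower().rstrip(".").split(".")


def _rule_matches(rule_labels, labels):
    """PSL matching: compare label by label from the right; '*' matches one label."""
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == l for r, l in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(domain, rules=PSL_RULES):
    labels = _labels(domain)
    best = None
    for rule in rules:
        rule_labels = _labels(rule.lstrip("!"))
        if not _rule_matches(rule_labels, labels):
            continue
        if rule.startswith("!"):              # an exception wins outright: drop its leftmost label
            return ".".join(labels[-(len(rule_labels) - 1):])
        if best is None or len(rule_labels) > len(best):
            best = rule_labels                # otherwise the longest matching rule prevails
    if best is None:
        best = ["*"]                          # PSL default rule: the bare TLD is the suffix
    return ".".join(labels[-len(best):])


def registered_domain(domain, rules=PSL_RULES):
    """Public suffix plus one label, or None if the name is itself a public suffix."""
    labels = _labels(domain)
    suffix_len = len(_labels(public_suffix(domain, rules)))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def issued_counts(records, now, rules=PSL_RULES):
    """records: (not_before: date, [names on the certificate]). A certificate is
    counted once per registered domain it names, if issued inside the window."""
    counts = defaultdict(int)
    for not_before, names in records:
        if now - not_before > WINDOW:
            continue
        for rd in {registered_domain(n, rules) for n in names} - {None}:
            counts[rd] += 1
    return dict(counts)


def blocked_domains(names, records, now, rules=PSL_RULES):
    """Registered domains that would refuse a new certificate for `names`; empty list means OK."""
    counts = issued_counts(records, now, rules)
    wanted = {registered_domain(n, rules) for n in names} - {None}
    return sorted(rd for rd in wanted if counts.get(rd, 0) >= CERT_LIMIT)


# Constructed from the crt.sh listing in the first post: ten certificates, all under http2ssl.xyz.
THREAD_RECORDS = (
    [(date(2015, 11, 15), ["le10.http2ssl.xyz"])] * 6
    + [(date(2015, 11, 4), ["le2.http2ssl.xyz"]),
       (date(2015, 10, 31), ["le8.http2ssl.xyz"]),
       (date(2015, 10, 27), ["http2ssl.xyz"]),
       (date(2015, 10, 27), ["le1.http2ssl.xyz"])]
)
NOW = date(2015, 11, 16)

# The eight hosts from post #5 (domain.tld is hypothetical), issued two different ways.
HOSTS = ["domain.tld", "www.domain.tld", "imap.domain.tld", "pop3.domain.tld",
         "smtp.domain.tld", "svn.domain.tld", "community.domain.tld", "chat.domain.tld"]
SEPARATE_CERTS = [(NOW, [h]) for h in HOSTS]   # one certificate per host
ONE_SAN_CERT = [(NOW, HOSTS)]                   # all hosts on one certificate's SAN list


if __name__ == "__main__":
    print(issued_counts(THREAD_RECORDS, NOW))                            # {'http2ssl.xyz': 10}
    print(blocked_domains(["le11.http2ssl.xyz"], THREAD_RECORDS, NOW))   # ['http2ssl.xyz']
    print(issued_counts(SEPARATE_CERTS, NOW))                            # {'domain.tld': 8}
    print(issued_counts(ONE_SAN_CERT, NOW))                              # {'domain.tld': 1}
    # dyndns.org is a public suffix in this excerpt, so customer hosts get separate buckets
    print(registered_domain("alice.dyndns.org"), registered_domain("bob.dyndns.org"))
```

The same ten certificates that crt.sh lists for the first poster all land in the `http2ssl.xyz` bucket, so an eleventh name under it is refused until the oldest entries age out of the window; the eight hosts from post #5 consume eight slots as separate certificates but only one slot as a single SAN certificate. Provider suffixes such as `dyndns.org` only separate their customers' buckets because they appear on the Public Suffix List, which is what the later requests for dyndns-style exceptions in this thread come down to.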


#9

We will always have some rate limits in place to help mitigate excessive use, but they will probably become somewhat more relaxed over time.


#10

cheers @jsha

You’ll need to formally document those rate limits in the documentation and/or on the web site too :slight_smile:


#11

kelunik, I don’t think you are correct. One certificate per domain, with no wildcards or virtual or parked domains. Can someone else confirm that I am correct?


#12

You can issue certificates for multiple domains; see https://kelunik.com/, where the certificate is valid for www.kelunik.com and kelunik.com using the Subject Alternative Name field. I implemented the protocol in PHP; I should know how issuance works. :wink:


#13

Sorry, when I visit https://www.kelunik.com, my browser cannot find a valid certificate. Can someone else please resolve this question?

I’m pretty sure that LE automatic support is not intended to support virtual domains, even for www.


#14

Fixed; I didn’t have www.kelunik.com as a server_name, so it used the default one (dev.kelunik.com) and served the wrong certificate. As the main domain is not actively in use, I never tried www., thanks.


#15

I verified the fix and see the alternate name in the certificate. It is unfortunate that so many webmasters are obtaining separate certificates for example.com and www.example.com. I hope the final automated version of the LE client will handle (or offer to handle) such common situations itself.


#16

I have no get CERT and it is close.


#17

I think the LE documentation should just mention that in the examples, i.e. -d domain.com -d www.domain.com, to cover them.


#18

Yes, that is an excellent example that should be provided in the beta client documentation. And the functionality should be included in the final released full automation. Thanks.


#19

I’m running many machines depending on dyndns domains. So now I’m stuck with not getting a cert for them, because all the other customers were faster than me.

“Too many certificates already issued for: xyz.xyz”

Will there be a whitelist for dyndns providers’ endings, because they’re only giving out subdomains to their customers?

Within the closed beta I didn’t stumble across this problem… And now I’m also unable to renew my cert.


#20

It would be great if the exceptions are not only for dyndns domains but also for huge communities like freifunk.net. There are more than 200 subcommunities each having their own subdomain xyz.freifunk.net and many using their own servers and taking care of their own server infrastructure and thus needing their own certificates.
Right now freifunk.net has already reached the limit of 10 certificates.