Too many certificates for dynamic DNS service with publicsuffix listing


#1

Hi,

After reading a lot on dynamic DNS service domain names I tried to obtain a (combined) certificate for:
wouter.dynv6.net, wkuit.dynv6.net, wouterkuit.dynv6.net using:

./letsencrypt-auto certonly --manual -d wouterkuit.dynv6.net -d wkuit.dynv6.net -d wouter.dynv6.net

I’m running in manual mode on an Ubuntu 15.10 virtual machine installation (Oracle VM VirtualBox) as my webserver (not really serving anything yet) is running on a Synology NAS running DSM 5.2 (latest update). (I’m aware the beta 6.0 version offers an integrated service, but I can’t use it). I manually complete the challenges and I believe they are successful. However the outcome is always:

Error:urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: dynv6.net"

If I run it in test mode it does work.

Based on the discussion from "Allow dynamic DNS services to register more certificates":

I selected dynv6.net as a dynamic DNS service as they are listed on https://publicsuffix.org/list/, so should not have an issue with rate limiting for a certain domain. I abandoned my previous (no-ip.org) dDNS service for this as they were not listed. (I tried it first and hit the same problem, then found all the threads here.)

First question:

  • Can I run the LE client from a virtual machine? (I assume yes, as I get a positive result in test mode.)

Main question:
  • **Why is it that a dynamic DNS service domain such as dynv6.net, that is listed on the Public Suffix List, still hits the rate limit?**


#2

Yes.

The Public Suffix List isn’t updated in real-time. The domain in question was added on February 16th, while the last update of the PSL in boulder (Let’s Encrypt’s CA server) was on February 4th.
The list is updated every few weeks, so this should get resolved sooner or later.
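
Added example (not part of the replies in this thread, and not boulder's code): a simplified Python version of the publicsuffix.org matching rules, showing why the three hostnames from post #1 share one per-domain rate-limit bucket under a snapshot taken before dynv6.net was listed and get separate buckets afterwards. The two rule sets are constructed stand-ins for PSL snapshots, and the function names are hypothetical.

```python
from collections import Counter

# Constructed rule sets standing in for two PSL snapshots (not real list contents).
PSL_OLD = {"com", "net", "org", "uk", "co.uk", "*.ck", "!www.ck"}
PSL_NEW = PSL_OLD | {"dynv6.net"}  # snapshot taken after the suffix was added

# Hostnames from post #1.
NAMES = ["wouter.dynv6.net", "wkuit.dynv6.net", "wouterkuit.dynv6.net"]


def public_suffix(name, rules):
    """Return the public suffix of `name` using publicsuffix.org rule matching."""
    labels = name.lower().rstrip(".").split(".")
    best = labels[-1:]  # implicit default rule "*": the last label
    for i in range(len(labels)):  # longest candidate first
        candidate = labels[i:]
        exact = ".".join(candidate)
        wildcard = ".".join(["*"] + candidate[1:])
        if "!" + exact in rules:
            # An exception rule beats every other rule; drop its leftmost label.
            return ".".join(candidate[1:])
        if (exact in rules or wildcard in rules) and len(candidate) > len(best):
            best = candidate
    return ".".join(best)


def registered_domain(name, rules):
    """Public suffix plus one label: the unit a per-domain limit is counted on."""
    labels = name.lower().rstrip(".").split(".")
    n = len(public_suffix(name, rules).split("."))
    # A name that is itself a public suffix has no registered domain.
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None


def buckets(names, rules):
    """Count how many names fall into each registered-domain bucket."""
    return Counter(registered_domain(n, rules) for n in names)


if __name__ == "__main__":
    print("stale snapshot:  ", dict(buckets(NAMES, PSL_OLD)))
    print("updated snapshot:", dict(buckets(NAMES, PSL_NEW)))
```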


#3

Thanks for the confirmation and explanation.
Is there a way to get an update on when the Public Suffix List is updated?
Like, is it posted somewhere? Or should I go to GitHub and subscribe there to be updated on a change in that particular part of the code?


#4

You can subscribe to status updates at https://letsencrypt.status.io/, which includes boulder updates being deployed to production (usually once or twice a week). They usually have a changelog, which would mention PSL updates.

