Too many certificates for SP.GOV.BR

Hi.

I manage the domain setec.sp.gov.br and I’m trying to get an SSL, but I get the “Error creating new cert :: too many certificates already issued for: sp.gov.br” message.

The problem is that, for government we have a suffix “sp.gov.br” per state and the domain looks like a subdomain “setec.sp.gov.br”. Thus the whole state of Sao Paulo is getting (or trying to get) a certificate for the same domain.

Could you help me out, please?

This has come up before:

Unfortunately, solving this requires the cooperation of an organization like PRODESP, NIC.br or CGI.br; as of the last time that thread was updated, they were hard to contact.

Hi again.

I’ve read that discussion, and my question, now, is: just add the sp.gov.br domain to the public suffix list is enough to “fix” this issue?

I know it’s a little bit hard, but if it does, I’ll go after them to get this included.

We have the suffixes uf.gov.br and uf.leg.br, where uf stands for the state. And I’ve seen that all the states’ .leg.br suffixes are included in the list.

Hi @pmoreira,

It would indeed fix this problem if sp.gov.br were added to the public suffix list (though only for São Paulo state; really, every UF-level subdomain of gov.br ought to be added to the PSL). [I noticed that you’re aware of this because of your leg.br example.]

In response to the previous thread that @mnordhoff mentions, I wrote a note in Portuguese describing the problem and the reasons why subdomains of gov.br ought to be listed on the PSL (at least two states have already had rate-limit problems—São Paulo and Minas Gerais). This ended up getting sent to several people, but none of them has replied. I have also been trying to get a contact at CGI.br to raise this question with them, but we have also not gotten replies over there.

Listing domains on the PSL is easy and free, but the request is supposed to come from a “responsible party”, and that’s the trouble in this case. Domains that refer to subdivisions of a country are an example of an intended use featured right on the PSL home page, so I don’t see any question that the PSL maintainers would view the request as appropriate.

If you’d like, I’m happy to forward you a copy of my e-mail (either for your reference or, if you find it persuasive, so that you can forward it to other contacts). I also speak Brazilian Portuguese, and you can write in either Portuguese or English, whichever you prefer. My address is my username on this forum plus @eff.org.


Hi @schoen and @mnordhoff

I have great news!! According to Frederico Neves, who is the managing director of technology at Registro.BR (a division of CGI.BR), he’s sent a patch in a pull request to include, among other things, the uf.gov.br for all states in Brazil.
https://patch-diff.githubusercontent.com/raw/publicsuffix/list/pull/464.patch

So, as soon as this pull request is merged into the master branch, and the list is updated, I’ll be able to list setec.sp.gov.br as a unique domain, right?

Thank you both for helping me out.

That’s amazing. You got much further with this than the last three other people who tried to make this happen, and very quickly.

Hopefully the PSL maintainers will approve it. There is still a review and confirmation process, but it does seem like a clear case of what the PSL was intended for, considering that one of their own examples of a subdomain that ought to be listed was k12.ma.us (schools in the U.S. state of Massachusetts).

When PSL updates happen, there is a delay for Let’s Encrypt to import them, but I believe they are commonly imported every few weeks. As I work with some people involved in that process, if you let me know when the PSL has updated, I can ask them when the next PSL import will happen and encourage them to do it reasonably promptly.


Sure will do, Seth. Thank you very much for helping me out through this.

I just mentioned to my other contacts (who apparently know Frederico Neves) that this DNS authentication step (creating the _psl.gov.br DNS entry to confirm the request) will have to happen before the request is accepted. You could feel free to pass this information along as well.

I suspect it would also help to post something in the PR discussion explaining what these domains are used for.


Okay!! I’ll let Frederico know about this as well.
Thank you again

As a moderator I also removed your telephone number from your most recent post because it was added as part of your e-mail signature, which I think you probably didn’t intend.


Yes… I forgot to erase it. Thank you!

@schoen
Hi!!
It worked!! The list https://publicsuffix.org/list/public_suffix_list.dat is updated with all uf.gov.br !!!
Can you please ask when the next Let’s Encrypt update with this data will be?


Hi @pmoreira,

I'm super glad to see this was resolved! Excellent work everyone!

We rely on the publicsuffix-go library, which needs to be updated with the latest public suffix list data. Once that library has updated, we can update Boulder & deploy it to production. This typically takes 1-2 weeks depending on when the various required parts get done.

I checked publicsuffix-go and the current version hasn't "autopulled" the uf.gov.br entry (unless I missed it). I'll keep an eye on that and try to turn around support in Let's Encrypt as fast as possible. I'll update this thread as progress continues.


The publicsuffix-go library was updated. The master branch of Boulder will be updated to use it when PR #2814 is merged. All that will remain after that is for this version of Boulder to be deployed to production (I’d estimate this for June 22nd, but it may slip if something comes up between then and now).


I’ve seen that this PR #2814 was merged into master. Is that correct? Does the estimate for June 22nd still stand?

@pmoreira - That’s correct. The code in master hasn’t been deployed to staging or prod yet. It should be deployed as part of June 22nd’s release but I will confirm in-thread when it happens. You can also follow http://status.letsencrypt.org/ for releases. The status updates include a link to the commits that are included.


Hi @pmoreira,

Good news - the required Boulder version is now live in production. You should be able to issue certificates for sp.gov.br and the rate limits will be calculated based on that domain being a public suffix. Please let me know if you still encounter the “Too many certificates” rate limit for subdomains of sp.gov.br.

@pmoreira, @schoen Thanks again for your patience & involvement getting this sorted out!

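To illustrate why listing sp.gov.br changed the rate-limit outcome described above, here is an added example (not code from this thread, from Boulder or from publicsuffix-go): a minimal Public Suffix List lookup that computes the registered domain used for the certificates-per-registered-domain limit, before and after a constructed PSL excerpt gains the sp.gov.br rule. The PSL excerpts and host names are constructed for the example.

```python
"""Minimal Public Suffix List lookup (constructed example, not Boulder's or
publicsuffix-go's code) showing why listing sp.gov.br changes the
certificates-per-registered-domain rate-limit bucket for setec.sp.gov.br."""
from collections import Counter

# Constructed PSL excerpts; the real list lives at publicsuffix.org.
PSL_BEFORE = """
// constructed excerpt: gov.br is listed, sp.gov.br is not
br
gov.br
leg.br
sp.leg.br
"""
PSL_AFTER = PSL_BEFORE + "sp.gov.br\nmg.gov.br\n"


def parse_psl(text):
    """Collect one rule per line, ignoring blanks and // comments."""
    return {ln.split()[0] for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("//")}


def public_suffix_len(labels, rules):
    """PSL algorithm: longest matching rule wins, '!' exception rules beat
    '*.' wildcard rules, and with no match the suffix is the last label."""
    best = 1
    for n in range(1, len(labels) + 1):
        tail = ".".join(labels[-n:])
        if "!" + tail in rules:
            return n - 1
        if tail in rules or (n > 1 and "*." + ".".join(labels[-(n - 1):]) in rules):
            best = n
    return best


def registered_domain(name, psl_text):
    """eTLD+1 for name, or None when name itself is a public suffix."""
    labels = name.lower().rstrip(".").split(".")
    n = public_suffix_len(labels, parse_psl(psl_text))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def rate_limit_buckets(names, psl_text):
    """Count requested names per registered domain, which is the bucket the
    certificates-per-registered-domain limit is applied to."""
    return Counter(registered_domain(n, psl_text) for n in names)
```

With PSL_BEFORE every São Paulo agency lands in the single sp.gov.br bucket; with PSL_AFTER each agency such as setec.sp.gov.br gets its own bucket.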

Great News @cpu @schoen @mnordhoff

It’s ok now. I was able to issue the certificate successfully! I hope this work helps out everybody in Brazil government!

Thank you all a lot for all the help and patience!

