Too many certificates - question

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *appdomain.cloud

I ran this command: Used cert-manager.io to generate a new cert for "*.<>.dev.*appdomain.cloud"

It produced this output:

Failed to create Order: 429 urn:ietf:params:acme:error:rateLimited: too many certificates (50) already issued for "*appdomain.cloud" in the last 168h0m0s,retry after 2025-05-20 03:16:24 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-registered-domain

My web server is (include version): golang api server

The operating system my web server runs on is (include version): rhel-ubi8

My hosting provider, if applicable, is: RedHat OpenShift Container Platform

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): cert-manager 1.17


I understand why the limits are in place, and have tried the automated form to request updating the limits and got the message "No overrides possible". The *appdomain.cloud is used by multiple groups inside our company to host their apps, and they are all using cert-manager and the Let's Encrypt issuer to get the SSL certs, most of which are already wildcard certificates. These groups may or may not talk to each other, meaning it is hard to coordinate across the groups. A couple of questions that I have:

  1. Is it possible to update the limit in any way?
  2. What are the other options available apart from waiting till (retry after)? Note: the error is just an example; we have been hitting the limit more and more recently.

TIA.

When you applied for the rate limit increase which option did you check? Because it is not possible to change the "already issued for exact set of domain" but that isn't the error you showed.

For that error you would use the below and it should not say "No overrides possible".

When you try applying again, please use the full error message which includes your domain name. I just used a sample error message above.

Do you work for IBM (who looks to be the owner of appdomain.cloud)? I think the rate limit request would need to come from the owner of the domain name.

It's probably worth scaling out to use multiple certificate authorities. There are several besides Let's Encrypt that use the same ACME protocol and also offer free domain-validation certificates. You may want to look at some comparison charts put together by the author of Certify the Web and by Posh-ACME.

If appdomain.cloud is used by many unrelated sites, it may also be worth looking at whether the owner should get it added to the Public Suffix List, which is mainly about browser cookie security but is also used in Let's Encrypt's rate limit calculations.
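
The effect of a Public Suffix List entry on the "per registered domain" limit, as an added example that is not part of the original posts: it groups certificate names by registered domain (public suffix plus one label) under two suffix sets. Both suffix sets and all team hostnames are constructed for illustration, and the matcher is a simplified longest-suffix lookup, not a full PSL implementation.

```python
from collections import Counter

# Constructed suffix sets, NOT the real Public Suffix List.
PSL_TODAY = {"cloud"}                          # assumption: only the TLD is listed
PSL_WITH_ENTRY = {"cloud", "appdomain.cloud"}  # assumption: the owner's entry was accepted


def registered_domain(name, suffixes):
    """Return public suffix + one label, or None if the name is itself a suffix.

    Simplified: the longest listed suffix wins; PSL wildcard (*.) and
    exception (!) rules are not handled.
    """
    labels = name.lower().rstrip(".").removeprefix("*.").split(".")
    for i in range(len(labels)):
        # i grows, so the first hit is the longest matching suffix
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[i - 1:]) if i > 0 else None
    # Nothing listed: fall back to the last label as the suffix
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def buckets(cert_names, suffixes):
    """Count certificates per registered domain (one name per certificate here)."""
    return Counter(registered_domain(n, suffixes) for n in cert_names)


# Constructed certificate names for groups sharing the domain (hypothetical labels).
ISSUED = [
    "*.team-a.appdomain.cloud",
    "*.api.team-a.appdomain.cloud",
    "*.team-b.appdomain.cloud",
    "*.team-c.dev.appdomain.cloud",
    "*.team-d.dev.appdomain.cloud",
]

if __name__ == "__main__":
    for label, psl in (("today", PSL_TODAY), ("with PSL entry", PSL_WITH_ENTRY)):
        print(f"{label}: {dict(buckets(ISSUED, psl))}")
```

With the constructed entry in place, groups that sit directly under the suffix get their own bucket, while groups nested under a shared label such as `dev` still count against one bucket.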

Thanks for pointing out the mistake, I will select the right option and fill out the form.

I will look into these options and work out how to get the rate limit request in the system. The public suffix list option seems like something we will have to explore.