I am trying to create a new certificate, but get the following error:
{
"type": "urn:acme:error:rateLimited",
"detail": "Error creating new cert :: Too many certificates already issued for: foo.com",
"status": 429
}
This is unexpected because I thought we were well below our 20 new certs / week / domain. To verify our current count, I looked up our domain on https://crt.sh/ as suggested in the rate limits documentation. I can see that between Monday 4/3 and Wednesday 4/5 (today) that we created 15 certs. About half of these were new certs, and the other half were pre-existing certs that were being renewed.
Since we’ve only created 15 certs this week, shouldn’t I be below the 20 certs / week / domain minimum? And shouldn’t the renewing certs not count against my 20 new cert total?
I’m a little confused about how we are hitting the limit!
The rate limits are for rolling periods, not calendar periods. So certificates from up to 168 hours ago count, not just those from this calendar week.
Also, and this is not very clear, but was presumably easier to implement, the renewals do count towards the total, but they don’t get stopped when the per-domain rate limit is reached. So if you do all the renewals first, you can run out before getting new certificates, whereas if you did them last it’d be fine.
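To make the two behaviours described above concrete (a rolling 168-hour window, and renewals that count toward the total but are never blocked), here is an added Python model that is not part of this thread or of Let's Encrypt's own code; the hostnames and timestamps are constructed.

```python
from datetime import datetime, timedelta
from typing import List, Set, Tuple

WINDOW = timedelta(hours=168)   # rolling 7-day window, not a calendar week
LIMIT = 20                      # certificates per registered domain per window

# One issuance record: (time issued, exact set of hostnames on the cert)
Issuance = Tuple[datetime, frozenset]


def issued_in_window(history: List[Issuance], now: datetime) -> List[Issuance]:
    """Issuances still inside the sliding window at time `now`."""
    return [(ts, h) for ts, h in history if now - WINDOW < ts <= now]


def is_renewal(hostnames: Set[str], history: List[Issuance], now: datetime) -> bool:
    """Renewal = exact same hostname set as some earlier certificate."""
    wanted = frozenset(hostnames)
    return any(h == wanted for ts, h in history if ts < now)


def can_issue(hostnames: Set[str], history: List[Issuance], now: datetime):
    """Return (allowed, reason). Renewals always pass but still occupy the window."""
    count = len(issued_in_window(history, now))
    if is_renewal(hostnames, history, now):
        return True, f"renewal exemption ({count}/{LIMIT} in window, still counted)"
    if count >= LIMIT:
        return False, f"rateLimited: {count}/{LIMIT} in rolling window"
    return True, f"new cert ({count}/{LIMIT} in window)"


def next_slot(history: List[Issuance], now: datetime) -> datetime:
    """Earliest time a *new* (non-renewal) cert could be issued again."""
    window = sorted(ts for ts, _ in issued_in_window(history, now))
    if len(window) < LIMIT:
        return now
    # Count drops below LIMIT once the (n - LIMIT + 1)-th oldest entry ages out.
    return window[len(window) - LIMIT] + WINDOW


if __name__ == "__main__":
    # Constructed sample: 10 certs issued Monday, 10 more Friday (the doc's example).
    mon = datetime(2017, 4, 3, 9, 0)
    fri = mon + timedelta(days=4)
    hist = [(mon, frozenset({f"h{i}.foo.com"})) for i in range(10)]
    hist += [(fri, frozenset({f"h{i}.foo.com"})) for i in range(10, 20)]
    print(can_issue({"new.foo.com"}, hist, fri + timedelta(hours=1)))   # blocked
    print(can_issue({"h0.foo.com"}, hist, fri + timedelta(hours=1)))    # renewal ok
    print(next_slot(hist, fri + timedelta(hours=1)))                    # next Monday
```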
Ah, OK. Somehow I read the example as being a hard reset on Mondays rather than a rolling 7 day window from the current date:
We use a sliding window, so if you issued 10 certificates on Monday and 10 more certificates on Friday, you’ll be able to issue again starting Monday.
So according to this example, on the following Monday you'd only be able to create 10 new certs, because the 10 created on Friday are still in the 7 day window. And then on the following Friday you could create 10 more certs. And so on.
That makes it hard to calculate how many certs you could create on a given day. I think a fixed calendar period would be easier to deal with, like every Monday you get 20 certs to create. I'll save that for a different thread though.
For your second point, that is awful! No they don't explain that very clearly!:
To make sure you can always renew your certificates when you need to, we have a Renewal Exemption to the Certificates per Registered Domain limit. Even if you’ve hit the limit for the week, you can still issue new certificates that count as renewals. An issuance request counts as a renewal if it contains the exact same set of hostnames as a previously issued certificate.
We have lots of IoT devices auto-renewing their certificates as needed independent of any centralized controlling mechanism. We wouldn't have any way of making sure new certs get created before the renews suck up all the rate limits! That seems crazy! Renews just shouldn't count against the rate limit. Period. At a certain scale, the renews would always eat up your ability to create new certs...
I was debugging my installation / renewal script, it is (finally) working now, but I am also receiving “Too many certificates already issued”. The last successful renewal (before being blocked) was on April 28th.
Does this mean that I can try again on May 6th (7 days after last successful attempt) and it should work?