Understanding certificate limits

I think I must be misunderstanding something about how the limits on certificate issuance work. As I understand it, I should get 50 per domain per week, however I am being declined even though I am nowhere near that.

When I run certbot, I get this:

Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: the3guys.com: see https://letsencrypt.org/docs/rate-limits/

On the page linked to, it says:

The main limit is Certificates per Registered Domain (50 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com.

But when I check my previous registration requests, I am still under 50 in the past week.

1 Like

Welcome to the Let's Encrypt Community, James 🙂

I just completely overhauled the Rate Limits page, but it hasn't been merged yet.

This is the limit you're hitting:

Renewals are treated specially: they don't count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificate per Registered Domain limit until March 2019, but they don't anymore. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains.


This is the new wording:

Message: too many certificates already issued for exact set of domains

Limit: 5 duplicate certificates / 7 days

Hitting this limit is often the result of using the following practices that should be avoided:

  • Deleting valid certificates (and their private keys) when attempting to resolve webserver configuration problems
  • Spinning-up ephemeral instances that acquire new certificates from the CA rather than utilizing an existing certificate

Definitions

Duplicate Certificate

A certificate is considered a duplicate if it contains the exact same SANs as another certificate, regardless of order. Renewal certificates are duplicate certificates.


Fully Qualified Domain Name (FQDN)

An FQDN is a complete domain name consisting of any subdomain names and an apex domain name.


Apex Domain Name

An apex domain name is usually the trailing part of an FQDN registered through a registrar. For instance, example.com is the apex domain name of www.example.com. We use the Public Suffix List to determine the apex domain name for any given FQDN.


Subject Alternative Name (SAN)

Each FQDN that a certificate covers is listed as a SAN in the certificate. A certificate with multiple SANs is sometimes called a unified communications certificate (UCC). Reducing the number of SANs in a certificate reduces the operational complexity associated with using the certificate, resulting in increased performance and reliability.

3 Likes
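As an added illustration (not code from this thread, from Let's Encrypt, or from certbot), here is a small Python model of the two limits explained above, run against a constructed issuance log that mirrors the asker's situation; the registered-domain helper is an assumption that ignores the Public Suffix List, and the log entries are made up.

```python
from datetime import datetime, timedelta

# Limits quoted on the page (production environment; staging allows 30,000 duplicates).
DUPLICATE_CERT_LIMIT = 5           # duplicate certificates per 7 days
CERTS_PER_REGISTERED_DOMAIN = 50   # certificates per registered domain per 7 days
WINDOW = timedelta(days=7)

# Constructed issuance log: the same SAN set requested five times in three days
# while debugging. Example data only, not real Certificate Transparency records.
NOW = datetime(2019, 8, 12, 12, 0)
ISSUED_LOG = [
    (NOW - timedelta(days=3), ["the3guys.com", "www.the3guys.com"]),
    (NOW - timedelta(days=2), ["www.the3guys.com", "the3guys.com"]),  # same set, other order
    (NOW - timedelta(days=2), ["the3guys.com", "www.the3guys.com"]),
    (NOW - timedelta(days=1), ["the3guys.com", "www.the3guys.com"]),
    (NOW - timedelta(hours=2), ["the3guys.com", "www.the3guys.com"]),
    (NOW - timedelta(days=20), ["the3guys.com", "www.the3guys.com"]),  # outside the window
]

def san_key(sans):
    """Canonical form of a SAN set: a certificate is a duplicate if it has exactly
    the same SANs as another one, regardless of order (case and trailing dots ignored)."""
    return tuple(sorted(s.lower().rstrip(".") for s in sans))

def registered_domain(fqdn):
    """Assumed simplification: the last two labels. Let's Encrypt consults the
    Public Suffix List instead, so names under suffixes like co.uk are wrong here."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def limits_hit(sans, issued=ISSUED_LOG, now=NOW):
    """Return the names of the limits a new order for `sans` would exceed."""
    recent = [s for t, s in issued if now - t < WINDOW]
    key = san_key(sans)
    hits = []
    # Duplicate Certificate: identical SAN sets already issued inside the window.
    if sum(1 for s in recent if san_key(s) == key) >= DUPLICATE_CERT_LIMIT:
        hits.append("Duplicate Certificate")
    # Certificates per Registered Domain: renewals (repeat SAN sets) do not count,
    # so only the distinct SAN sets in the window, plus this order, are tallied.
    distinct = {san_key(s) for s in recent} | {key}
    per_reg = {}
    for k in distinct:
        for rd in {registered_domain(x) for x in k}:
            per_reg[rd] = per_reg.get(rd, 0) + 1
    if any(per_reg[registered_domain(x)] > CERTS_PER_REGISTERED_DOMAIN for x in sans):
        hits.append("Certificates per Registered Domain")
    return hits

if __name__ == "__main__":
    print(limits_hit(["www.the3guys.com", "the3guys.com"]))  # ['Duplicate Certificate']
    print(limits_hit(["dev7.the3guys.com"]))                  # []
```

The second call shows why a fresh subdomain sidesteps the duplicate limit while still counting (once) toward the much larger per-registered-domain limit.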

Ok thanks, I was misunderstanding what was meant by "duplicate" certificate as opposed to certificates on the same domain. As I can just keep making up new subdomains so as to avoid the duplicate rule, that is fine for my debugging purposes (the reason why I keep repeating the same thing over and over).

1 Like

Why not just use the staging environment to save yourself a lot of problems?

This might appeal to you about the staging environment:

The Duplicate Certificate limit is 30,000 per week.

4 Likes

Because I didn't know it existed!

2 Likes

I figured this to be the case.

😁

We gotta speak with the advertising department - they need to get the word out!!!

LOL

3 Likes

Some people use the staging environment by default to avoid these sorts of problems--would that more guides emphasized this:

5 Likes

When a lot of people read "non-trusted", they run for the door. Perhaps "testing"?

This configuration

or

The configuration

2 Likes

Hey folks I think I spoke too soon, the dry run thing doesn't quite do it for me.

I need the certificate files to actually be created so that I can test the stuff I am building properly. Is there some way to make "dry run" create an untrusted/self-signed certificate?
Or should I just be transferring the certificate files between builds?

2 Likes

If I'm understanding the certbot command line options correctly, you're looking for --test-cert or --staging for it to actually install the fake certificate that the staging environment gives you.

3 Likes

To go along with @petercooperjr's suggestion, you need to also use --break-my-certs for certbot to actually install the fake certificates produced by the staging environment.

3 Likes

Thanks to both of you! This is what I needed. I think this is what you folks need to work more on explaining/promoting. The dry run stuff is easy to find, this not so much.

2 Likes
