Ways to determine when a RateLimit will expire


#1

Is there any way to determine when the ratelimit for a given domain and subdomains will expire, other than manually checking with crt.sh? I have registered several subdomains (for use with different servers in different locations) and I have some more to register. If there was an easy for us to check when instead of ‘trial and error’, it would be great.


#2

No, there isn’t.

If you have troubles with the rate limit, I suggest you add multiple subdomains to a single certificate, if you’re fine with the fact people of subdomain X can read subdomain Y when they look at the certificate. Not that security by obscurity is a good method tho…


#3

Right now the best available way is to search for your domain on crt.sh (You may need to search both example.com and %.example.com). Count backwards the most recent 5 certs that contain your domain, and a week from the earliest of those 5 is when you can issue again. Sorry it’s a bit of an awkward method. We’ve been thinking of ways to communicate this information better.