Is there any way to determine when the ratelimit for a given domain and subdomains will expire, other than manually checking with crt.sh? I have registered several subdomains (for use with different servers in different locations) and I have some more to register. If there was an easy for us to check when instead of ‘trial and error’, it would be great.
No, there isn’t.
If you have troubles with the rate limit, I suggest you add multiple subdomains to a single certificate, if you’re fine with the fact people of subdomain X can read subdomain Y when they look at the certificate. Not that security by obscurity is a good method tho…
Right now the best available way is to search for your domain on crt.sh (You may need to search both
%.example.com). Count backwards the most recent 5 certs that contain your domain, and a week from the earliest of those 5 is when you can issue again. Sorry it’s a bit of an awkward method. We’ve been thinking of ways to communicate this information better.