What's issue rate for westus.azurecontainer.io?


#1

It seems LetsEncrypt treats westus.azurecontainer.io as one domain and has a limit on it. One of my new domains got this error:

Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for: westus.azurecontainer.io: see https://letsencrypt.org/docs/rate-limits/

I’m wondering if LetsEncrypt can treat a subdomain like mydomain.westus.azurecontainer.io as one and set a rate limit for each one of them.


#2

In this case, it happened automatically because azurecontainer.io is on the Public Suffix List, so Let’s Encrypt basically treats it like a TLD for rate limiting purposes. In other words, just like abc.com and xyz.com are separate because com is a public suffix, abc.azurecontainer.io and xyz.azurecontainer.io are separate because azurecontainer.io is a public suffix.

You’d have to talk to Microsoft about updating their Public Suffix List entries. It seems like a good idea, under the circumstances.

Edit: You could also talk to Microsoft about requesting a rate limit increase from Let’s Encrypt. But in both cases, Microsoft has to take action.
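
Added example (not part of the original posts): how the rate-limit bucket follows from Public Suffix List rules, using a small constructed rule subset that reflects what this thread states rather than the real list. The wildcard rule and the name `other-app` are hypothetical, shown only to illustrate what a changed PSL entry would do.

```python
# Constructed subset of Public Suffix List rules, as described in this thread.
RULES_AS_DESCRIBED = {"com", "io", "azurecontainer.io"}
# Hypothetical updated entry: a wildcard turns every region label into a suffix.
RULES_WITH_WILDCARD = RULES_AS_DESCRIBED | {"*.azurecontainer.io"}


def public_suffix_len(labels, rules):
    """Return how many trailing labels form the public suffix."""
    best = 1  # PSL default rule "*": the last label alone is a suffix
    for i in range(len(labels)):  # longest candidate first
        candidate = labels[i:]
        exact = ".".join(candidate)
        wildcard = ".".join(["*"] + candidate[1:])
        if "!" + exact in rules:
            # Exception rule wins: suffix is the rule minus its leftmost label.
            return len(candidate) - 1
        if exact in rules or wildcard in rules:
            best = max(best, len(candidate))
    return best


def registered_domain(name, rules):
    """Public suffix plus one label: the unit the rate limit is counted on."""
    labels = name.lower().rstrip(".").split(".")
    n = public_suffix_len(labels, rules)
    if len(labels) <= n:
        return None  # the name is itself a public suffix
    return ".".join(labels[-(n + 1):])


def group_by_rate_limit_bucket(names, rules):
    """Group hostnames by the registered domain they are counted against."""
    buckets = {}
    for name in names:
        buckets.setdefault(registered_domain(name, rules), []).append(name)
    return buckets


if __name__ == "__main__":
    hosts = [  # constructed sample hostnames
        "gr2-backend-dev.westus.azurecontainer.io",
        "other-app.westus.azurecontainer.io",
        "app.eastus.azurecontainer.io",
        "www.abc.com",
        "xyz.com",
    ]
    for label, rules in (("as described", RULES_AS_DESCRIBED),
                         ("with wildcard", RULES_WITH_WILDCARD)):
        print(label, group_by_rate_limit_bucket(hosts, rules))
```

With the rules as described, every container in a region shares the `westus.azurecontainer.io` bucket named in the error message; with the hypothetical wildcard rule, each container hostname becomes its own bucket.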


#3

Hi @wy193777

you have 56 active certificates.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.carboncourts.com&lu=cert_search

And 5 with

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:gr2-backend-dev.westus.azurecontainer.io&lu=cert_search

gr2-backend-dev.westus.azurecontainer.io

as domain name, created 2018-09-19 - 2018-09-20. Normally, you should have max. two active certificates per domain name, not 5 in two days.

Do you recreate certificates every day? A certificate is valid for 90 days, so you should use one certificate for 60 days, then create a new one.


#4

Hi,

Just trying to be clear…
Azurecontainer.io is owned by Microsoft… And the part with westus or eastus etc. in the site names is the Microsoft Azure area code…

The domain is used by Azure as container defaults.

Thank you


#5

We are experimenting with how to properly use LetsEncrypt with Azure Container Instance. I guess it is because Azure File Share cannot handle symlinks, so every time we launch containers, certbot will request a new certificate. That’s why we consumed 5 certificates in two days.


#6

This is bad and a wrong configuration. The account information (public + private key + account url) and the certificates (public and private keys) should always be stored outside of containers.

So you are able to reuse these files.

There is a limit of 5 identical certificates per week. Create a new certificate, use it for 60 days, then create a new one. If every user of letsencrypt would create certificates daily (instead of one certificate every 60 days), that would be terrible.


#7

Yes, we understand that. We consumed all certificates by mistake when experimenting with it because of the symlink problem on mounted storage. Certbot does not work as expected when the mounted storage cannot handle symlinks.


#8

For information, you can use the staging option for experiments: certificates generated on it are NOT publicly trusted, but it has higher rate limits, so once you have found a suitable configuration, you can generate your real (publicly trusted) certificates: https://letsencrypt.org/docs/staging-environment/

