Same, we're also getting rate limited now
Same, still getting rate limited today
@Thomas-Tsai @mehulmpt :
Please tell me the exact error message you're getting; Let's Encrypt won't let me submit a request without it:
- too many certificates already issued for exact set of domain
- too many registrations for this IP
- too many failed authorizations recently
- too many certificates already issued
- too many new orders recently
- too many currently pending authorizations
- none of the above
Hi, @cunnie:
I'm getting rate limited too.
From my logs it's indicated too many certificates already issued for "sslip.io":
traefik | 2024-10-02T06:44:57Z ERR Unable to obtain ACME certificate for domains error="unable to generate a certificate for the domains [auth.127-0-0-1.sslip.io]: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for \"sslip.io\". Retry after 2024-10-02T07:00:00Z: see https://letsencrypt.org/docs/rate-limits/" ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["auth.127-0-0-1.sslip.io"] providerName=myresolver.acme routerName=authen-api@docker rule=Host(`auth.127-0-0-1.sslip.io`)
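Added example, not part of any comment in this thread: one way to pull the rate-limit type, the affected name and the retry time out of ACME client log lines like the one above, so the exact error can be reported. The category strings are the ones listed earlier in the thread (real CA wording may differ); `classify` and the two constructed sample lines are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Limit names as listed in the thread. Longest first, so the
# "exact set of domain" limit is not reported as the shorter
# "too many certificates already issued". Real CA wording may differ.
CATEGORIES = sorted([
    "too many certificates already issued for exact set of domain",
    "too many registrations for this IP",
    "too many failed authorizations recently",
    "too many certificates already issued",
    "too many new orders recently",
    "too many currently pending authorizations",
], key=len, reverse=True)

RATE_LIMITED = "urn:ietf:params:acme:error:rateLimited"
RETRY_RE = re.compile(r"Retry after (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")
# The name is quoted, and the quotes may be backslash-escaped in the log.
SUBJECT_RE = re.compile(r'issued for \\?"([^"\\]+)\\?"')

def classify(line):
    """Return None for non-rate-limit lines, else category/subject/retry_after."""
    if RATE_LIMITED not in line:
        return None
    lowered = line.lower()
    category = next((c for c in CATEGORIES if c.lower() in lowered),
                    "none of the above")
    subject = SUBJECT_RE.search(line)
    retry = RETRY_RE.search(line)
    retry_after = None
    if retry:
        retry_after = datetime.strptime(
            retry.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {"category": category,
            "subject": subject.group(1) if subject else None,
            "retry_after": retry_after}

# Shortened copy of the Traefik line quoted in the thread.
THREAD_LINE = (r'traefik | 2024-10-02T06:44:57Z ERR Unable to obtain ACME certificate '
               r'error="acme: error: 429 :: urn:ietf:params:acme:error:rateLimited :: '
               r'too many certificates already issued for \"sslip.io\". '
               r'Retry after 2024-10-02T07:00:00Z: see https://letsencrypt.org/docs/rate-limits/"')
# Constructed lines (not from the thread) for the ordering and no-match cases.
EXACT_SET_LINE = ("ERR acme: urn:ietf:params:acme:error:rateLimited :: too many "
                  "certificates already issued for exact set of domains")
OTHER_LINE = "ERR acme: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN"

if __name__ == "__main__":
    for sample in (THREAD_LINE, EXACT_SET_LINE, OTHER_LINE):
        print(classify(sample))
```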
FYI, I submitted a rate limit adjustment request for certificates from 3,000-5,000 to 5,000-10,000.
This is their reply:
Depending on the availability of our team, we look at form responses weekly and move the adjustments to production twice monthly. We will do our best to consider your application in a timely manner but we cannot guarantee any timeline. We’ll notify you via email when your application is processed. We reserve the right to reject applications at our discretion.
@cunnie Hello! Please consider adding sslip.io to the list at https://publicsuffix.org/ to avoid issues with Let's Encrypt certificates.
@unreturned Thanks for the suggestion.
I've submitted the request, but the Public Suffix List explicitly discourages adding a domain to get around Let's Encrypt rate limits. From their PR template:
Third-party Limits are used elsewhere, such as at Cloudflare, Let's Encrypt, Apple, GitLab or others, and having an entry in the PSL alters the manner in which those third-party systems or products treat a given domain name or sub-domains within it.
To be clear, it is appropriate to address how those limits impact your domain(s) directly with that third-party, and it is inappropriate to submit entries to the PSL as a means to work around those limits or restrictions.
@unreturned
I'm sorry to say that the Public Suffix List has declined my pull request to be included, citing several reasons, the most important being the following, from https://github.com/publicsuffix/list/wiki/Guidelines#validation-and-non-acceptance-factors:
We do not accept entries for use as DNS wildcards, such that e.g. 1-2-3-4.foo.tld resolves as IP address 1.2.3.4. This basically projects the security properties of the IP address space onto the domain name space, and we don't feel that is safe. IP addresses can be dynamically allocated to multiple mutually-untrusting parties; domain names generally are not.
@cunnie Yes, I read the thread. Nevertheless, thank you for your work.
@unreturned it was worth trying. Maybe the PSL will change their policy.
YAY! We got our limit bumped!
Thank you for your patience as we reviewed your rate limit adjustment request(s). We have approved and deployed the following rate limit adjustment that you requested.
Comment from the review team:
Rate Limit Type: too many certificates already issued
Registration ID or Domains: sslip.io sslip.io
New Limit: 5,000 - 10,000
Thanks for being a part of helping make the Web more secure by using our free TLS certificates. Let’s Encrypt is a nonprofit project, with 100% of our funding coming from charitable contributions. If you’d like to learn more about ISRG and our nonprofit work overall, you can do so at: https://www.abetterinternet.org/
While this is an automated email, please feel free to reach out to Sarah McClure at sarah.mcclure@abetterinternet.org should you have any questions about our nonprofit work.
For more information on integrating Let’s Encrypt, including best practices for large implementations, keep reading!
If you have a large integration, please read: https://letsencrypt.org/docs/integration-guide/ and https://github.com/https-dev. If you are onboarding customers using Let's Encrypt certificates, check out our blog post about best practices: https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html If you are wondering how many certificates you have used for a domain, you can use: https://crt.sh/ and https://search.censys.io/
If you have any further questions about our rate limits or need another rate limit adjustment, check out our documentation: https://letsencrypt.org/docs/rate-limits/
Or, post on our Community Forums: https://community.letsencrypt.org/
All the best, Let’s Encrypt
Thank you for your efforts, I am very happy to know this news.
Hi there, I just ran into the Let's Encrypt rate limit while requesting a new certificate. Maybe it can be bumped?