vancluever / terraform-provider-acme-old

ACME (Let's Encrypt) Support for Terraform

Error 429 - urn:acme:error:rateLimited - Error creating new cert :: too many certificates already issued for exact set of domains #23

Closed scream314 closed 6 years ago

scream314 commented 6 years ago

I did some tweaking on my Terraform config yesterday and wanted to continue today. As I issued the first terraform plan it failed with the error in the subject. I am aware of this rate limit, I checked my domain on https://crt.sh, and it shows that I have requested certs for the exact same domains 5 times within a day. What I do not understand is that the first request was at Nov 29 ~09:45 2017 GMT. According to my knowledge I renewed my cert sometime around Nov 30 01:30-03:00 2017 GMT.

Why are there these cert requests? Is there any workaround, or MUST I wait 7 days? Actually this does not cause any real issues (yet), it is just annoying that I cannot do terraform plan (only terraform plan --target=any_resource_but_acme_cert). In theory changing the SAN list (as I am using a few already) would result in a different set of domains, so it won't be affected by the rate limit. I already tried it, added a new name to the SANs (actually I wanted to add it a week ago, but I forgot), but as I do a terraform plan --target=acme_cert --out=tf.o it fails with the same error, and the new SAN is not in the "exact set of domains". I guess it fails already during the refresh, but I cannot understand why it does not pick up the updated SAN list.

vancluever commented 6 years ago

Hey @scream314, sorry for the (lengthy) delay on this.

I can't really comment on the policy of Let's Encrypt or any other Boulder CA that you might be using this with.

In regards to certificate semantics, while updating the SAN list would change the certificates on the domain technically, it would not necessarily change things like the certificate's actual subject/common name, or the number of certificate attempts made against any of the other domains in your SAN list, so it makes sense that you may still be running into this sort of error. The only way that I could think of you being able to 100% work around this kind of limit is to break your certificates out into a single certificate per domain.

Also, remember, if you are testing your configuration, it's best not to do this on LE's live servers, probably for the reasons that you ran into. As mentioned in the README, make sure to use the staging servers at https://acme-v01.api.letsencrypt.org/directory.

Thanks!
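Both posts above turn on the same question: how many certificates for the *exact set of domains* have been issued in the last 7 days, and whether changing the SAN list produces a different set. The following is an added example, not code from this repository or from either commenter, that models that one rule over constructed certificate-transparency records (the record fields `not_before` and `names` and the sample timestamps are assumptions, not crt.sh's real schema; the limit of 5 per 7 days and the evaluation time `NOW` are constants you would adjust). It treats the domain set as case- and order-insensitive and reports when the oldest blocking issuance ages out, which is the pre-apply check you would want before a `terraform plan` touches the certificate resource. It models only the duplicate-certificate limit; other limits the CA enforces are not represented.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like what one might collect from a CT log
# search. The timeline mirrors the issue: five issuances for the same pair of
# names within about a day, one much older record, and one with an extra SAN.
SAMPLE_CERTS = [
    {"not_before": "2017-11-29T09:45:00", "names": ["example.test", "www.example.test"]},
    {"not_before": "2017-11-29T11:10:00", "names": ["www.example.test", "example.test"]},
    {"not_before": "2017-11-29T18:30:00", "names": ["example.test", "www.example.test"]},
    {"not_before": "2017-11-30T01:40:00", "names": ["example.test", "www.example.test"]},
    {"not_before": "2017-11-30T02:55:00", "names": ["example.test", "www.example.test"]},
    {"not_before": "2017-11-20T08:00:00", "names": ["example.test", "www.example.test"]},  # outside window
    {"not_before": "2017-11-30T03:10:00", "names": ["example.test", "www.example.test", "api.example.test"]},
]

DUPLICATE_LIMIT = 5            # assumed: 5 certificates per exact set of names
WINDOW = timedelta(days=7)     # assumed: rolling 7-day window
NOW = datetime(2017, 11, 30, 12, 0, 0)  # constructed evaluation time


def domain_set(names):
    """Normalize a SAN list into the 'exact set of domains' key.

    Case and order do not matter, and a trailing dot is stripped, so
    ["WWW.example.test", "example.test."] equals ["example.test", "www.example.test"].
    """
    return frozenset(n.strip().lower().rstrip(".") for n in names)


def _in_window_issuances(certs, names, now):
    """Sorted issuance times for certs whose SAN set equals `names`, within the window."""
    key = domain_set(names)
    start = now - WINDOW
    times = []
    for cert in certs:
        issued = datetime.fromisoformat(cert["not_before"])
        if domain_set(cert["names"]) == key and start < issued <= now:
            times.append(issued)
    return sorted(times)


def issuances_in_window(certs, names, now=NOW):
    """How many certificates for exactly this set of names were issued in the window."""
    return len(_in_window_issuances(certs, names, now))


def duplicate_limit_hit(certs, names, now=NOW):
    """True when one more issuance for this exact set would exceed the limit."""
    return issuances_in_window(certs, names, now) >= DUPLICATE_LIMIT


def earliest_retry(certs, names, now=NOW):
    """ISO timestamp at which the oldest blocking issuance ages out of the window.

    Returns `now` when the limit is not currently reached.
    """
    times = _in_window_issuances(certs, names, now)
    if len(times) < DUPLICATE_LIMIT:
        return now.isoformat()
    # The issuance that must leave the window before another duplicate is allowed.
    oldest_blocking = times[len(times) - DUPLICATE_LIMIT]
    return (oldest_blocking + WINDOW).isoformat()


if __name__ == "__main__":
    for names in (["example.test", "www.example.test"],
                  ["example.test", "www.example.test", "api.example.test"]):
        print(sorted(domain_set(names)),
              "issued in window:", issuances_in_window(SAMPLE_CERTS, names),
              "limit hit:", duplicate_limit_hit(SAMPLE_CERTS, names),
              "earliest retry:", earliest_retry(SAMPLE_CERTS, names))
```

Run against real data, the `SAMPLE_CERTS` list would be replaced by records pulled from a CT log search for the domains in the SAN list; the point of the check is to run it before the plan rather than learning about the limit from the 429 during refresh. Note that the three-name set is counted separately from the two-name set, which is the "different set of domains" reasoning in the original post; whether the CA applies further limits on top of that is outside what this check models.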