Let's Encrypt max of 20 requests per week

cDGo

Hi,

I've got a user with many domain pointers.
Let's say 15 pointers.

Suppose I want to start using LE for this user.
Then I think that at least it takes 2 entries per domain name for LE.
So 16 domains in total are 32 entries.
With the max of 20 per week, it sounds like a problem?

How to deal with this?
 
Hello,

Full list of limits can be found here: https://letsencrypt.org/docs/rate-limits/

They allow up to 100 Names per Certificate.

They say:

The main limit is Certificates per Registered Domain, (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.


so ... you can issue certificates containing up to 2,000 unique subdomains per week.
 
Sorry to necro this old thread, but I'd like to ask how to most cleanly circumvent this restriction on a one time basis.

Would it be safe to simply remove the file `/usr/local/directadmin/data/admin/letsencrypt_rate_limits/DOMAIN.COM/weekly_domain_count` or more specifically the DOMAIN.COM subdirectory?
 
It's limited from Let's Encrypt's server side. Just wait and try later.
 
Actually no. In this case it is a Direct Admin limitation, hence why I am asking here.

I think that you should make your own post instead of reviving a 2018 post, so that you can better describe your problem and get a more up-to-date answer.

Perhaps you would want to better explain to us why you think that it is a DirectAdmin limitation, since the block comes effectively from Let's Encrypt and not DirectAdmin. If you are talking about the "renewal" part in the UI, you can still force a renewal before the proposed automatic renewal date.
 
Perhaps you would want to better explain to us why you think that it is a DirectAdmin limitation, since the block comes effectively from Let's Encrypt and not DirectAdmin.


So this limit is controlled by the file at the location I noted above in my earlier reply. My very specific question is if it is safe to delete this dir/file or if there is more at play?

BTW, this is absolutely a DirectAdmin limitation as Let's Encrypt has a limit of 50 in fact.

Perhaps I should indeed ask in the Admin forum as this is likely more of an admin issue ... but then in theory everyone here is administering a DA install, so ....
 
That is only a webpage label that explains the limit to you; it is not DirectAdmin that applies the limit, it only counts.

As someone else told you, it is Let's Encrypt's server that applies the rate limitation, not DirectAdmin :)

PS: To answer your original question, no, deleting this file will not circumvent this restriction. (Since the block is done from Let's Encrypt's side)
 
As someone else told you, it is Let's Encrypt's server that applies the rate limitation, not DirectAdmin
I am afraid that you are simply mistaken. If you actually read what I wrote, you would realize this.
Thanks anyways!
 
We tried to help you and explain to you that the limitation is NOT happening on your server, but on the REMOTE server of Let's Encrypt.
Then explain please why this file exists on MY server and its purpose, since one of us clearly does not understand it seems.

/usr/local/directadmin/data/admin/letsencrypt_rate_limits/DOMAIN.COM/weekly_domain_count

Here is some additional reading material which leads me to believe that this file is what is preventing requests to Let's Encrypt ... https://www.directadmin.com/features.php?id=2975
 
Then explain please why this file exists on MY server and its purpose, since one of us clearly does not understand it seems.

/usr/local/directadmin/data/admin/letsencrypt_rate_limits/DOMAIN.COM/weekly_domain_count

Here is some additional reading material which leads me to believe that this file is what is preventing requests to Let's Encrypt ... https://www.directadmin.com/features.php?id=2975

Hmmmm, that is new.

Alright, you get a point (you were right, and I was wrong, honest thanks for the schooling), as it does seem that DirectAdmin has implemented a check to prevent you from hitting Let's Encrypt's limit repeatedly, which I would assume is more punitive than a simple warning from your DA console.

Reading the document you showed me, it clearly states that:

DISABLE
You can fully disable the DA limit enforcement by setting:

/usr/local/directadmin/directadmin set letsencrypt_max_requests_per_week 0
service directadmin restart
 
Hi @arbours yes, thank you for pointing out that I could disable the rate limit, but that was not my question. If that was what I wanted to do I would have simply done so.

You edited your previous response, but in response to it I simply threw caution to the wind and deleted the directory in question ... and the SSL certificate was issued immediately. So again, this is not a limit set by Let's Encrypt as I have said consistently.

I needed to know if deleting that dir/file would cause any issues, but I suppose that I will find out the hard way if it does. But for now, it solves the issue at hand.
 
My edited part was to thank you for pointing out a new feature that was introduced in 1.62.

IMO: You shouldn't have deleted the file. If you were looking for a one-time fix, it would have been better to disable the check by setting letsencrypt_max_requests_per_week to 0, do the certificate request, and then re-enable it (or simply increase the limit), so that you can keep the current rate hitting protection in place, without deleting anything.

LetsEncrypt has a rate limit of 50 requests per week, per main domain. https://letsencrypt.org/docs/rate-limits/

DirectAdmin already had this directadmin.conf option: letsencrypt_max_requests_per_week=100 but it's now been changed to 200, and will now enforce the limit: letsencrypt_max_requests_per_week=200

In other words, the limit from DirectAdmin is greater than the 50 max requests per week per main domain, because it is global and probably protects against DoS abuse.

As stated on Let's Encrypt's website:

The main limit is Certificates per Registered Domain (50 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain. Exceeding the Certificates Per Registered Domain limit is reported with the error message too many certificates already issued, possibly with additional details.

You can create a maximum of 300 New Orders per account per 3 hours. A new order is created each time you request a certificate from the Boulder CA, meaning that one new order is produced in each certificate request. Exceeding the New Orders limit is reported with the error message too many new orders recently.

You can combine multiple hostnames into a single certificate, up to a limit of 100 Names per Certificate. For performance and reliability reasons, it’s better to use fewer names per certificate whenever you can. A certificate with multiple names is often called a SAN certificate, or sometimes a UCC certificate.

Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains.

Now, when you run a shared hosting server, you may run into these special rate limits; LE says that you shouldn't, but I already ran into them:

You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design using one account for many customers. Exceeding these limits is reported with the error message too many registrations for this IP or too many registrations for this IP range.

You can have a maximum of 300 Pending Authorizations on your account. Hitting this rate limit is rare, and happens most often when developing ACME clients. It usually means that your client is creating authorizations and not fulfilling them. Please utilize our staging environment if you’re developing an ACME client. Exceeding the Pending Authorizations limit is reported with the error message too many currently pending authorizations.
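
The arithmetic discussed in this thread (names per certificate versus certificates per registered domain), worked through as an added example that is not part of any post and is not DirectAdmin or Let's Encrypt code. The suffix set and hostnames are constructed, and the weekly limit is a parameter because the thread quotes both 20 and 50.

```python
from collections import Counter

# Constructed stand-in for the Public Suffix List; real tooling loads the full list.
SAMPLE_SUFFIXES = {"com", "org", "net", "co.uk"}
MAX_NAMES_PER_CERT = 100  # "Names per Certificate" figure quoted in the thread


def registered_domain(hostname, suffixes=SAMPLE_SUFFIXES):
    """Longest matching public suffix plus the one label to its left."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            if i == 0:
                raise ValueError(f"{hostname!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix for {hostname!r}")


def plan_certificates(hostnames, max_names=MAX_NAMES_PER_CERT):
    """Pack the unique hostnames into as few SAN certificates as possible."""
    names = sorted({h.lower().rstrip(".") for h in hostnames})
    return [names[i:i + max_names] for i in range(0, len(names), max_names)]


def certs_per_registered_domain(plan):
    """Count the certificates in the plan that touch each registered domain."""
    counts = Counter()
    for cert in plan:
        counts.update({registered_domain(name) for name in cert})
    return counts


def over_limit(plan, weekly_limit):
    """Registered domains that would need more certificates than weekly_limit."""
    counts = certs_per_registered_domain(plan)
    return {rd: n for rd, n in counts.items() if n > weekly_limit}


# Constructed sample: one main domain plus 15 pointers, each with its www name.
SAMPLE_HOSTS = [f"{p}pointer{i}.com" for i in range(16) for p in ("", "www.")]

if __name__ == "__main__":
    plan = plan_certificates(SAMPLE_HOSTS)
    print(len(plan), "certificate(s),", len(plan[0]), "names in the first")
    print("over a limit of 20:", over_limit(plan, weekly_limit=20))
```

The 32 names from the opening question fit in one certificate, so each of the 16 registered domains is charged a single certificate for the week.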
 