ISRG celebrates 10 years of helping build a brighter Internet →

Duplicate Certificate Limit

Voir en Français

לעבור לעברית

使用简体中文阅读本网页。

Last updated: | See all Documentation

Description

All issuance requests are subject to a Duplicate Certificate limit of 5 per week. You should receive an error message like the following from your ACME client when you’ve exceeded the Duplicate Certificate limit:

too many certificates (5) already issued for this exact set of domains in the
last 168 hours: example.com login.example.com: see https://letsencrypt.org/docs/duplicate-certificate-limit

The “exact set” that this error refers to is the set of hostnames requested for this certificate: in this example, example.com and login.example.com. If your certificate is issued for only 1 name, such as example.com, then the “exact set” of hostnames for your certificate would be [example.com]. This rate limit is exceeded when a subscriber requests a certificate for the same “exact set” of hostnames more than 5 times in a single week.

Common Causes

Subscribers who hit the Duplicate Certificate limit often do so while attempting to troubleshoot the deployment of an application or service. Some examples:

If you encounter an error from your ACME client that you do not recognize and attempt to remove and reinstall your ACME client multiple times in the process of troubleshooting the error, you may exceed the Duplicate Certificate limit.

If you delete the configuration data for your ACME client after each failed attempt at installing a certificate, you will hit this rate limit after five failed attempts. It’s best to make a copy of configuration data before deleting it, so you can access previously issued certificates and private keys if you need to.

When troubleshooting or testing the deployment of your applications we encourage you to configure your ACME client to use our staging environment. Rate limits for our staging environment are significantly higher.

Requesting Help

If you’re not sure how to configure your ACME client to use our staging environment or you need some help debugging, we encourage you to request help on our community forum.

Requesting an Override

Overrides are not available for the Duplicate Certificate limit.

Workaround

Revoking the previously issued certificates will not reset the Duplicate Certificate limit. However, if you find that you’ve exceeded the limit and you still require another certificate for the same hostnames you can always request a certificate for a different “exact set” of hostnames. For example, if you’ve exceeded the Duplicate Certificate limit for [example.com] then requesting a certificate for [example.com, login.example.com] will succeed. Similarly, if you’ve exceeded the Duplicate Certificate limit for [example.com, login.example.com] then requesting a separate certificate for [example.com] and another for [login.example.com] will succeed.

Monitoring Rate Limits

We do not offer a way to monitor subscriber rate limits at this time.