DDNS Rate Limited #1607

Closed
SysVoid opened this Issue Nov 24, 2015 · 25 comments

@SysVoid

commented Nov 24, 2015

The domain ddns.net is being rate limited, which seems weird to me since it's part of a large dynamic DNS provider (no-ip.com).

An unexpected error occurred.
Error: rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: ddns.net
Please see the logfiles in /var/log/letsencrypt for more details.

Can ddns.net be limit free?

@pfigel

Contributor

commented Nov 24, 2015

Rate limits are enforced on a "TLD + 1" level based on the public suffix list (including private suffixes, from how I understand the code).

Dynamic DNS providers can request to be added to this list here.

You could

  • try contacting no-ip and check if they're willing to add their domains,
  • switch to a provider already on the list (at a glance: DynDNS, probably others too),
  • or wait for GA, where rate limits will probably be relaxed a bit, and rush to get a cert 😄
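
The "TLD + 1" bucketing described in the comment above, as an added example that is not part of the original thread and is not boulder's code. It uses a simplified matcher (plain suffix rules only), constructed host names, and an illustrative limit of 2 to show how listing `ddns.net` as a private suffix changes which requests share a rate-limit bucket.

```go
package main

import (
	"fmt"
	"strings"
)

// registeredDomain returns the "TLD + 1" name: the longest matching public
// suffix plus one more label. Simplified: plain rules only, no wildcard or
// exception rules. Returns "" when the name is itself a public suffix.
func registeredDomain(name string, suffixes map[string]bool) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
	for i := 0; i < len(labels); i++ { // longest candidate suffix first
		if suffixes[strings.Join(labels[i:], ".")] {
			if i == 0 {
				return ""
			}
			return strings.Join(labels[i-1:], ".")
		}
	}
	if len(labels) < 2 { // default rule: the last label is the suffix
		return ""
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// refused replays certificate requests against a per-registered-domain limit
// and returns the names that would be answered with rateLimited.
func refused(names []string, suffixes map[string]bool, limit int) []string {
	issued := map[string]int{}
	var out []string
	for _, n := range names {
		key := registeredDomain(n, suffixes)
		if issued[key] >= limit {
			out = append(out, n)
			continue
		}
		issued[key]++
	}
	return out
}

func main() {
	// Constructed sample data; the limit of 2 is illustrative, not the CA's value.
	names := []string{"alice.ddns.net", "bob.ddns.net", "carol.ddns.net", "www.example.com"}
	before := map[string]bool{"com": true, "net": true}
	after := map[string]bool{"com": true, "net": true, "ddns.net": true}
	fmt.Println("without private suffix:", refused(names, before, 2))
	fmt.Println("with ddns.net listed:  ", refused(names, after, 2))
}
```
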
@SysVoid

Author

commented Nov 24, 2015

@PatF I'll contact no-ip.
Thanks!

@SysVoid SysVoid closed this Nov 24, 2015

@kaefert

commented Nov 24, 2015

Hey there! Had the same problem (for a *.no-ip.org domain) and contacted no-ip about it.
They said that they do not allow for SSL certificates to be purchased for their domain names.

They said that the SSL certificate cannot be generated since No-IP owns the domain. In order to issue an SSL certificate you need to be able to confirm you own the domain. Since the domain is owned by No-IP this cannot be confirmed.

So either they have no idea what I was asking for, or they don't want to allow this on purpose.

@SysVoid

Author

commented Nov 25, 2015

@kaefert yeah, they said the same to me.

I'm going to continue with my attempt to get the message through to them.

@marco44

commented Nov 25, 2015

I'm off to duckdns. Luckily, there are very few users using my address yet.

@kaefert

commented Nov 25, 2015

@marco44 I'm not sure if this can be a permanent solution, even if you are one of the lucky firsts of your domain.

--> The certificates have a short life span. I think the first time the letsencrypt client tries to renew your certificate it will run into the same problem we are facing now with no-ip domains.

@marco44

commented Nov 25, 2015

duckdns is in the publicsuffix list… I guess it should work. I will know in a few days :)

@kaefert

commented Nov 25, 2015

@marco44 ahh! Okay, well then of course I guess it should work! 👍

@Mikaela

commented Nov 27, 2015

As a workaround, you could register your own domain and make CNAMEs from it to your dyndns.

For top level domains, only CloudFlare supports CNAMEs with their CNAME flattening, but as they aren't a registrar, you must register the domain somewhere else (I personally like Gandi) and point it to them.

@noipcom

commented Dec 4, 2015

No-IP has requested their Enhanced and Free domains be added to public suffix list in publicsuffix/list#64

@rapiertg

commented Dec 4, 2015

Just got this message:

"Hello,

We have added our No-IP free and Enhanced Domains to publicsuffix.org. If you have any further questions or issues please let us know."

@SysVoid

Author

commented Dec 5, 2015

Neat.

@Panderine

commented Jan 12, 2016

Great news! Waiting for the good to go ;)

@yookoala

commented Apr 28, 2016

Any news on this issue? I've just checked and the rate limit is still here.

@yookoala

commented Apr 28, 2016

For anyone who is interested:

  1. letsencrypt references public_suffix_list.dat (Public Suffix List Project) for rate-limit exceptions.
  2. noip.com domains are not in public_suffix_list.dat. @noipcom has submitted PR publicsuffix/list#64, which is yet to be merged.
  3. @weppos and other publicsuffix contributors there were discussing "what's the best way to proceed given the large amount of requests". There seems to be some progress in the discussion. The pull request has been recently updated according to publicsuffix requests.
  4. We have to wait for publicsuffix to merge that. There is nothing we can do to make it faster.
@yookoala

commented May 26, 2016

The noip.com domains are on the public suffix list now, but when I try to issue a certificate for my no-ip.org domain, I still get the ratelimit error:

Error 429 - urn:acme:error:rateLimited - Error creating new cert :: Too many certificates already issued for: no-ip.org

What can be the problem?

@kaefert

commented May 26, 2016

The letsencrypt developers will need to merge the new changes to the public suffix list before the rate limits can reflect that.

I've looked a little bit at the code and I think it needs to be merged into this file:
https://github.com/golang/net/blob/master/publicsuffix/table.go

The latest change to that file was from this commit from March 4th:
letsencrypt/net@d58ca66

@yookoala

commented May 26, 2016

Thanks @kaefert. But there will be a problem with this approach.

If letsencrypt is going to just use publicsuffix from golang/net, there will be a problem. According to @bradfitz in golang/net#15518, they have no intention to keep re-generating their publicsuffix frequently. That means if letsencrypt is using the exact version of publicsuffix in golang/net, it will almost never be updated.

The sensible solution would be either:

  1. To generate the table.go locally instead of using the upstream generated list.
  2. To use the latest publicsuffix dynamically instead of hard-coding it into the source.
@yookoala

commented May 26, 2016

I think the situation has changed. The problem is no longer about the publicsuffix update, but how certbot can keep up with the latest publicsuffix list. I propose to re-open this issue and properly handle it. Thanks.

@weppos

commented May 26, 2016

> The sensible solution would be either:
>
> To use the latest publicsuffix dynamically instead of hard-coding it into the source.

That's definitely a more flexible and maintainable approach. Unfortunately, the public suffix library built into go doesn't allow it.

That's why I created https://github.com/weppos/dnsimple-go, see #1479. @jsha is already aware of the lib, and I'm open to feedback to make the adoption of the lib easier.

@pfigel

Contributor

commented May 26, 2016

> I propose to re-open this issue and properly handle it.

This is an issue in boulder, not certbot, which doesn't manage rate limits. letsencrypt/boulder#1479 would be the appropriate issue for this.

@gerroon

commented Jun 25, 2018

Can you please increase the rate limits for ddns? I have been trying to get LE certs for my home server for months :( I keep hitting rate limits. I already contacted ddns providers. So I am out of luck, it seems like it would be much nicer if LE just limit us this way.

Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for: mooo.com: see https://letsencrypt.org/docs/rate-limits

@yookoala

commented Jun 25, 2018

@gerroon: I don't think LE should increase the rate limit because of this. If you read the discussions in this post carefully, DDNS are meant to be registered and would be handled differently.

If I'm not mistaken, after letsencrypt/boulder#1479, the boulder will use the live version of publicsuffix.dat through @weppos's weppos/dnsimple-go library. So you should advise the owner of mooo.com to properly file their DDNS domains under the publicsuffix list. Then LE will properly treat each subdomain in mooo.com as a different domain, with a separate rate limit.

@yookoala

commented Jun 25, 2018

@gerroon: If they have doubts, please kindly suggest that they read publicsuffix/list#64, the relevant pull request done by No-ip for their DDNS domains.

@gerroon

commented Jun 25, 2018

@yookoala
Thanks for the insightful reply. I will follow your recommendations.
