by Charles Oropallo | Oct 18, 2025 | Do-It-Yourself
If you secure many sites with free Let’s Encrypt SSL, you may hit a wall. Suddenly, certificate requests stop cold. One day everything works. The next, you see rate-limit errors and wonder what happened.
Here’s the thing. Let’s Encrypt secures over 350 million websites with free SSL. To keep things stable and safe, they enforce strict rate limits. These limits can surprise even seasoned developers. They bite hardest when securing many domains or subdomains at once.
Understanding these limits prevents headaches. It also keeps your sites secure and your business running. I’ll explain what the limits mean. I’ll share five practical steps to avoid SSL issues before they happen.
What Are Let’s Encrypt Rate Limits?
Think of Let’s Encrypt rate limits like a busy restaurant. It can serve only so many guests each hour. They are not there to hassle you. They ensure fair access and protect the system.
The key limit is 50 certificates per registered domain every 7 days. “Registered domain” means your eTLD+1, or main domain. If you own example.com, all subdomains share that weekly pool. That includes www, blog, and shop subdomains.
That’s not the only limit. You get 5 failed validation attempts per domain per hour. Repeated failures trigger a temporary lockout. Common causes include DNS or firewall issues. There’s also a duplicate certificate limit of 5 per week. Renewals do not count against the 50-certificate quota.
Account creation is limited too: 10 accounts per IP every 3 hours. This prevents abuse through mass accounts. It can also affect legitimate teams that need several accounts.
Step 1: Use Wildcard Certificates for Multiple Subdomains
Here’s your first defense against rate limits. Use a single wildcard certificate, not many subdomain certificates. One wildcard covers all subdomains under your domain.
A wildcard for *.example.com secures www, blog, shop, and new subdomains. You issue only one certificate. This slashes issuance volume and stays within Let’s Encrypt limits.
Even better, a single certificate can list up to 100 domains. Managing many brands? Combine domains into fewer certificates. One cert can cover yourcompany.com, .net, and .org.
Look at your setup. Are you requesting one certificate per subdomain? If so, you burn limits quickly. Switching to wildcard certificates is often the top fix.
Step 2: Test in the Staging Environment First
Before deploying live, test in Let’s Encrypt’s staging environment. It’s a safe practice kitchen. Mistakes don’t affect customers.
Staging has relaxed limits: 50 new registrations per IP per 3 hours. Production allows only 10. Use staging to test SSL, fix DNS, and refine deployment.
Many teams skip this step in a rush to go live. That’s when rate-limit problems strike. You issue, it fails, you retry, and hit five failures. Now you must wait.
Follow this rule. Do not issue a production certificate until staging succeeds. Spend 15 extra minutes. It could save days later.
Step 3: Implement Protective Safeguards
Smart hosting platforms add safeguards to prevent runaway certificate requests. You should do the same.
Many platforms lock SSL provisioning after three failures. They stop before Let’s Encrypt’s limit of five. That buffer prevents retry loops and protects weekly limits.
If you manage SSL yourself, add similar safeguards. Monitor requests per domain and per week. Create alerts near the limits. Add automatic delays between retries.
Do not rely on manual steps. SSL issues feel urgent, and pressure creates mistakes. Automation removes human error in Let’s Encrypt rate-limit management.
Step 4: Monitor and Space Out Certificate Requests
If you manage many sites or a SaaS, timing matters. Be strategic with certificate requests. Avoid securing everything at once.
Let’s Encrypt allows 10 certificates per IP every three hours. Migrating dozens at once? Pace your requests. Spread them over days, not one afternoon.
Keep detailed logs of issuance times and domains. This is essential for weekly limits. Know exact counts for each domain over seven days before requesting more.
Use a spreadsheet or database to track issuance dates, renewals, and limit usage. Seeing requests visually helps avoid accidental Let’s Encrypt limit hits.
Step 5: Fix Root Causes Before Retrying Failed Requests
This might be the most important step. When provisioning fails, do not retry immediately. The seven-day window also tracks failed attempts per domain.
Instead, find and fix the root cause. Common causes include DNS mistakes, blocked HTTP validation, or domain verification issues. Retrying without fixes only wastes your limits.
Some common issues to check when certificates fail:
- DNS records pointing to the correct IP address
- Firewall rules allowing HTTP validation on port 80
- Web server configuration properly handling validation requests
- Domain ownership verification working correctly
Follow this rule of thumb. Wait at least an hour between failures. Do not retry until you fix the specific problem. Many providers recommend this. It prevents accidental lockouts.
What Happens When You Hit Rate Limits
Despite your best efforts, you may still hit limits. When it happens, wait for the window to reset. The main certificate limit resets after seven days.
While you wait, consider alternatives. Issue wildcard certificates where missing. Consolidate domains into fewer certificates. For critical needs, consider a commercial CA as a temporary last resort.
Most important, learn from the incident. Review what happened. Update processes to prevent repeats. Confirm your safeguards work properly.
Remember, Let’s Encrypt rate limits keep the service stable for everyone. Follow the five steps. Use wildcards. Test in staging. Add safeguards. Monitor usage. Fix root causes early.
The key is proactive planning, not reactive troubleshooting. With preparation, you can keep sites secure without hitting these limits.
by Charles Oropallo | Jan 17, 2025 | Security, Technical Help
Recently, I encountered an issue while attempting to renew an SSL certificate for one of my domains, (let’s call it) testdomain.com, using Let’s Encrypt on a server running Virtualmin on Debian 12. The process was more complicated than I expected due to a small oversight that many others could easily make. This article details my experience, the errors I encountered due to Let’s Encrypt rate limits (which I didn’t know existed), and steps to avoid or resolve such issues.
The Problem: Let’s Encrypt Rate Limits for Failed Authorizations
A padlock that shows with an encrypted site using https in some browsers.Let’s Encrypt provides free SSL certificates for securing websites. However, it enforces rate limits to ensure fair usage and prevent abuse. While attempting to renew the SSL certificate for testdomain.com, I discovered that the DNS settings were not pointed to my server, causing repeated failed validation attempts. By the time I fixed the DNS settings, I had hit Let’s Encrypt’s rate limit for failed authorizations.
This limit restricts requests for the same domain to 5 failed attempts per hour. Once you hit this limit, you must wait for the cooldown period to expire before trying again.
How the Error Appeared in Virtualmin
In the Virtualmin interface, I attempted to renew the certificate by navigating to:
- Virtualmin > Server Configuration > SSL Certificate
- Clicking on the Let’s Encrypt tab
- Ensuring the domain and subdomain (e.g.,
testdomain.com and www.testdomain.com) were selected
- Clicking the Request Certificate button
The renewal process failed with an error that Virtualmin reported as “an unknown issue.” Upon further investigation, I found the detailed error logs in the Let’s Encrypt log file located at:
/var/log/letsencrypt/letsencrypt.log
From the log, I saw this message:
urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: too many failed authorizations (5) for "testdomain.com" in the last 1h0m0s, retry after [time].
Understanding Let’s Encrypt Rate Limits
Let’s Encrypt enforces several types of rate limits. Here are the key ones:
- Failed Validation Limit:
- 5 failed validations per domain per hour.
- This applies to any validation failure, such as DNS misconfigurations or inaccessible
.well-known/acme-challenge directories.
- Duplicate Certificate Limit:
- 5 identical certificates per week.
- If you request the same set of domains repeatedly, you’ll hit this limit.
- Certificates per Registered Domain:
- 50 certificates per registered domain per week.
- All subdomains count toward this limit.
- Account-Level Requests:
- 50 certificates per account per week.
These limits are described in detail at Let’s Encrypt’s rate limit documentation.
Diagnosing the Problem
If you encounter a similar issue, here are the steps to diagnose and resolve it:
1. Check DNS Settings
- Ensure the domain’s DNS A records correctly point to your server.
- Use tools like
dig or online DNS propagation checkers to verify.
2. Verify Webroot Accessibility
3. Examine Let’s Encrypt Logs
4. Check Cooldown Period
- If you’ve hit the rate limit, the log will indicate a
Retry-After time in UTC. Convert it to your local timezone to determine when you can retry.
5. Dry Run Your Request
Steps to Avoid Future Issues
1. Ensure DNS Settings Before Requesting Certificates
- Double-check that DNS records point to the correct server and have propagated globally before initiating an SSL request.
2. Test Webroot Configuration
- Verify that the
.well-known/acme-challenge/ directory is accessible for all domains you’re requesting.
3. Use the Dry-Run Option
- Always test with
--dry-run before making a live request to avoid hitting limits.
4. Automate Renewals
- Virtualmin and Certbot support automated renewals. Ensure the cron job is configured correctly and DNS remains stable.
5. Avoid Forcing Duplicate Requests
- Options like
--duplicate and --force-renewal can lead to unnecessary requests. Only use them when absolutely necessary.
Conclusion
Hitting Let’s Encrypt’s rate limits can be frustrating, but understanding the causes and solutions can save time and effort. By checking DNS settings, verifying webroot accessibility, and using dry runs, you can prevent failed authorizations and avoid cooldown periods.
If you’re using Virtualmin, remember to check the Let’s Encrypt logs for detailed error messages, and plan your certificate renewals carefully to stay within the rate limits. Hopefully, my experience with testdomain.com helps you navigate and prevent similar issues.
As always, proactive testing and attention to detail go a long way in maintaining a secure and smoothly running server.
by Charles Oropallo | Nov 12, 2020 | Do-It-Yourself, Technical Help, The CW Corner, Website Development, Website Updates, WordPress
Sometimes in a WordPress website an issue develops where when loading images into media library, only a blank thumbnail shows. It appears a space is created in the database for the picture but there is no content in it.
After testing compatibility of plugins, themes, php, etc., the problem persisted.
To resolve this, one can navigate here logged into WordPress as an administrator:
Go to Dashboard > Settings > Media
Make sure the correct default file path is showing there. When troubleshooting this issue on a site that was unable to upload media files, the file path was shown as:
/home/username/domains/thedomainname.com/private_html/wp-content/uploads
Note that the “username” and “thedomainname.com” in the above and below path examples will be the Linux username and the actual site domain name respectively that you are troubleshooting.
The fix
When this path was removed, the image file upload worked normally again and the problem appeared to be solved.
Possible Reasoning or Causes
In the DirectAdmin path structure, there are two places the website’s servable coding (like WordPress or HTML sites or Joomla, etc.) might be stored:
/home/username/domains/thedomainname.com/public_html
or
/home/username/domains/thedomainname.com/private_html
The “public_html” folder is where DirectAdmin normally places the website’s code (again, referring to all the files and programs that make up the actual WordPress or HTML or Joomla site’s coding, etc.).
The “private_html” folder is where DirectAdmin normally tries to place the website’s code when its content is encrypted. That’s why there is an option in DirectAdmin’s site control panel that allows one to “Use a symbolic link from private_html to public_html”. This option allows for using the same data in http and https.
The suspicion here is that a setting got changed or an update occurred causing the WordPress system to use the private_html setting when the site resides in public_html. Removing the file path from the settings forced WordPress to use where the system actually defaulted to – which cleared the problem.
We may never know how the setting actually got bunged up, but it is an easy fix once it is.
by Charles Oropallo | Feb 5, 2020 | Do-It-Yourself, Email, Internet, Monadnock Shopper News, Passwords, Security, Shopper News, The CW Corner, Website Development
I’ve written several articles about specific scams that are occurring on a regular basis on the Internet. They seem to subside for a short time – a very short time – and then a wave of them happens again.
One of the worst – as far as I am concerned – are the ones where the email recipient is being told they must verify their email. These have some common traits with most Internet scams:
1) A sense of urgency – they want you to take care of this immediately
2) A time limit – they give you within 24 hours to act
3) A threat – they tell you your email will be locked.
The first thing you have to understand is that nearly everyone gets these on occasion. I have received them myself in which they are made to look like they are from CharlesWorks. So when our clients get these they tend to become very worried very quickly.
I can’t stress enough that most legitimate companies will not send out messages like these. To fall prey to these can be a real nightmare. With access to one’s email these days the bad guys can wreak havoc in one’s life. The worst cases are called identity theft!
Don’t be the unfortunate one who falls prey to these scammers. If you have been “notified” of something serious – call your provider up and speak with a representative. Just like at my company – it’s a lot easier for us to allay your fears than to have to try to clean up the mess that can happen with compromised accounts.
by Charles Oropallo | Oct 2, 2019 | Internet, Monadnock Shopper News, Security, Shopper News, The CW Corner, Website Development
Website visitor safety is extremely important. I’ve mentioned terms here before like SSL, encryption, security and so on. These involve that little green or grey lock in front of the web address in your browser. Clicking on that tells you whether the encryption is valid and what site it’s issued to.
Providing encryption was traditionally expensive for website operators. However, it can be had for free these days. There’s no reason not to have it.
Encryption refers to a method on website servers that helps ensure you are actually on the website you think you are on. This greatly reduces the risks of fraud.
Ripping you off is a top priority for many nefarious individuals and organizations on the web. One method is tricking you into giving your credit card or other personal information on a “fake” site or web page. These pages often look exactly like those of your bank’s or credit card company’s or even your email’s login pages.
There’s usually a small one-time charge for initial setup. Website owners should check with their hosting company or web developer to ensure website encryption (SSL) is included in their monthly hosting at no extra charge. If need be, it’s worthwhile to move to a company whose hosting provides this.
European Union General Data Protection Regulation Compliant