
How to check the current state of the rate limits of Let's Encrypt for your domain and subdomains

In the last few days, I had to migrate multiple websites, each of which is hosted under a subdomain of the principal domain. Our domain is example.com and each system is hosted under system1.example.com, system2.example.com ... system8.example.com. Some of the systems were hosted in different root domains, such as example2.com, example3.com, etc.

Since the beginning of the business, to reduce costs we've been using Let's Encrypt as the issuer of the SSL/TLS certificates for each of the subdomains. It has been running the same way for the last few years. However, after migrating the systems from the other root domains to example.com, I had to create a new certificate for each subdomain, and then an error that I had never seen before appeared when I tried to request a new certificate for a subdomain:

[Image: Could not issue certificate, Let's Encrypt rate limit]

The thrown exception was caused by a rate limitation imposed by Let's Encrypt when trying to request a new certificate for my subdomain. According to the official limits of Let's Encrypt, a registered domain can issue only up to 50 certificates per week.

[Image: Let's Encrypt guidelines on certificates per domain]

Obviously this was a problem because all of our websites relied on Let's Encrypt to issue the certificates. Instead of buying a wildcard SSL certificate, I was ordered to just wait until the limit disappeared. So I needed to find a way to know if the limit was already over, or what the current status of my domain in Let's Encrypt was. That's when I found a useful shell script named Lectl.

Checking all the certificates with Lectl

Lectl is a script that uses the crt.sh website to perform these checks. It offers command-line options to customize the search, including filters for expired certificates, sorting by date, and limiting the number of results shown. It's particularly useful for web administrators, developers, security teams, and IT professionals who manage websites and need to ensure that their domains' SSL/TLS certificates are valid and up to date, in environments such as server farms, cloud-based services, and any other platform where secure web communication is crucial. It helps in checking the issuance and expiry details of certificates issued by Let's Encrypt to maintain secure, trusted web connections.

All you need to do is download the lectl script using wget:

wget https://raw.githubusercontent.com/sahsanu/lectl/master/lectl

Or alternatively, if you use curl:

curl -O https://raw.githubusercontent.com/sahsanu/lectl/master/lectl

Once downloaded, run the tool, providing as the first argument the domain for which you want to check the number of Let's Encrypt certificates still available:

bash lectl domain.com

The duration for the lectl tool to run depends on several factors, including the number of certificates being checked and the response time of the crt.sh service it queries. Generally, if you're checking a large number of certificates or if the crt.sh service is experiencing high traffic, it may take longer to retrieve and display the data. For typical usage with a moderate number of certificates, the tool should complete its tasks in a reasonable amount of time.
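The check described above (counting the Let's Encrypt certificates that crt.sh lists for a domain within the last week against the limit of 50), written out as an added example; it is not Lectl's code and not part of the original article. The function name `rate_limit_status` is hypothetical, the rows are constructed in the shape of crt.sh's JSON output, and `not_before` is assumed to stand in for the issuance time, with every distinct certificate counted.

```python
import json
from datetime import datetime, timedelta

LIMIT = 50                  # certificates per registered domain per week (figure from the article)
WINDOW = timedelta(days=7)

LE = "C=US, O=Let's Encrypt, CN=R3"
OTHER = "C=US, O=Example CA, CN=Example Issuing CA"   # constructed non-Let's Encrypt issuer

# Constructed sample rows in the shape of crt.sh's JSON output. Real data would
# come from https://crt.sh/?q=example.com&output=json (timestamps are UTC).
SAMPLE = json.dumps([
    {"issuer_name": i, "serial_number": s, "common_name": n, "not_before": t}
    for i, s, n, t in [
        (LE,    "03aa", "system1.example.com", "2024-03-01T10:00:00"),  # precertificate entry
        (LE,    "03aa", "system1.example.com", "2024-03-01T10:00:00"),  # same cert, leaf entry
        (LE,    "03bb", "system2.example.com", "2024-03-03T08:30:00"),
        (LE,    "03cc", "system3.example.com", "2024-03-05T12:00:00"),
        (LE,    "03dd", "system4.example.com", "2024-02-20T09:00:00"),  # older than 7 days
        (OTHER, "0fee", "system5.example.com", "2024-03-04T00:00:00"),  # other CA, ignored
    ]
])


def rate_limit_status(crtsh_json, now, limit=LIMIT, window=WINDOW):
    """Count Let's Encrypt certificates issued inside the window ending at `now`."""
    issued = {}
    for row in json.loads(crtsh_json):
        if "Let's Encrypt" not in row["issuer_name"]:
            continue
        # crt.sh lists the precertificate and the final certificate separately;
        # both carry the same serial number, so key on it to count each cert once.
        issued[row["serial_number"]] = datetime.fromisoformat(row["not_before"])
    recent = sorted(t for t in issued.values() if now - window < t <= now)
    used = len(recent)
    # At the limit, a slot frees once enough of the oldest certificates leave the window.
    next_slot = recent[used - limit] + window if used >= limit > 0 else None
    return {"used": used, "remaining": max(limit - used, 0), "next_slot": next_slot}


if __name__ == "__main__":
    now = datetime(2024, 3, 6)          # fixed "current time" so the sample is reproducible
    print(rate_limit_status(SAMPLE, now))
    print(rate_limit_status(SAMPLE, now, limit=3))   # small limit to show the exhausted case
```

With the sample data, three certificates fall inside the window; lowering `limit` to 3 shows the exhausted case, where `next_slot` is the moment the oldest of them leaves the seven-day window.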

Happy coding ❤️!


Senior Software Engineer at Software Medico. Interested in programming since he was 14 years old, Carlos is a self-taught programmer and founder and author of most of the articles at Our Code World.
