Accidental re-creation of infra

Hey!

We have made a mistake and accidentally re-created some of our infra around 10 times due to some bad Terraform provider :smiling_face_with_tear:

Since we have automated certificate provisioning with LE, we re-issued our cert around 10 times (successfully) and then we were blocked by LE for a week.

Unfortunately we do not have the private keys of any of the previous revisions so we can't really switch back to the latest certificate.

Can you please unblock our domain: xxxxx

Apologies if this is the wrong board.

Take care!

1 Like

Hello @tint24, welcome to the Let's Encrypt community. :slightly_smiling_face:

Sorry that is not possible. :frowning:

Please see Rate Limits - Let's Encrypt and Duplicate Certificate Limit - Let's Encrypt

4 Likes

Also for future reference please use the Staging Environment - Let's Encrypt for testing.

4 Likes

That is NOT an option.

But you do have options to get a cert today:

  • use another free CA
    [LE is NOT the only free CA on the Internet]
    [it is the best! (clearly), but not the only one - LOL]

  • change the set of names in the request
    [add or remove a name from the list]

6 Likes

Unless they reissued 5 certs 10 times from the same domain, hitting the max. 50 certs per domain per week limit.

Unless those 9 certs count as renewals :thinking: The exact error message would help, but it probably wouldn't change the outcome.

3 Likes

It only "looks" like 10 in the default crt.sh output.
But that is actually only 5 certs.

4 Likes

5 Precertificate and 5 Leaf certificates; which as @rg305 pointed out is only equal to a total of 5 issued certificates. :slight_smile:

3 Likes

That is strange because we did around 10 re-creations of our VM that had only one domain configured there. The error we got was:

module.vm_mattermost_setup_mattermost.null_resource.script (remote-exec): An unexpected error occurred:
module.vm_mattermost_setup_mattermost.null_resource.script (remote-exec): Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: xxxxxx, retry after 2024-02-03T01:10:59Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/

Changing to another CA would be a lot of change for us as we have wrapped everything with LE :frowning_with_open_mouth:

@rg305 do you mean to add another domain or switch to www.?

^^ 5 ^^

LE won't let you issue more than that [per seven-day period]

Please explain.
I mean: A globally signed cert is a globally signed cert - they are all created equally - LOL

Either one would work.

4 Likes

@rg305 I will try that, thank you!

3 Likes

Another workaround is to add another valid hostname (e.g. temp.chat.rso.dev also resolving to the same IP) to your certificate; this will be seen as a new order. You can take it out later once things have settled down.

For potentially ephemeral infrastructure I recommend acquiring certs and storing them either in a persistent volume or a secrets store, with renewal independent from the service that requires them. That way you can recreate your infrastructure as often as you like.

4 Likes
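The counting discussed in this thread, as an added example that is not part of any post above and is not Let's Encrypt's code: a pre-flight check a provisioning script could run before placing an order. The entry fields (`serial`, `kind`, `names`, `issued_at`), the sample rows and the simple sliding-window model are assumptions made for illustration; the CA's own response remains authoritative.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 5                      # "too many certificates (5)" in the error above
WINDOW = timedelta(hours=168)  # "in the last 168 hours"

def name_set(names):
    """The limit is per exact set of names; order and case do not matter."""
    return frozenset(n.lower().rstrip(".") for n in names)

def issuances(entries, names):
    """Issue times for this exact name set, one per serial number.

    CT search output shows a precertificate and a leaf certificate for each
    issuance; they share a serial, so 10 rows can be only 5 certificates.
    """
    wanted, by_serial = name_set(names), {}
    for e in entries:
        if name_set(e["names"]) == wanted:
            seen = by_serial.get(e["serial"], e["issued_at"])
            by_serial[e["serial"]] = min(seen, e["issued_at"])
    return sorted(by_serial.values())

def preflight(entries, names, now):
    """Return (allowed, retry_after), modelling the limit as a sliding window."""
    recent = [t for t in issuances(entries, names) if now - t < WINDOW]
    if len(recent) < LIMIT:
        return True, None
    # A slot frees when the LIMIT-th most recent issuance leaves the window.
    return False, recent[-LIMIT] + WINDOW

def sample_entries():
    """Constructed data: 5 issuances, each listed as precert and leaf."""
    base = datetime(2024, 1, 27, tzinfo=timezone.utc)
    return [{"serial": f"serial-{i}", "kind": kind,
             "names": ["chat.example.test"],
             "issued_at": base + timedelta(minutes=10 * i)}
            for i in range(5) for kind in ("precert", "leaf")]

if __name__ == "__main__":
    now = datetime(2024, 1, 27, 2, tzinfo=timezone.utc)
    rows = sample_entries()
    print(preflight(rows, ["chat.example.test"], now))
    print(preflight(rows, ["chat.example.test", "temp.chat.example.test"], now))
```
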

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.