AcmeProtocolException: Error creating new order :: too many certificates already issued for exact set of domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.eventshoppee.com

I ran this command: wacs.exe --target manual --host www.eventshoppee.com --validation filesystem --webroot "XXX" --store pemfiles,certificatestore --pemfilespath "XXX"

It produced this output: [INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.0.7.315 (RELEASE)
[INFO] IIS not detected
[INFO] Please report issues at https://github.com/PKISharp/win-acme

[INFO] Running in mode: Unattended
[INFO] Target generated using plugin Manual: www.eventshoppee.com
[EROR] AcmeProtocolException: Error creating new order :: too many certificates already issued for exact set of domains: www.eventshoppee.com: see https://letsencrypt.org/docs/rate-limits/

Ran https://crt.sh/?q=eventshoppee.com but it returned 0 rows (while running the initial command it failed a couple of times due to incorrect parameters but never completed successfully. The first time it ran, it gave this error)

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

crt.sh is a bit backlogged at the moment:

https://crt.sh/monitored-logs

You can see them if you search other CT monitors, though, e.g.:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.eventshoppee.com&lu=cert_search

https://sslmate.com/certspotter/api/

Edit: You searched crt.sh for “eventshoppee.com” instead of “www.eventshoppee.com”, so the results would not have included these certificates even if it wasn’t backlogged.


Thanks for your reply. Can you please guide me on the next steps? There is nothing downloaded in the pemfiles folder.

Hi @RachitTech

you have created 5 identical certificates ( https://check-your-website.server-daten.de/?q=eventshoppee.com#ct-logs ):

| CertSpotter-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 987866806 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-06-26 15:19:15 | 2019-09-24 15:19:15 | www.eventshoppee.com - 1 entries | duplicate nr. 5 | next Letsencrypt certificate: 2019-07-03 14:36:34 |
| 987865807 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-06-26 15:18:45 | 2019-09-24 15:18:45 | www.eventshoppee.com - 1 entries | duplicate nr. 4 | |
| 987860949 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-06-26 15:14:23 | 2019-09-24 15:14:23 | www.eventshoppee.com - 1 entries | duplicate nr. 3 | |
| 987823604 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-06-26 14:40:41 | 2019-09-24 14:40:41 | www.eventshoppee.com - 1 entries | duplicate nr. 2 | |
| 987817998 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-06-26 14:36:34 | 2019-09-24 14:36:34 | www.eventshoppee.com - 1 entries | duplicate nr. 1 | |

But: All certificates are wrong, they have only the www domain name.

So you should create one certificate with both domain names (non-www and www).

Good: That’s a new set of domain names, so the current rate limit (one domain name) isn’t relevant.

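The point made in the last reply, that the limit is keyed on the exact set of names, worked through on the table's own data as an added example (not code from win-acme, Let's Encrypt or the checking tool linked above). It assumes a duplicate-certificate limit of 5 per sliding 7 days, treats notBefore as the issuance time as the table does, and ignores every other rate limit; all function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LIMIT = 5                    # assumed duplicate-certificate limit per exact name set
WINDOW = timedelta(days=7)   # assumed sliding window the limit applies to

# (notBefore, SAN names) copied from the CT table in the reply above.
CT_ENTRIES = [
    ("2019-06-26 15:19:15", ["www.eventshoppee.com"]),
    ("2019-06-26 15:18:45", ["www.eventshoppee.com"]),
    ("2019-06-26 15:14:23", ["www.eventshoppee.com"]),
    ("2019-06-26 14:40:41", ["www.eventshoppee.com"]),
    ("2019-06-26 14:36:34", ["www.eventshoppee.com"]),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def name_set(names):
    """Order- and case-insensitive key: the 'exact set of domains'."""
    return frozenset(n.lower().rstrip(".") for n in names)


def duplicate_status(entries, now):
    """Map each exact name set to (certs inside the window, next allowed time or None)."""
    by_set = defaultdict(list)
    for not_before, names in entries:
        by_set[name_set(names)].append(parse(not_before))
    status = {}
    for key, times in by_set.items():
        recent = sorted(t for t in times if now - WINDOW < t <= now)
        # Blocked until the LIMIT-th most recent certificate leaves the window.
        next_ok = recent[-LIMIT] + WINDOW if len(recent) >= LIMIT else None
        status[key] = (len(recent), next_ok)
    return status


def can_issue(names, entries, now):
    """True if this exact name set is under the duplicate limit at 'now'."""
    _, next_ok = duplicate_status(entries, now).get(name_set(names), (0, None))
    return next_ok is None


if __name__ == "__main__":
    now = parse("2019-06-26 16:00:00")   # constructed 'current time' for the demo
    for key, (count, next_ok) in duplicate_status(CT_ENTRIES, now).items():
        print(sorted(key), count, next_ok)
    print(can_issue(["eventshoppee.com", "www.eventshoppee.com"], CT_ENTRIES, now))
```

Run against the five entries, the www-only set is blocked until 2019-07-03 14:36:34, the same time the table reports, while the two-name set is a different key and is not blocked.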