Asus RT-AX88U Let's Encrypt cert stuck on authorizing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version): asus rt-ax88u

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Updated my router to the new version 3.0.0.4.386.41249 official
and the Let's Encrypt cert is stuck on authorizing.
It says to add --force to renew it in the logs.
I tried to do it with certbot in Windows but it says too many times.
Renew date in February 2021.
Can someone renew it please?
Thank you

bigcid10.ddns.net

Hi @bigcid10

you have created 5 identical certificates - see https://check-your-website.server-daten.de/?q=bigcid10.ddns.net#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| R3 | 2020-12-09 | 2021-03-09 | bigcid10.ddns.net - 1 entries | | |
| R3 | 2020-12-09 | 2021-03-09 | bigcid10.ddns.net - 1 entries | | |
| R3 | 2020-12-09 | 2021-03-09 | bigcid10.ddns.net - 1 entries | | |
| R3 | 2020-12-08 | 2021-03-08 | bigcid10.ddns.net - 1 entries | | |
| R3 | 2020-12-08 | 2021-03-08 | bigcid10.ddns.net - 1 entries | | |

Use one of these.

4 Likes

That's great, but how?
What's the process?
Thank you

1 Like

Please read about Let's Encrypt's issuance rate limits:

Since you have already reached the Duplicate Certificates limit for this name, you won't be able to issue a new Let's Encrypt certificate for this name (by itself) for another week. If you can find the existing certificates saved somewhere on the ASUS device, they should still be valid.

2 Likes

Check your Asus documentation. Or use an Asus forum.

I don't use that device.

2 Likes

OK, I can wait a week, will it automatically renew?
Thank you

That's wrong.

You have to find a solution to install the certificate, not only to create a certificate.

So if you do the same first part (with missing second part = installation) the next week again, you will have the same problem.

2 Likes

I have the same issue with my RT-AX86U router and ddns name gdt.asuscomm.com.
What should I do?

1 Like

If the certificates are getting issued by the Asus device software but then not actively used on the device, it seems like the Asus software has a bug (as it's an integrated solution that's failing to act in an integrated way). Is there a way to ask Asus or its community for help with this?

There is one change that recently happened in Let's Encrypt's services (a new intermediate certificate used to issue subscribers' certificates) which could have broken some software if it hard-coded too many assumptions about how Let's Encrypt works. I don't have any evidence that this is relevant to the problem that the two of you are experiencing, but the timing would match up if this worked well in the past and suddenly stopped working recently.

2 Likes

I'll try to ask in Asus forum, I'll report your answer.

3 Likes

The solution is built into the router interface.
You basically go to the WAN section, click on DDNS, put in your DDNS info
and then click on the get free cert from Let's Encrypt and it does the rest.
If you would normally do a firmware update, it's fine, no issues,
but with the changeover to 386 series code, I had to do a wipe and clean install.
That's when the issues arise.
I just get stuck on authorizing, so I did it again, same.
So there you go, log files say to use the --force renew switch.

It looks like it keeps expecting an X3-based cert and checks against it, which obviously fails; it then discards the cert and asks for a new one.

3 Likes

For the Asus users who might be missing context for that change:

About the last 16,000,000 certificates that Let's Encrypt has issued have used this new intermediate:

Let's Encrypt documentation has always advised client implementers to use the certificate chain provided by the CA (so that intermediates can change like this!), but some clients may have hard-coded references that require or assume the old X3 intermediate, in which case they will be broken from now on until these references are removed.

2 Likes

Then it's an Asus-client bug -> ask in the Asus forum.

1 Like

It can't be fixed from the client side, it has to be done from Let's Encrypt's end.

Please learn the basics of how Let's Encrypt works.

If a client is buggy, it's always a client problem.

PS: You have created new certificates. So it's only a buggy installation problem. Or you use the tool the wrong way.

1 Like

Why can't you just remove all the previous certs and leave one, so it can be updated?
Thank you

... and you didn't read the link about the rate limits.

1 Like

I'm sorry, I don't understand the process.
So I tried it too many times, I know it's my fault, but there has to be a way to remove all
the previous certs and start over, no?
Forgive me for my lack of knowledge.

Let's Encrypt is an almost completely 100% automated system, run by robots. 🤖 🤖

That's what makes it cheap enough to be able to give out certificates at no charge.

In exchange for this, the Let's Encrypt team has greatly limited its ability to make changes for, or on behalf of, an individual user. Almost all policies are enforced by software almost all of the time, and for many of them there are no tools to permit human intervention. For example, to my knowledge there is no interface for resetting a rate limit when someone reaches it by mistake. That is even true if the rate limit was reached due to a bug in someone else's software.

As the rate limit documentation says, the rate limits are there "to ensure fair usage by as many people as possible" because otherwise software bugs like this (or people choosing designs that don't scale well, like re-issuing a certificate every day or every hour) could overwhelm the resources of the Let's Encrypt infrastructure.

I'm very sorry that users sometimes end up getting "punished" for bugs in the tools that they use (which I think is the case here as Asus developers seem to have made an unwarranted assumption in their code, contrary to Let's Encrypt's developer documentation), but not requiring a large support team to deal with investigations and special cases for this every day is really one aspect of what makes it possible for Let's Encrypt certificates to be provided at no cost to the subscriber.

This particular rate limit resets after 7 days; if you need a certificate before that, you could use a paid CA or one of the other free ACME CAs (BuyPass, ZeroSSL), if you can configure the device to request it from them.

1 Like
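The duplicate-certificate window discussed in this thread, worked through as an added example (not part of any post here, and not Let's Encrypt or Asus code). It uses the five issuance dates from the CT-log table above. It assumes the 7-day limit behaves as a sliding window and that each certificate was issued at 00:00 UTC on its not-before date. The function names `parse`, `next_allowed` and `plan` are hypothetical.

```python
from datetime import datetime, timedelta

LIMIT = 5                      # identical certificates listed in the thread
WINDOW = timedelta(days=7)     # "resets after 7 days"; sliding window is an assumption
LIFETIME = timedelta(days=90)  # not-before to not-after in the thread's table

# Constructed from the CT-log table in the thread. CT shows dates only, so each
# issuance is taken as 00:00 UTC on its not-before date (an approximation).
CT_ROWS = [
    ("2020-12-09", ["bigcid10.ddns.net"]),
    ("2020-12-09", ["bigcid10.ddns.net"]),
    ("2020-12-09", ["bigcid10.ddns.net"]),
    ("2020-12-08", ["bigcid10.ddns.net"]),
    ("2020-12-08", ["bigcid10.ddns.net"]),
]

def _key(names):
    # A "duplicate" is a certificate for exactly the same set of names.
    return frozenset(n.lower() for n in names)

def parse(rows):
    """Group issuance times by the exact name set on each certificate."""
    issued = {}
    for not_before, names in rows:
        issued.setdefault(_key(names), []).append(
            datetime.strptime(not_before, "%Y-%m-%d"))
    return {k: sorted(v) for k, v in issued.items()}

def next_allowed(issued, names, now):
    """Return `now` if a duplicate can be issued, else when a slot frees up."""
    recent = [t for t in issued.get(_key(names), []) if t > now - WINDOW]
    if len(recent) < LIMIT:
        return now
    # A slot opens once the LIMIT-th most recent issuance leaves the window.
    return recent[-LIMIT] + WINDOW

def plan(issued, names, now, have_local_copy):
    """Pick an action for the client instead of re-requesting in a loop."""
    times = issued.get(_key(names), [])
    if have_local_copy and times and times[-1] + LIFETIME > now:
        return ("install-existing", times[-1] + LIFETIME)
    when = next_allowed(issued, names, now)
    return ("issue-now", now) if when == now else ("wait", when)

if __name__ == "__main__":
    log = parse(CT_ROWS)
    print(plan(log, ["bigcid10.ddns.net"], datetime(2020, 12, 10), False))
```

The wait is measured from the oldest issuance still inside the window, not from the last failed attempt, and a certificate for a different set of names is counted separately.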