Asus RT-AX88U Let's Encrypt cert stuck on authorizing

That's great, but how?
What's the process?
Thank you

Please read about Let's Encrypt's issuance rate limits:

Since you have already reached the Duplicate Certificates limit for this name, you won't be able to issue a new Let's Encrypt certificate for this name (by itself) for another week. If you can find the existing certificates saved somewhere on the ASUS device, they should still be valid.


Check your Asus documentation. Or use an Asus forum.

I don't use that device.


OK, I can wait a week. Will it automatically renew?
Thank you

That's wrong.

You have to find a solution to install the certificate, not only to create a certificate.

So if you do the same first part (with missing second part = installation) the next week again, you will have the same problem.


I have the same issue with my RT-AX86U router and DDNS name.
What should I do?

If the certificates are getting issued by the Asus device software but then not actively used on the device, it seems like the Asus software has a bug (as it's an integrated solution that's failing to act in an integrated way). Is there a way to ask Asus or its community for help with this?

There is one change that recently happened in Let's Encrypt's services (a new intermediate certificate used to issue subscribers' certificates) which could have broken some software if it hard-coded too many assumptions about how Let's Encrypt works. I don't have any evidence that this is relevant to the problem that the two of you are experiencing, but the timing would match up if this worked well in the past and suddenly stopped working recently.


I'll try to ask in the Asus forum; I'll report your answer.


The solution is built into the router interface.
You basically go to the WAN section, click on DDNS, put in your DDNS info,
and then click on the get free cert from Let's Encrypt and it does the rest.
If you would normally do a firmware update, it's fine, no issues,
but with the changeover to 386 series code, I had to do a wipe and clean install.
That's when the issues arise.
I just get stuck on authorizing, so I did it again, same.
So there you go, log files say to use the --force renew switch.

It looks like it keeps expecting an X3-based cert and checks against it, which obviously fails; then it discards the cert and asks for a new one.


For the Asus users who might be missing context for that change:

About the last 16,000,000 certificates that Let's Encrypt has issued have used this new intermediate:

Let's Encrypt documentation has always advised client implementers to use the certificate chain provided by the CA (so that intermediates can change like this!), but some clients may have hard-coded references that require or assume the old X3 intermediate, in which case they will be broken from now on until these references are removed.
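The failure mode described above, reproduced in a throwaway lab PKI. This is an added example, not part of the original post and not Asus or Let's Encrypt code; it assumes the `openssl` CLI is installed, and every name in it (`Lab Root`, `Lab Intermediate OLD`/`NEW`, `router.example.test`) is hypothetical.

```bash
#!/usr/bin/env bash
# Constructed lab PKI, all names hypothetical: one root, an OLD and a NEW
# intermediate, and a leaf that only the NEW intermediate has signed.
set -eu
LAB=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$LAB/ca.ext"

new_csr() {  # new_csr <name> <common-name>: fresh key plus CSR
  openssl req -new -newkey rsa:2048 -nodes -keyout "$LAB/$1.key" \
    -out "$LAB/$1.csr" -subj "/CN=$2" 2>/dev/null
}

sign() {     # sign <name> <issuer> [extfile]: issuer signs <name>'s CSR
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$2.pem" -CAkey "$LAB/$2.key" \
    -CAcreateserial -days 7 ${3:+-extfile "$3"} -out "$LAB/$1.pem" 2>/dev/null
}

build_lab_pki() {
  new_csr root "Lab Root"
  openssl x509 -req -in "$LAB/root.csr" -signkey "$LAB/root.key" \
    -extfile "$LAB/ca.ext" -days 7 -out "$LAB/root.pem" 2>/dev/null
  new_csr old_int "Lab Intermediate OLD"; sign old_int root "$LAB/ca.ext"
  new_csr new_int "Lab Intermediate NEW"; sign new_int root "$LAB/ca.ext"
  new_csr leaf "router.example.test";     sign leaf new_int
  # Shape of an ACME download: leaf first, then the intermediate the CA chose.
  cat "$LAB/leaf.pem" "$LAB/new_int.pem" > "$LAB/fullchain.pem"
}

# Brittle client: ignores the served chain and insists on a pinned intermediate.
verify_pinned() {
  openssl verify -CAfile "$LAB/root.pem" -untrusted "$LAB/old_int.pem" \
    "$LAB/leaf.pem" >/dev/null 2>&1
}

# Robust client: builds the path from whatever intermediates came with the leaf.
verify_served_chain() {
  openssl verify -CAfile "$LAB/root.pem" -untrusted "$LAB/fullchain.pem" \
    "$LAB/fullchain.pem" >/dev/null 2>&1
}

build_lab_pki
verify_served_chain && echo "served chain: verifies"
verify_pinned || echo "pinned OLD intermediate: no path to the leaf's issuer"
```

The leaf is valid in both runs; only the client's assumption about which intermediate signed it differs.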


Then it's an Asus-client bug -> ask in the Asus forum.

It can't be fixed from the client side; it has to be done from Let's Encrypt's end.

Please learn the basics of how Let's Encrypt works.

If a client is buggy, it's always a client problem.

PS: You have created new certificates. So it's only a buggy installation problem. Or you use the tool the wrong way.

Why can't you just remove all the previous certs and leave one, so it can be updated?
Thank you

... and you didn't read the link about the rate limits.

I'm sorry, I don't understand the process,
so I tried it too many times. I know it's my fault, but there has to be a way to remove all
the previous certs and start over, no?
Forgive me for my lack of knowledge.

Let's Encrypt is an almost completely 100% automated system, run by robots. :robot: :robot:

That's what makes it cheap enough to be able to give out certificates at no charge.

In exchange for this, the Let's Encrypt team has greatly limited its ability to make changes for, or on behalf of, an individual user. Almost all policies are enforced by software almost all of the time, and for many of them there are no tools to permit human intervention. For example, to my knowledge there is no interface for resetting a rate limit when someone reaches it by mistake. That is even true if the rate limit was reached due to a bug in someone else's software.

As the rate limit documentation says, the rate limits are there "to ensure fair usage by as many people as possible" because otherwise software bugs like this (or people choosing designs that don't scale well, like re-issuing a certificate every day or every hour) could overwhelm the resources of the Let's Encrypt infrastructure.

I'm very sorry that users sometimes end up getting "punished" for bugs in the tools that they use (which I think is the case here as Asus developers seem to have made an unwarranted assumption in their code, contrary to Let's Encrypt's developer documentation), but not requiring a large support team to deal with investigations and special cases for this every day is really one aspect of what makes it possible for Let's Encrypt certificates to be provided at no cost to the subscriber.

This particular rate limit resets after 7 days; if you need a certificate before that, you could use a paid CA or one of the other free ACME CAs (BuyPass, ZeroSSL), if you can configure the device to request it from them.

I understand, thank you.
I can wait a week.
