Automated Renewal Process - Rate Limit Error

I was under the impression that I set up the automated task to renew my domains, but now that I noticed an SSL cert for a frequently used domain has expired, I went in to try to manually renew after researching a bit. Because the cert has already expired, I’m in a bit of a rush to resolve this. I tried to answer the questions as best as possible below. I did attempt to do some research, but didn’t find one exact answer so I was hesitant to try too many ideas with the possibility of messing up all of my certs.

If I need to renew a single domain at a time or only a few, I’m happy to do that but would appreciate some guidance on how to accomplish this with the letsencrypt.exe commands.

The domain that I initially noticed the expiration: cbmgmt.net

I ran this command: I simply opened an elevated command prompt, navigated to my folder, and ran letsencrypt.exe. It gave me options for new/renewal, and I selected A for renew all.

It produced this output: Code 429, content: { type: urn:acme:error:rateLimited, detail: Error creating new cert :: too many certificates already issued for exact set of domains: (14 domains listed, including cbmgmt.net and www.cbmgmt.net - side note: I don’t remember requesting two separate ones for www and non-www)

My web server is (include version): IIS 8.5.9600.16384

The operating system my web server runs on is (include version): Windows Server 2012 R2

I have administrative rights on this server.

Also, wanted to note that all my domains say renew after 2018/1/16, and I thought the automated process ran, but my certificates are expiring anyways.

Hi @mkandy,

You’ve been issuing a new identical certificate every single day:

https://crt.sh/?Identity=%cbmgmt.net&iCAID=16418

Clearly something is wrong with your renewal setup; do you know how it’s renewing automatically and how it’s configured?

Perhaps one of the prior renewals still exists somewhere on your computer and you could find it and use that?
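An added example, not part of any post in this thread: one way to spot the runaway pattern described above in certificate-transparency search results before the CA starts returning 429. The record fields, the sample data and the default of 5 issuances per 7 days for an exact name set are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def issuances_by_name_set(records):
    """Group unique certificates by their exact (order-insensitive) set of names."""
    seen, groups = set(), defaultdict(list)
    for rec in records:
        if rec["serial"] in seen:  # precertificate and final cert share a serial
            continue
        seen.add(rec["serial"])
        names = frozenset(n.strip().lower()
                          for n in rec["names"].split("\n") if n.strip())
        groups[names].append(datetime.fromisoformat(rec["not_before"]))
    return groups

def find_runaway_renewals(records, window_days=7, limit=5):
    """Return {name_set: peak} for sets issued >= limit times in any window."""
    window, flagged = timedelta(days=window_days), {}
    for names, times in issuances_by_name_set(records).items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= limit:
            flagged[names] = peak
    return flagged

def constructed_sample():
    """Constructed data: one name set issued daily, another renewed after 60 days."""
    day0, recs = datetime(2018, 1, 17, 14, 0), []
    for i in range(6):
        rec = {"serial": f"a{i:02d}", "names": "example.net\nwww.example.net",
               "not_before": (day0 + timedelta(days=i)).isoformat()}
        recs += [rec, dict(rec)]  # CT searches list the precert and the cert
    for i, offset in enumerate((0, 60)):
        recs.append({"serial": f"b{i:02d}", "names": "app.example.org",
                     "not_before": (day0 + timedelta(days=offset)).isoformat()})
    return recs

if __name__ == "__main__":
    for names, peak in find_runaway_renewals(constructed_sample()).items():
        print(sorted(names), "issued", peak, "times within one window")
```
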

I actually just noticed that myself, not sure exactly what’s going on. I have a ton of certs available apparently… guess I didn’t dig in deep enough to notice that.

I don’t know specifics on how it’s renewing, but I do know the scheduled task is set to run daily. I didn’t think I set it that way, but apparently it’s set that way, so if it didn’t get set up that way during the automated renewal setup process I must’ve manipulated it.

If I change the automated renewal to run every 60 days, and we removed all the unnecessary certs, will that resolve this issue on your side?

Also, is the automated process supposed to automatically update the websites to use the latest cert or would I have to manually switch it?

If you need me to run any commands that might give you helpful info, I’m happy to do that.

Also, thank you for the quick response and review.

I changed the trigger on the automated task to 9:00AM every 60 days, will that suffice?

I looked at the crt.sh link you sent showing the renewals, and I am confident I did not make any changes to the automated task after my initial issuance of a certificate, so it might be related to the renewal that initiated on 1-17, because that’s when it switched to daily and I don’t believe I made any changes to the automated task.

Hi,

Can you check on your cron (daily work) and show us the output?

(It should look like renew instead of certonly or something)

Thank you

This is not a fix to the problem.
That is like...
One of my tires leaks air but only when I drive the car...
Solution: Let me drive the car only once every 60 days.

Let's find that leak!
If you show the command that you are running we should be able to figure out why and how to fix it in short order.
Now, I don't agree that you should test for cert renewals every hour - but every 60 days is just as bad (at the opposite end of the spectrum).


Hey @rg305 - thanks for the response. Definitely don’t like leaky tires. But the problem I have is that I set this up months ago initially, so I might be missing a detail in my recollection.

As far as I can remember, I don’t think I manually set anything up. I believe it had the option to automatically renew the certificates, and I thought I elected to do that, and just let it do its thing. I don’t believe I manually put in place the automatic renewal or Windows scheduled task, so I can’t speak as to why it suddenly started sending renewal requests.

This is simply a web application server that I upload to. I generally don’t even log on to it and make changes short of deploying a new website in IIS, but I haven’t deployed any new websites to this particular server in months, hence I have not initiated a request for any certificates myself in months. All the requests seem to be from the scheduled task in Windows, because they are consistently around the same time every day (9 AM EST).

I’m definitely not going to say it’s impossible that I screwed anything up; as I said before, my recollection is spotty at best after all this time. It is possible I made the scheduled task if that isn’t something that is automatically set up, but if I did, I don’t recall the specifics in doing it this many months later unfortunately.

And I do want to make sure to be clear, I haven’t sent any commands to letsencrypt.exe since I initially set it up, other than what I did today (which I detailed at the initial post). So this issue wasn’t caused by a command I sent in January to start the daily requests, because I did not give a command in January. It is possible I did something incorrectly in November 2017 when I initially set it up, but that’s too far back to remember the specific command I entered.

It looks like it’s related to the automated renewal process (Windows scheduled task), as it started occurring exactly 3 months after my initial setup when a renewal might be necessary. But again, I can’t remember if I manually set up the scheduled task then set it to daily and delayed it 3 months, or if this task was automatically set up by selecting an option during the letsencrypt process. I’m happy to take responsibility and say it was my fault if that’s the case, just need to be sure that I have corrected the issue and addressed it going forward.

I would think that if it happened during the letsencrypt process it would’ve happened to more than just me and there would be more awareness of this issue, which leads me to believe I did something wrong. The problem is it was so long ago that I don’t recall exactly what I did.

I know my last response was quite long, I will try to keep this one short.

It looks like the scheduled task was sending a command to renew certificates. I will add the command below. Maybe there’s a different command that I should change it to in order to check if I need a renewal and execute only if I do?

Windows Scheduled Task command (action):
C:\LetsEncrypt\letsencrypt.exe --renew --baseuri "https://acme-v01.api.letsencrypt.org/"

Can I change the --renew to something else to achieve the desired action?

The task command doesn’t seem to be the problem.

Is there a “cli.ini” or some other ini file in the LE folder?

I don’t see any .ini files in the lets encrypt folder or ProgramData folder.

I can’t find anything in the documentation that would explain or fix the problem.
I would try updating to the latest version and keep an eye on fixes with newer updates.
Hopefully this is something that can be fixed by just updating the version.
Until then, I would set the task to run every 29 days, which would ensure that it runs at least 3 times before it was set to expire, and sign up for a free cert monitoring service (like KeyChest.net or Qualys CertView) which will send email alerts when any of your certs are too close to expiring.

Ok, fair enough. I will set it to every 29 days and get a monitoring service.

What am I to do about the dozens of certs I inadvertently generated?

No need to worry.
No one else can use them and they will automatically expire.

Ok. Is there any way to remove them just to keep things simple if I do a lookup in the future? If not, I know I’m just being picky and can deal with it.

Thanks very much for your assistance in this matter, and your timely responses.

Unfortunately no, there is no way to remove them.
They are forever engraved in the history of the Internet.

Ahh yes, a permanent reminder of my error… :sleepy:
