Automation and renewal of certificate

My domain is:
*.ikip.dev
I ran this command:
kubectl apply -f ./manifests/cert-manager/03-cert-manager-ikip-dev-cert.yaml
It produced this output:
Failed to create Order: 429 urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: *.ikip.dev:

My web server is (include version):
nginx
The operating system my web server runs on is (include version):
It was deployed using terraform and kubectl
My hosting provider, if applicable, is:
Azure Kubernetes Services
I can login to a root shell on my machine (yes or no, or I don't know):
I don't know
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
not known

Initially, we tried to get the certificate issued by the production server. However, we hit the limit mentioned above.
Q1: Is there any way to know how much time is left before this limitation is lifted?

As the above process didn't work, we have issued the certificate using the ACME staging server. However, the staging cert is not valid in any browser.
Q2: Is there any way I can modify the browser configuration so that I can visit the application?

In moving forward, we want to use this wildcard cert issued by ACME production server.
Q3: Shall we face any issues if we try to re-issue *.ikip.dev using the ACME production server?

Really appreciate your urgent advice on this.

Cheers.

One week from the first certificate you made for that name.

Yes, you can add the root certificate of the staging CA. Use a different browser than your usual one. Staging Environment - Let's Encrypt

If you don't issue duplicates, no. You have to actually save the certificates in permanent storage, not ephemeral volumes.

Thanks very much for the prompt reply.
Just to confirm, the staging cert is a wildcard cert.

Q4: So shall we be able to re-order the same wildcard from the production ACME server?

Q5: Is there any way we can revoke this from staging?

Yes, but you should use one of those you have already.

Yes but revoking doesn't do anything useful for you. If you don't want to use the staging certificate anymore, just stop using it.

That's to be expected. The staging environment is meant to be the primary testing ACME endpoint. It's not some kind of backup environment for when you messed things up on the production environment. Only after everything seems to be working properly on the staging environment, with regard to certificate issuance, should you switch to the production environment.

In your situation, you've hogged the production server too many times, so you're rate limited. This is due to unnecessarily wasting too many of Let's Encrypt's resources for no good reason.

Please use one of the previously issued 5 (!!!) perfectly fine production certificates.

Thanks very much once again for the confirmation. I shall re-deploy the certs using the production ACME as soon as the restriction is lifted.
In the meanwhile, I'm trying to understand the limitation behind the following error:
Failed to create Order: 429 urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: *.ikip.dev

Q6: When we use the manifest file to define the cert to renew, will the following be taken as one certificate creation or many?

  dnsNames:
  - "*.ikip.dev"

It's quite literal. It's complaining because you issued duplicate certificates. Don't issue certificates with the same domain names as a valid one you already have.

This depends on your acme client, but *.example.com is actually a single SAN. One certificate is enough.

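As an added illustration of the two answers above (this is not code from the thread, from Let's Encrypt or from cert-manager), the following Python models the sliding 168-hour window quoted in the 429 error and shows why a wildcard dnsNames entry is a single domain set. The issuance timestamps are constructed sample data.

```python
"""Model of the Let's Encrypt duplicate-certificate limit quoted in the thread:
5 certificates per exact set of domains per 168 hours (a sliding window)."""
from datetime import datetime, timedelta, timezone

DUPLICATE_LIMIT = 5            # "too many certificates (5) already issued"
WINDOW = timedelta(hours=168)  # "in the last 168 hours"


def domain_set_key(dns_names):
    """Canonical form of "this exact set of domains" for a Certificate's dnsNames.

    The set is compared order- and case-insensitively with duplicates removed.
    A wildcard such as *.ikip.dev is one SAN, so one wildcard entry is one
    certificate per order for rate-limit purposes.
    """
    return tuple(sorted({n.strip().lower().rstrip(".") for n in dns_names}))


def hours_until_allowed(issued_at, now):
    """Hours from `now` until another cert for the same domain set may be ordered.

    `issued_at` holds issuance times (UTC) of certificates for one domain set.
    Returns 0.0 if fewer than DUPLICATE_LIMIT were issued inside the window;
    otherwise the time until the oldest in-window issuance ages out, which is
    the "one week from the first certificate" answer given above.
    """
    in_window = sorted(t for t in issued_at if now - t < WINDOW)
    if len(in_window) < DUPLICATE_LIMIT:
        return 0.0
    # Enough issuances must leave the window that at most LIMIT-1 remain inside it.
    blocking = in_window[-DUPLICATE_LIMIT]
    return (blocking + WINDOW - now).total_seconds() / 3600


# Constructed sample (not real data): five issuances for *.ikip.dev in one week.
SAMPLE_NOW = datetime(2021, 1, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_ISSUED = [SAMPLE_NOW - timedelta(hours=h) for h in (150, 100, 50, 20, 2)]

if __name__ == "__main__":
    key = domain_set_key(["*.ikip.dev"])
    print("domain set:", key, "->", len(key), "SAN(s), one certificate per order")
    print("hours until another order is accepted:",
          hours_until_allowed(SAMPLE_ISSUED, SAMPLE_NOW))
```

With the sample data the fifth-oldest issuance was 150 hours ago, so a new order is accepted 18 hours from now; dropping one issuance brings the count to four and the order goes through immediately.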
As @9peppe said, and maybe viewing your cert history would help visualize that.

Thanks. We need only one wildcard cert to cover the hostnames. Does this mean we shall be able to re-order a production ACME cert on the 27th instant?

No, you should use one of the already issued certificates!

The cert is up now. I do appreciate your support in answering the questions and concerns on this. In one word - Epic!
