Beta feedback and issues (unable to get a working certificate right now)


#1

Hi, here is a “short” feedback report of what I did so far…
If I refer to “the docs” further down, I’m talking about the documentation located at: https://letsencrypt.readthedocs.org/

First I followed the installation steps in the docs to set up everything and get a certificate via the webroot option (server is running on CentOS 7 with nginx 1.9.x):
letsencrypt certonly --webroot -w /var/www/example/ -d www.example.com

I adjusted the nginx config for the certs and checked the cert in several browsers. Everything was fine and the certificate seemed OK (all my browsers trusted it, at least).
The whole process from installation to a working cert took me about 10 minutes and I was very impressed!

Now I tried evaluating my options for automatic renewal…
I first ran the previous command again and it prompted me for renewal… OK, I checked the docs and decided to use the command with the configuration file stated in the docs:
letsencrypt-auto --config cli.ini

On the first run it prompted me again… I checked the --help pages, read some stuff in the support forum and added the following lines to the config file:
renew-by-default
agree-dev-preview
agree-tos

That gave me something like: agree-dev-preview is deprecated…
I removed the line and ran the script again…
I can’t remember exactly what the error was, but it said something about giving these options a value, and I changed the lines to something like:
renew-by-default=true
agree-tos=true
(Not exactly sure about these values.) It seemed to work (I did not check the cert in a browser).

After several hours I accessed my domain via browser and was surprised that Chrome was complaining about an unverified cert, coming from “happy hacker CA”… I panicked a little bit, wondering if the server had been compromised. After some reading I noticed that this cert was used in the closed beta on several occasions… or wherever…

I ran the renewal process again several times and had no success getting a cert other than a happy hacker one. I gave up for the day and continued today…

I tried to run the original command again (without the --config) several times with no success and realized that letsencrypt still used the config file (I put it at: /etc/letsencrypt/cli.ini).

I deleted the file and I still could not get a cert. I checked the folders and deleted the domain folder under “renewal”… Now I got some kind of error message like: archive folder present.

So I deleted all certs (in: archive, keys, symlinks in live) and domain folders with configs to be sure.
I also realized that the accounts folder had two subfolders:
acme-v01.api.letsencrypt.org
acme-staging.api.letsencrypt.org

I deleted the “younger” one (acme-staging, which is the server URL setting in the config file example in the docs), assuming this could be a deprecated URL…

I tried to run the original command again:
letsencrypt certonly --webroot -w /var/www/example/ -d www.example.com

and now I get the error message:
Error creating new cert :: Too many certificates already issued for: xxx.yy

Thumbs up! I messed up… :disappointed_relieved:

Regards,
thiess


#2

As far as I’m aware the renewal part isn’t fully implemented yet - currently most people generally just create a new cert, and replace the old one.

As for the “too many certificates already issued” I’m afraid you’ll just have to wait a few days so that you are allowed to regenerate the correct certificate.


#3

Yes, I tried to do the automatic renewal via cron but had to find the right CLI “arguments” first, so I would be able to execute it without a prompt… Once I got it, I ran into the “happy hacker” issue.
It seems the “happy hacker” certificates counted towards the certificate limit, so I hit the limit of 10 requests pretty fast.
So no more testing for me for another… uhm… 55 days.


#4

The rate limits aren’t thát high. For future reference: for trying out, you’d be wise to use the staging server. See the recently added documentation about this.
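
Added example (not part of the thread and not Let's Encrypt project code): a pre-flight check a cron renewal job could run to see which ACME endpoint a cli.ini selects, so that a staging config is caught before it replaces a browser-trusted certificate. The function names are hypothetical, the two hostnames are the account folder names quoted in post #1, and the `server = URL` line format is an assumption about the config file.

```shell
#!/bin/sh
# Added example: classify the ACME endpoint a letsencrypt cli.ini selects.
# Hostnames are the two account folder names quoted in post #1.
PROD_HOST="acme-v01.api.letsencrypt.org"
STAGING_HOST="acme-staging.api.letsencrypt.org"

# Print the value of the last uncommented "server" key in file $1.
# Assumes "server = URL" or "server: URL" lines; "#" lines are comments.
ini_server() {
    sed -n 's/^[[:space:]]*server[[:space:]]*[=:][[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one of: production, staging, unknown, or default
# (default = no server key, so the client's built-in endpoint applies).
acme_endpoint() {
    url=$(ini_server "$1")
    [ -n "$url" ] || { echo default; return 0; }
    host=${url#*://}   # strip the scheme
    host=${host%%/*}   # strip the path
    case "$host" in
        "$PROD_HOST")    echo production ;;
        "$STAGING_HOST") echo staging ;;
        *)               echo unknown ;;
    esac
}

# Cron guard: fail when the config targets staging or an unrecognised server.
preflight() {
    ep=$(acme_endpoint "$1")
    case "$ep" in
        production|default) return 0 ;;
    esac
    echo "refusing to renew: $1 targets the $ep endpoint" >&2
    return 1
}

# Constructed sample config (not from the thread), written to a temp file.
sample_ini() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' 'renew-by-default = True' \
        "server = https://$STAGING_HOST/directory" > "$f"
    echo "$f"
}

# Stand-alone use: sh check.sh /etc/letsencrypt/cli.ini
if [ $# -gt 0 ]; then preflight "$1"; fi
```

In a cron entry the renewal command would be chained behind `preflight` so it only runs when the check succeeds.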