Can not stop auto renewals

Due to the complexities of our infrastructure traffic routing we must manually renew de certificates in one server and rsync to all others.
The problem is that many times we are getting the rate limit error.

Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: zzzz.com: see https://letsencrypt.org/docs/rate-limits/

There are no CRON jobs renewing certs and renewals have been disabled in snap using:
sudo snap stop --disable certbot.renew but logs keep showing the renewal attempts twice a day at 8:50 and 23:32
Apparently there is a bug in snap Bug #1842258 “snap stop --disable svc with timer doesn't disable...” : Bugs : snapd but I wonder if it applies to certbot renewals and if there is way to stop completely automatic renewals.

Thank you.

1 Like

Hi @estebanavv welcome to the LE community forum :slight_smile:

Also check cron jobs.
If any there, you might still have an old copy of certbot installed.
Two certbots aren't better than one! LOL

3 Likes

Looks like automated renewal is working nonetheless! So manual renewal doesn't actually seem to be necessary :stuck_out_tongue:

This is by the way not really something we can help you with I think.. Your certificates are renewing unnecessarily A LOT it seems and our guess about the WHY is as good as yours..

3 Likes

Dare I say...

An automated use of "the" --force ?!?!?!

[good thing it's October! - scary thoughts abound...]

I will lose sleep over this...
Now we have to find it!

1 Like

Also, you may consider making a hook to copy issued/renewed certs into the separate directory and sync only it rather than whole /etc/letsencrypt/ - in this case, the other servers won't have certbot config and won't be able to accidentally renew any certificates. Or explicitly exclude /etc/letsencrypt/renewal/ directory from the sync and remove it from all instances except the one supposed to renew.

3 Likes

True, the reason why we have it in other servers is for redundancy in case the main one fails.

There is no reason doing this for certbot, because the certificates are renewed in 30 days before the expiration and the renewal job runs twice a day. So you will have ~60 renewal attempts before your certificate expires. And if the fail is not accidental - all cloned instances will produce the same error anyway.
Additionally, you will receive e-mail notification from Letsencrypt if your certificates were not renewed in 20 days, so you will have plenty of time to fix the error.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.