Cannot create certificate on Synology

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: domo.occd.be ; syno.occd.be ; occd.cloudns.ph

I ran this command: create certificate in the security tab

It produced this output: "Le nombre de maximum de demande de certificat est atteint pour ce nom de domaine"

My web server is (include version): Apache 2.4 on Web Station

The operating system my web server runs on is (include version): Synology DSM 7.0.1

My hosting provider, if applicable, is: One.com for occd.be

I can login to a root shell on my machine (yes or no, or I don't know): yes but I am not used to it

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): DSM 7.0.1 (text editor)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): ??

Notes: I just updated DSM. Before updating (DSM 6.??) I had another error, something like "No response from distant server".
I use cloudns for dynamic DNS, and in my One.com control panel I set up two CNAMEs from domo.occd.be and syno.occd.be pointing to occd.cloudns.ph.
Ports are open and the web site works just fine.

1 Like

It looks like the domain name occd.cloudns.ph is rate limited. Many people issue subdomains for the cloudns.ph and you are affected by them. You should contact that provider to request a Rate Limit Increase from Let's Encrypt. Your message is a little different from the docs but I am guessing that is a language translation issue. The limit is:

The main limit is Certificates per Registered Domain (50 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain. Exceeding the Certificates Per Registered Domain limit is reported with the error message too many certificates already issued, possibly with additional details.

See this Let's Encrypt page for more details

I tried looking up that name on crt.sh but there were so many I could not get a complete list. There is not much you can do except try again and hopefully a new spot becomes available. This will affect you on future renewals, so the long-term solution is for the provider to request a rate limit increase. This is not just affecting you but all people who use that domain. Refer them to the Overrides section in the doc I linked to above.

And, welcome to the community @cool

3 Likes

Hello, thanks for the reply!

I understand that my occd.cloudns.ph subdomain is limited by the fact that it is a dyndns service...
But what about my other domain occd.be? I found out that One.com does register *.occd.be so that I can have https on sites hosted there... but it is only 1 cert (looks like 2 as there is a precertificate??)
I thought that the limit was only for the "main name" domain, not the "other name" in the request form; that's supposed to be a trick to overcome a limit on some domain: "just put/add it in the 'other name' and create another (sub)domain for the 'main name'".

I just retried with both domo.occd.be and syno.occd.be in the "other" field and home.occd.be in the "main" field and it looks like it works...
Does the fact that home.occd.be is an A NAME to my IP change something compared to domo and syno being CNAME to occd.cloudns.ph?

Thanks again for your help

1 Like

The registered domain name (or "apex" name) for each domain name requested in the cert is checked for rate limits. In your first example you had two - occd.be and cloudns.ph. The second one failed the rate limit check so your cert request failed.

By removing that name only occd.be would be checked and you had success.

There are other kinds of rate limits such as only issuing 5 certs each 7 days using the exact same names. This happens when people test using the production cert system or with a poorly setup system.

The crt.sh list will always show 2 "certs" for each request. Yes, a precert and an actual one. That counts as just one. Use the Advanced option to deduplicate, so you see just one of them in the list and it is easier to count.

No, the difference is you requested a cert with only names ending in occd.be. It does not matter if you CNAME or redirect them elsewhere as far as rate limits go.

2 Likes
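To illustrate the point made in the answer above (each name in a request is reduced to its registered domain, and only those apex names are counted against the per-registered-domain limit), here is an added example that is not from the thread or from Let's Encrypt. It assumes a small constructed subset of the Public Suffix List; a real tool would load the full list.

```python
# Added example: map each requested name (SAN) to its registered domain the
# way the Certificates-per-Registered-Domain limit groups names.
# PUBLIC_SUFFIX_RULES is a constructed subset of the Public Suffix List,
# enough for the names discussed in this thread; it is not the real list.
# cloudns.ph is deliberately absent, since the thread shows the whole
# cloudns.ph apex being rate limited as one registered domain.
PUBLIC_SUFFIX_RULES = {
    "be", "ph", "com", "uk", "co.uk",
    "*.ck", "!www.ck",   # wildcard and exception rules, as the PSL allows
}


def public_suffix(name: str) -> str:
    """Public suffix of name: longest matching rule, exceptions win."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])          # longest candidate first
        wildcard = ".".join(["*"] + labels[i + 1:])
        if "!" + candidate in PUBLIC_SUFFIX_RULES:
            return ".".join(labels[i + 1:])       # exception: one label shorter
        if candidate in PUBLIC_SUFFIX_RULES or wildcard in PUBLIC_SUFFIX_RULES:
            return candidate
    return labels[-1]                             # implicit "*" default rule


def registered_domain(name: str):
    """Registered (apex) domain: the public suffix plus one label."""
    labels = name.lower().rstrip(".").split(".")
    n = len(public_suffix(name).split("."))
    if len(labels) <= n:
        return None                               # name is itself a public suffix
    return ".".join(labels[-(n + 1):])


def apex_names_checked(san_list):
    """Set of registered domains whose weekly counter one request touches."""
    return {rd for rd in map(registered_domain, san_list) if rd}


if __name__ == "__main__":
    # The two requests from the thread: the first touches two apex names,
    # the second only occd.be, which is why only the second one succeeded.
    print(apex_names_checked(["domo.occd.be", "syno.occd.be", "occd.cloudns.ph"]))
    print(apex_names_checked(["home.occd.be", "domo.occd.be", "syno.occd.be"]))
```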
