I read the rate limiting page which talks about 20 / week. So I waited a week and tried again. Same thing. Then I waited another week – same thing.
I looked at /var/log/letsencrypt/letsencrypt.log but didn’t really gain much insight. I see the HTTP code 429 with a message telling me it was rate limited.
I don’t recall setting up any sort of automatic renewal. I had to manually renew other domains of mine. But maybe I did and can’t find them in cron?
Previously, when looking at the log it seemed like I had messed up my certificate directory somehow. I deleted it and tried to get a new cert but am still rate limited.
It produced this output:
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: gdb-tutorial.net: see https://letsencrypt.org/docs/rate-limits/
My web server is (include version):
nginx 1.10.3 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 16.04.4 LTS
My hosting provider, if applicable, is:
RamNode
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
Is it possible that you created a cron job or systemd timer with certbot renew --force-renew (or the confusingly-named obsolete synonym --renew-by-default)?
If I’m reading that correctly, it isn’t every day.
That is me on the weekends trying to renew it through various means.
For example, you’ll see I did my mass renewal of subdomains on 2018-04-07.
Then you see me trying to get just gdb-tutorial.net working on 2018-04-08 and 09 (the next two days).
Then I waited about a week to try again (the 15th).
The entries I do see on that page may have been --force-renew attempts. But on my end, I was still told that I was rate limited and it still failed. Maybe it succeeded on Let’s Encrypt’s end and my corrupted certificate directory was the problem? (And it still told me I was rate limited for some reason?)
I guess my attempts earlier today were ACTUALLY rate limited.
I’ll wait until May 1st, when I have 3 more duplicate certificate attempts available. Then I should no longer be rate limited. At that point, I’ll try with --preferred-challenges http as well.
CRT ID CERT TYPE DOMAIN (CN) VALID FROM VALID TO EXPIRES IN SANs
416942035 Pre cert gdb-tutorial.net 2018-Apr-24 03:16 UTC 2018-Jul-23 03:16 UTC 84 days gdb-tutorial.net
415625234 Pre cert gdb-tutorial.net 2018-Apr-23 15:18 UTC 2018-Jul-22 15:18 UTC 84 days gdb-tutorial.net
414877136 Pre cert gdb-tutorial.net 2018-Apr-23 03:54 UTC 2018-Jul-22 03:54 UTC 83 days gdb-tutorial.net
414148870 Pre cert gdb-tutorial.net 2018-Apr-22 15:19 UTC 2018-Jul-21 15:19 UTC 83 days gdb-tutorial.net
413364258 Pre cert gdb-tutorial.net 2018-Apr-22 03:45 UTC 2018-Jul-21 03:45 UTC 82 days gdb-tutorial.net
[...]
Today is 2018-Apr-29 (and at the time of writing this post 11:00 UTC) so It means you issued a certificate in 2018-Apr-22 03:45 UTC and you could issue a new cert in 2018-Apr-22 04:45 UTC. Also, you issued one more cert in 2018-Apr-22 15:19 UTC so you could issue a new cert in 2018-Apr-29 16:19 UTC (5 hours from now).
Anyway, viewing the time you issued the certs, it seems the certificates are being issued by a cron job because the certs are issued from 4:00 UTC to 5:00 UTC and from 16:00 to 17:00 UTC (if you check above table for example, one cert is valid from 2018-Apr-22 03:45 UTC so you need to add 1 hour to know the creation date 2018-Apr-22 04:45 UTC because LE substracts 1 hour) so that means or you are really constant in the times you try to renew the certs or it is automated by a cron job or systemd timer.
So, I think you problem could be this:
and probably you have messed /etc/letsencrypt/ structure for your domain and you should fix it before trying to issue/renew a cert.
Could you please show the output of these commands?
ls -lR /etc/letsencrypt/
grep '' /etc/letsencrypt/renewal/*
certbot certificates
As the output could be a bit long you could upload it to some service like pastebin.com or if you have installed netcat (nc) you could use it to upload the outputs directly to termbin.com from command line.
I was able to renew it by deleting /etc/letsencrypt/archive/gdb-tutorial.net, /etc/letsencrypt/live/gdb-tutorial.net, and /etc/letsencrypt/archive/renewal.
Thank you everyone for your help. And thanks to Let’s Encrypt and Certbot creators.
