Cannot renew -- rate limited. Not sure why


#1

Hello,

My server is set up to redirect traffic from http://gdb-tutorial.net -> https://gdb-tutorial.net -> https://www.gdb-tutorial.net through a series of 301s.

I was able to renew www.gdb-tutorial.net’s certificate without trouble.
But I cannot renew gdb-tutorial.net’s certificate.

I read the rate limiting page which talks about 20 / week. So I waited a week and tried again. Same thing. Then I waited another week – same thing.

I looked at /var/log/letsencrypt/letsencrypt.log but didn’t really gain much insight. I see the HTTP code 429 with a message telling me it was rate limited.

I don’t recall setting up any sort of automatic renewal. I had to manually renew other domains of mine. But maybe I did and can’t find them in cron?

Previously, when looking at the log it seemed like I had messed up my certificate directory somehow. I deleted it and tried to get a new cert but am still rate limited.

My domain is:
gdb-tutorial.net (bad)
www.gdb-tutorial.net (good)

I ran this command:
sudo certbot certonly

It produced this output:
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: gdb-tutorial.net: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version):
nginx 1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is:
RamNode

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Thanks!


#2

Try with:
--preferred-challenges http


#3

It still fails due to rate limiting.
But I can try that next week, perhaps. :slight_smile:


#4

You seem to have an automated process that’s renewing every day (!).

https://crt.sh/?Identity=%gdb-tutorial.net&iCAID=16418

Is it possible that you created a cron job or systemd timer with certbot renew --force-renew (or the confusingly-named obsolete synonym --renew-by-default)?


#5

If I’m reading that correctly, it isn’t every day.
That is me on the weekends trying to renew it through various means.

For example, you’ll see I did my mass renewal of subdomains on 2018-04-07.
Then you see me trying to get just gdb-tutorial.net working on 2018-04-08 and 09 (the next two days).

Then I waited about a week to try again (the 15th).


#6

If you read the page fully, there is also a Duplicate Certificate limit of 5 per week, which you certainly exceeded at some points.

You should be able to issue one now though (or very soon), as the maths only adds up to 4 in the current 7 day window.

Certbot would never create this many duplicate certificates on its own without --force-renew or certbot delete, as pointed out already.


#7

Or the more obscure --duplicate. :slight_smile:


#8

Hrmmm maybe I tried with --force-renew. I didn’t try delete or --duplicate.

I had tried several times today but those don’t show up on https://crt.sh/?Identity=%gdb-tutorial.net

The entries I do see on that page may have been --force-renew attempts. But on my end, I was still told that I was rate limited and it still failed. Maybe it succeeded on Let’s Encrypt’s end and my corrupted certificate directory was the problem? (And it still told me I was rate limited for some reason?)

I guess my attempts earlier today were ACTUALLY rate limited.

I’ll wait until May 1st, when I have 3 more duplicate certificate attempts available. Then I should no longer be rate limited. At that point, I’ll try with --preferred-challenges http as well.

Thanks!


#9

Hi @ProgramMax,

As @_az said you could issue today 1 more cert.

CRT ID     CERT TYPE  DOMAIN (CN)              VALID FROM             VALID TO               EXPIRES IN  SANs
416942035  Pre cert   gdb-tutorial.net         2018-Apr-24 03:16 UTC  2018-Jul-23 03:16 UTC  84 days     gdb-tutorial.net
415625234  Pre cert   gdb-tutorial.net         2018-Apr-23 15:18 UTC  2018-Jul-22 15:18 UTC  84 days     gdb-tutorial.net
414877136  Pre cert   gdb-tutorial.net         2018-Apr-23 03:54 UTC  2018-Jul-22 03:54 UTC  83 days     gdb-tutorial.net
414148870  Pre cert   gdb-tutorial.net         2018-Apr-22 15:19 UTC  2018-Jul-21 15:19 UTC  83 days     gdb-tutorial.net
413364258  Pre cert   gdb-tutorial.net         2018-Apr-22 03:45 UTC  2018-Jul-21 03:45 UTC  82 days     gdb-tutorial.net
[...]

Today is 2018-Apr-29 (and at the time of writing this post 11:00 UTC), so it means you issued a certificate on 2018-Apr-22 03:45 UTC and you could issue a new cert on 2018-Apr-22 04:45 UTC. Also, you issued one more cert on 2018-Apr-22 15:19 UTC so you could issue a new cert on 2018-Apr-29 16:19 UTC (5 hours from now).

Anyway, looking at the times you issued the certs, it seems the certificates are being issued by a cron job, because the certs are issued from 4:00 UTC to 5:00 UTC and from 16:00 to 17:00 UTC (if you check the table above, for example, one cert is valid from 2018-Apr-22 03:45 UTC, so you need to add 1 hour to get the creation date, 2018-Apr-22 04:45 UTC, because LE subtracts 1 hour). So that means either you are really consistent in the times you try to renew the certs, or it is automated by a cron job or systemd timer.

So, I think your problem could be this:

and probably you have messed up the /etc/letsencrypt/ structure for your domain and you should fix it before trying to issue/renew a cert.

Could you please show the output of these commands?

ls -lR /etc/letsencrypt/
grep '' /etc/letsencrypt/renewal/* 
certbot certificates

As the output could be a bit long you could upload it to some service like pastebin.com or if you have installed netcat (nc) you could use it to upload the outputs directly to termbin.com from command line.

ls -lR /etc/letsencrypt/ | nc termbin.com 9999
grep '' /etc/letsencrypt/renewal/* | nc termbin.com 9999
certbot certificates | nc termbin.com 9999

And you will receive 3 URLs like http://termbin.com/xxxx and you should only paste those URLs here, easy and fast :wink:

Cheers,
sahsanu
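
The window arithmetic from post #9, as an added example that is not part of the original thread: it takes the "VALID FROM" times from the table, adds back the one hour of backdating, and computes how many duplicate certificates remain and when the next slot opens. It assumes the 5-per-week limit is a sliding 7-day window; the function names are illustrative.

```python
from datetime import datetime, timedelta, timezone

DUPLICATE_LIMIT = 5             # "Duplicate Certificate limit of 5 per week" (post #6)
WINDOW = timedelta(days=7)      # assumption: sliding 7-day window
BACKDATE = timedelta(hours=1)   # notBefore is 1 hour before issuance (post #9)

# "VALID FROM" values copied from the table in post #9 (the table is truncated there).
VALID_FROM = [
    "2018-Apr-24 03:16", "2018-Apr-23 15:18", "2018-Apr-23 03:54",
    "2018-Apr-22 15:19", "2018-Apr-22 03:45",
]

def issued_at(valid_from):
    """Convert a notBefore string from the table to the real issuance time (UTC)."""
    nb = datetime.strptime(valid_from, "%Y-%b-%d %H:%M").replace(tzinfo=timezone.utc)
    return nb + BACKDATE

def in_window(issuances, now):
    """Issuances that still count against the limit at `now`, oldest first."""
    return sorted(t for t in issuances if now - WINDOW < t <= now)

def remaining(issuances, now):
    """How many more duplicate certificates can be issued right now."""
    return max(0, DUPLICATE_LIMIT - len(in_window(issuances, now)))

def next_allowed(issuances, now):
    """Earliest time at which a new duplicate certificate can be issued."""
    active = in_window(issuances, now)
    if len(active) < DUPLICATE_LIMIT:
        return now
    # Enough of the oldest entries must age out to drop below the limit.
    return active[len(active) - DUPLICATE_LIMIT] + WINDOW

def issuance_hours(issuances):
    """Distinct UTC hours of issuance; a small fixed set suggests a scheduler."""
    return sorted({t.hour for t in issuances})

if __name__ == "__main__":
    now = datetime(2018, 4, 29, 11, 0, tzinfo=timezone.utc)  # time of post #9
    certs = [issued_at(v) for v in VALID_FROM]
    print("remaining now:", remaining(certs, now))
    print("next slot after issuing one now:", next_allowed(certs + [now], now))
    print("issuance hours (UTC):", issuance_hours(certs))
```

Run against the five visible rows, this gives one remaining issuance at the time of post #9, a following slot at 2018-Apr-29 16:19 UTC, and issuance hours limited to 04 and 16 UTC.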


#10

I was able to renew it by deleting /etc/letsencrypt/archive/gdb-tutorial.net, /etc/letsencrypt/live/gdb-tutorial.net, and /etc/letsencrypt/archive/renewal.

Thank you everyone for your help. And thanks to Let’s Encrypt and Certbot creators. :slight_smile:

