Can't renew certificate - where do I exceed the rate limits?


#1

I had an error in my configuration file after moving to a new server. When the cronjob tried to renew the certificate it could not save the renewed certificate due to the config error, but the certificates seem to have already been created.

I disabled all automatic renewals (crontab/systemd) and I’m trying to manually renew the certificate now, but I always get the response that I’m above the limit for requests, but I can’t find 20 requests or more in the past 7 days.

My domain is:
homertool.de

I ran this command:
certbot renew

It produced this output:
Attempting to renew cert from /etc/letsencrypt/renewal/homertool.de-0001.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: homertool.de,www.homertool.de. Skipping.

My operating system is (include version):
Debian 8

My web server is (include version):
Apache/2.4.10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

Hi @csocto,

There is a limit of 20 certificates per domain/subdomain per 7 days, but you are reaching another rate limit: 5 certificates per same subset of domains per 7 days.

Take a look at the rate limits page https://letsencrypt.org/docs/rate-limits/, especially this part:

We also have a Duplicate Certificate limit of 5 certificates per week. A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names by adding [blog.example.com], you would be able to request additional certificates.

These are your last issued certs for homertool.de and www.homertool.de.

CRT ID     DOMAIN (CN)       VALID FROM              VALID TO                EXPIRES IN  SANs
132972627  homertool.de      2017-May-04 23:06 CEST  2017-Aug-02 23:06 CEST  86 days     homertool.de
                                                                                         www.homertool.de
132761193  homertool.de      2017-May-04 11:29 CEST  2017-Aug-02 11:29 CEST  86 days     homertool.de
                                                                                         www.homertool.de
132584710  homertool.de      2017-May-03 23:08 CEST  2017-Aug-01 23:08 CEST  85 days     homertool.de
                                                                                         www.homertool.de
132348755  homertool.de      2017-May-03 11:40 CEST  2017-Aug-01 11:40 CEST  85 days     homertool.de
                                                                                         www.homertool.de
132202323  homertool.de      2017-May-02 23:49 CEST  2017-Jul-31 23:49 CEST  84 days     homertool.de
                                                                                         www.homertool.de
131871813  homertool.de      2017-May-02 10:59 CEST  2017-Jul-31 10:59 CEST  83 days     homertool.de
                                                                                         www.homertool.de

You have a few valid certificates for your domain ;).

Cheers,
sahsanu
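The window arithmetic behind the Duplicate Certificate limit this reply points at, as an added example that is not part of the thread or of any Let's Encrypt code; the issuance times come from the table above, and treating the limit as a strict 7-day sliding window is an assumption, since the docs state the limit rather than the enforcement algorithm.

```python
"""Duplicate Certificate limit: 5 per 7 days for the exact same set of names."""
from datetime import datetime, timedelta, timezone

CEST = timezone(timedelta(hours=2))
LIMIT = 5
WINDOW = timedelta(days=7)

# Issuance times copied from the crt.sh table in the thread for the name set
# {homertool.de, www.homertool.de}; listed there in CEST.
ISSUED = [
    datetime(2017, 5, 2, 10, 59, tzinfo=CEST),
    datetime(2017, 5, 2, 23, 49, tzinfo=CEST),
    datetime(2017, 5, 3, 11, 40, tzinfo=CEST),
    datetime(2017, 5, 3, 23, 8, tzinfo=CEST),
    datetime(2017, 5, 4, 11, 29, tzinfo=CEST),
    datetime(2017, 5, 4, 23, 6, tzinfo=CEST),
]


def name_set(names):
    """Key under which duplicates are counted: capitalization and order are ignored."""
    return frozenset(n.lower().rstrip(".") for n in names)


def in_window(issued, now):
    """Issuances that still count at `now` (strict 7-day sliding window, assumed)."""
    return sorted(t for t in issued if now - WINDOW < t <= now)


def is_rate_limited(issued, now):
    return len(in_window(issued, now)) >= LIMIT


def next_allowed(issued, now):
    """Earliest instant at which one more duplicate would be accepted."""
    recent = in_window(issued, now)
    if len(recent) < LIMIT:
        return now
    # Enough of the oldest counted issuances must age out to leave LIMIT - 1.
    return recent[len(recent) - LIMIT] + WINDOW


if __name__ == "__main__":
    now = ISSUED[-1]                                   # right after the 6th cert
    print(is_rate_limited(ISSUED, now))                # True
    print(next_allowed(ISSUED, now).isoformat())       # 2017-05-09T23:49:00+02:00
```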


#3

Seems I have missed the part with the Duplicate Certificate limit. :confused:
Is there a way to use one of those valid certificates instead of trying to renew again?
And if I’m above the limit of 5 duplicate certificates a week, I should be able to renew my certificate again on July 10th right?


#4

Hi @csocto,

As you have already renewed your certs, if you have your Apache conf for your domain pointing to the certificates in /etc/letsencrypt/live/homertool.de/ dir, then you only need to restart/reload your Apache so the new cert will be used.

Cheers,
sahsanu


#5

The certificates from the failed attempts were not saved on my server. There is only one certificate in /etc/letsencrypt/archive/homertool.de/ and that’s the one that has expired. I guess I will try to renew again the day after tomorrow.
Anyway thanks for the answers. :+1:


#6

@csocto,

That is really strange. Could you please check whether you have a dir in /etc/letsencrypt/live/ with name homertool.de-000x where x is a number? Or if you have a dir with www.homertool.de?

Please, show the output of this command:

ls -la /etc/letsencrypt/live/

Cheers,
sahsanu


#7

Maybe I also messed up some more things when I moved to the new server. :unamused:

I had two directories in /etc/letsencrypt/live/, but I removed one that was related to the old renew-config file that was causing errors. Now there’s only the directory /etc/letsencrypt/live/homertool.de-0001 left and the symlinks point to the 4 files contained in /etc/letsencrypt/archive/homertool.de-0001. I don’t know how I managed to have two directories.

I somehow had two renew configs (homertool.de and homertool.de-0001) and those were referring to their respective directories in /etc/letsencrypt/live. The problem was that the symlinks in /etc/letsencrypt/archive/homertool.de were broken and the cronjob for certbot was trying to renew files that weren’t there.
I removed the wrong config file and the related directories last Friday, but since I’m still above the rate limits I can’t test if the problem is solved now.


#8

@csocto, you should not manually change the dirs, links etc. inside /etc/letsencrypt/.

I don’t know what you did, but I suppose you executed the same command twice and, as letsencrypt detected that a dir with the same domain name already existed, it created a new dir to avoid overriding the current one.

You should also check the files in /etc/letsencrypt/renewal/ or your renew command could try to renew the cert for a domain that you already deleted manually. You should leave only one conf file that includes homertool.de and www.homertool.de. If you have two conf files you should remove the one you don’t need. Please, before deleting something, backup backup backup :wink:

If you are using a recent version of certbot, you could use these commands instead of reviewing/deleting them manually:

certbot certificates

And if there is some problem with the links and renewal conf, it will tell you which file is the problematic one.

certbot delete

It will show you a list of certificates and you could delete the one you don’t need; certbot will remove the appropriate files and dirs.

The certbot command can be certbot-auto, letsencrypt-auto… I don’t know how you got the letsencrypt client.

Cheers,
sahsanu


#9

On the upside, if this is an emergency and you don’t currently have a valid certificate, it should be possible to put the pieces together with some detective work.

The certificates may be in /etc/letsencrypt/archive. If not, you can download them from crt.sh or other public records.

The private keys may also be in /etc/letsencrypt/archive. If not, they probably are in /etc/letsencrypt/keys. The filenames in that directory aren’t useful, and you’d have to match the proper certificate to the proper key by hand, but it can be done.

(I don’t generally recommend rooting around in /etc/letsencrypt like this, but if it’s an emergency, it may be worth doing as a temporary measure.)
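One way to do the key-to-certificate matching described above by hand, as an added example (not certbot's code and not from the post): it assumes the openssl binary is on PATH and builds its own constructed fixture, so the /etc/letsencrypt paths in the main block are only the layout the thread names.

```python
"""Match orphaned private keys to certificates via DER SubjectPublicKeyInfo (openssl CLI)."""
import glob, os, subprocess, tempfile

def _openssl(*args, data=None):
    r = subprocess.run(["openssl", *args], input=data, capture_output=True, check=True)
    return r.stdout

def cert_pubkey(path):
    """SubjectPublicKeyInfo (DER) extracted from a PEM certificate."""
    pem = _openssl("x509", "-in", path, "-noout", "-pubkey")
    return _openssl("pkey", "-pubin", "-outform", "DER", data=pem)

def key_pubkey(path):
    """SubjectPublicKeyInfo (DER) derived from a PEM private key."""
    return _openssl("pkey", "-in", path, "-pubout", "-outform", "DER")

def match_keys_to_certs(cert_paths, key_paths):
    """Return {cert_path: key_path}; files openssl cannot parse are skipped."""
    by_pub = {}
    for k in key_paths:
        try:
            by_pub[key_pubkey(k)] = k
        except subprocess.CalledProcessError:
            pass  # e.g. a CSR or a truncated file in /etc/letsencrypt/keys
    matches = {}
    for c in cert_paths:
        try:
            pub = cert_pubkey(c)
        except subprocess.CalledProcessError:
            continue
        if pub in by_pub:
            matches[c] = by_pub[pub]
    return matches

def demo():
    """Constructed fixture: a self-signed cert, its key and an unrelated decoy key."""
    d = tempfile.mkdtemp()
    cert, key, decoy = (os.path.join(d, n) for n in ("cert1.pem", "0000_key.pem", "0001_key.pem"))
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=example.invalid", "-keyout", key, "-out", cert)
    _openssl("genpkey", "-algorithm", "RSA", "-out", decoy)
    return match_keys_to_certs([cert], [decoy, key]) == {cert: key}

if __name__ == "__main__":
    # Layout named in the thread: archive/<name>/certN.pem and keys/*.pem
    certs = glob.glob("/etc/letsencrypt/archive/*/cert*.pem")
    keys = glob.glob("/etc/letsencrypt/keys/*.pem")
    for c, k in sorted(match_keys_to_certs(certs, keys).items()):
        print(f"{c} <- {k}")
```

Run as root it prints each archived certificate beside the key that reproduces its public key, which is the pairing certbot's live/ symlinks would normally record for you.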


#10

I also removed the wrong renewal file in /etc/letsencrypt/renewal when I deleted the other directories and tested afterwards with their staging server, and it seems to work there. Of course I made backups before changing anything in the folder, but I don’t see where the broken links or wrong config can help me out right now. The only thing those files were producing are the tons of certificates I have now. :slight_smile:
I will give it another try tomorrow. If it’s not working, I think I will delete the content of the /etc/letsencrypt folder and start with a fresh certificate.

