Can't renew certificate!


#1

Hi! I’m trying to renew my expired certificate (that I registered about 3 months ago) through certbot. Certbot gives me “rateLimited” error, so I can’t renew it for a week now. But the point is that I didn’t create any other certificates for my domain since March.

My domain is: taverna.tv

I ran this command: certbot renew

It produced this output: Error in LetsEncrypt::add:: error:rateLimited",
Error: um:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: taverna.tv

My web server is (include version): nginx 1.14

The operating system my web server runs on is (include version): Ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

https://crt.sh/?q=%taverna.tv , or just these last 7 days:

Serial: 292219886946586657448101389379576014532730
NotBefore: 2018-06-05 08:34:30 +0000 UTC
Names: [taverna.tv]

Serial: 270620819864504679543677025293627237981918
NotBefore: 2018-06-04 20:46:30 +0000 UTC
Names: [taverna.tv]

Serial: 314170664509698329547355610092057356079083
NotBefore: 2018-06-04 08:00:29 +0000 UTC
Names: [taverna.tv]

Serial: 340909207178605631544616496728730099496714
NotBefore: 2018-06-03 20:14:38 +0000 UTC
Names: [taverna.tv]

Serial: 331914073270950850582733389558197032630708
NotBefore: 2018-06-03 08:21:39 +0000 UTC
Names: [taverna.tv]

Based on the issuance times, it looks like you have a cron job running at 8am and 8pm (every ~12 hours).

Have you set up some kind of scheduled task / cron job manually? Can we see it?


#3

What do “sudo certbot certificates” and “sudo ls -al /etc/letsencrypt/{archive,live}” show?


#4

No, I didn’t set up any cron job, that’s the thing.
I found out it too, then I tried to wait a week (for limit renewal), now I see 10 (not 20) records on this week, but it still gives me the limit error. So now I’m here.


#5

It’s really weird that Certbot would do that.

In addition to the information mnordhoff asked for, what is the contents of /etc/letsencrypt/renewal/taverna.tv.conf ?


#6

Well, I’ll give this information in 3-4 hours (at home).
May it be the cause, that I didn’t update certbot since March?


#7

If you installed Certbot from a package, a systemd timer will automatically run “certbot renew” twice a day, between 00:00-01:00 and 12:00-13:00 in your local time zone.

That’s a good thing.

certbot renew” only issues certificates when necessary, by default when they will expire in less than 30 days.

The problem is that for some reason excessive certificates are being issued. “certbot renew” can do that under certain circumstances, when it’s configured to, or when /etc/letsencrypt/ is corrupt.


#8

sudo certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/taverna.tv/cert.pem is unknown

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: taverna.tv
    Domains: taverna.tv
    Expiry Date: 2018-05-29 06:26:25+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/taverna.tv/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/taverna.tv/privkey.pem
-------------------------------------------------------------------------------

sudo ls -al /etc/letsencrypt/{archive,live}

/etc/letsencrypt/archive:
total 16
drwx------ 4 root root 4096 Feb 28 10:26 .
drwxr-xr-x 9 root root 4096 Jun  6 17:55 ..
drwxr-xr-x 2 root root 4096 Apr 29 12:03 taverna.tv
drwxr-xr-x 2 root root 4096 Feb 28 10:26 taverna.tv-0001

/etc/letsencrypt/live:
total 12
drwx------ 3 root root 4096 Feb 28 10:31 .
drwxr-xr-x 9 root root 4096 Jun  6 17:55 ..
drwxr-xr-x 2 root root 4096 Jun  5 12:34 taverna.tv

#9

/etc/letsencrypt/renewal/taverna.tv.conf

# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/taverna.tv
cert = /etc/letsencrypt/live/taverna.tv/cert.pem
privkey = /etc/letsencrypt/live/taverna.tv/privkey.pem
chain = /etc/letsencrypt/live/taverna.tv/chain.pem
fullchain = /etc/letsencrypt/live/taverna.tv/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = nginx
account = b1e7d489744280473ba3c43175c012b9
installer = nginx

#10

I’m sorry, I forgot one argument. Can you run:

sudo ls -alR /etc/letsencrypt/{archive,live}

#11
/etc/letsencrypt/archive:
total 16
drwx------ 4 root root 4096 Feb 28 10:26 .
drwxr-xr-x 9 root root 4096 Jun  6 17:55 ..
drwxr-xr-x 2 root root 4096 Apr 29 12:03 taverna.tv
drwxr-xr-x 2 root root 4096 Feb 28 10:26 taverna.tv-0001

/etc/letsencrypt/archive/taverna.tv:
total 40
drwxr-xr-x 2 root root 4096 Apr 29 12:03 .
drwx------ 4 root root 4096 Feb 28 10:26 ..
-rw-r--r-- 1 root root 1805 Dec  7 15:26 cert1.pem
-rw-r--r-- 1 root root 2139 Jun  5 12:34 cert2.pem
-rw-r--r-- 1 root root 1647 Dec  7 15:26 chain1.pem
-rw-r--r-- 1 root root 1647 Jun  5 12:34 chain2.pem
-rw-r--r-- 1 root root 3452 Dec  7 15:26 fullchain1.pem
-rw-r--r-- 1 root root 3786 Jun  5 12:34 fullchain2.pem
-rw-r--r-- 1 root root 1704 Dec  7 15:26 privkey1.pem
-rw-r--r-- 1 root root 1704 Jun  5 12:34 privkey2.pem

/etc/letsencrypt/archive/taverna.tv-0001:
total 24
drwxr-xr-x 2 root root 4096 Feb 28 10:26 .
drwx------ 4 root root 4096 Feb 28 10:26 ..
-rw-r--r-- 1 root root 1781 Feb 28 10:26 cert1.pem
-rw-r--r-- 1 root root 1647 Feb 28 10:26 chain1.pem
-rw-r--r-- 1 root root 3428 Feb 28 10:26 fullchain1.pem
-rw-r--r-- 1 root root 1704 Feb 28 10:26 privkey1.pem

/etc/letsencrypt/live:
total 12
drwx------ 3 root root 4096 Feb 28 10:31 .
drwxr-xr-x 9 root root 4096 Jun  6 17:55 ..
drwxr-xr-x 2 root root 4096 Jun  5 12:34 taverna.tv

/etc/letsencrypt/live/taverna.tv:
total 12
drwxr-xr-x 2 root root 4096 Jun  5 12:34 .
drwx------ 3 root root 4096 Feb 28 10:31 ..
lrwxrwxrwx 1 root root   39 Jun  5 12:34 cert.pem -> ../../archive/taverna.tv-0001/cert1.pem
lrwxrwxrwx 1 root root   40 Jun  5 12:34 chain.pem -> ../../archive/taverna.tv-0001/chain1.pem
lrwxrwxrwx 1 root root   44 Jun  5 12:34 fullchain.pem -> ../../archive/taverna.tv-0001/fullchain1.pem
lrwxrwxrwx 1 root root   42 Jun  5 12:34 privkey.pem -> ../../archive/taverna.tv-0001/privkey1.pem
-rw-r--r-- 1 root root  543 Feb 28 10:26 README

#12

Thank you! Sorry.

The symlinks in /etc/letsencrypt/live/taverna.tv/ are wrong: They’re supposed to point to files in ../../archive/taverna.tv/, but they’re pointing to ../../archive/taverna.tv-0001/ instead. Certbot is saving all of your new certificates in /etc/letsencrypt/archive/taverna.tv/, as it’s supposed to, but it doesn’t automatically fix incorrect symlinks, so the certificates aren’t found again later.

You can fix it manually. Make a backup copy of /etc/letsencrypt/, double check I didn’t misspell anything, and do:

sudo ln -fs ../../archive/taverna.tv/cert2.pem /etc/letsencrypt/live/taverna.tv/cert.pem
sudo ln -fs ../../archive/taverna.tv/chain2.pem /etc/letsencrypt/live/taverna.tv/chain.pem
sudo ln -fs ../../archive/taverna.tv/fullchain2.pem /etc/letsencrypt/live/taverna.tv/fullchain.pem
sudo ln -fs ../../archive/taverna.tv/privkey2.pem /etc/letsencrypt/live/taverna.tv/privkey.pem

You can also delete /etc/letsencrypt/archive/taverna.tv-0001/ and, if it exists, the file /etc/letsencrypt/renewal/taverna.tv-0001.conf.

Renaming things in /etc/letsencrypt/ is tricky. It’s safer to avoid it, e.g. by using “certbot --nginx --cert-name taverna.tv -d taverna.tv -d abc.taverna.tv -d xyz.taverna.tv” to have Certbot issue a new certificate and save it on top of the taverna.tv certificate. Or “cerbot delete --cert-name example.com-0001” to delete a certificate’s files.


#13

I’m grateful to you! It works. Should I edit any conf files to fix incorrect file pointing?


#14

It’s probably all good now. :smile:

You can double check the paths stored in /etc/letsencrypt/renewal/taverna.tv.conf (it’s a typical human readable config file, though you shouldn’t typically edit it by hand) and make sure it’s pointing at /etc/letsencrypt/archive/taverna.tv/ and /etc/letsencrypt/live/taverna.tv/.

And also double check your Nginx configuration to make sure it’s only using /etc/letsencrypt/live/taverna.tv/.

But if there were issues with either of those, I think other things would have gone wrong by now.


#15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.