Hi! I’m trying to renew my expired certificate (which I registered about 3 months ago) through certbot. Certbot gives me a “rateLimited” error, so I haven’t been able to renew it for a week now. But the point is that I didn’t create any other certificates for my domain since March.
It produced this output: Error in LetsEncrypt::add:: error:rateLimited",
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: taverna.tv
My web server is (include version): nginx 1.14
The operating system my web server runs on is (include version): Ubuntu 16.04
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
No, I didn’t set up any cron job, that’s the thing.
I found that out too, so I tried waiting a week (for the limit renewal). Now I see 10 (not 20) records for this week, but it still gives me the limit error. So now I’m here.
If you installed Certbot from a package, a systemd timer will automatically run “certbot renew” twice a day, between 00:00-01:00 and 12:00-13:00 in your local time zone.
That’s a good thing.
“certbot renew” only issues certificates when necessary, by default when they will expire in less than 30 days.
The problem is that for some reason excessive certificates are being issued. “certbot renew” can do that under certain circumstances, when it’s configured to, or when /etc/letsencrypt/ is corrupt.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/taverna.tv/cert.pem is unknown
-------------------------------------------------------------------------------
Found the following certs:
Certificate Name: taverna.tv
Domains: taverna.tv
Expiry Date: 2018-05-29 06:26:25+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/taverna.tv/fullchain.pem
Private Key Path: /etc/letsencrypt/live/taverna.tv/privkey.pem
-------------------------------------------------------------------------------
sudo ls -al /etc/letsencrypt/{archive,live}
/etc/letsencrypt/archive:
total 16
drwx------ 4 root root 4096 Feb 28 10:26 .
drwxr-xr-x 9 root root 4096 Jun 6 17:55 ..
drwxr-xr-x 2 root root 4096 Apr 29 12:03 taverna.tv
drwxr-xr-x 2 root root 4096 Feb 28 10:26 taverna.tv-0001
/etc/letsencrypt/live:
total 12
drwx------ 3 root root 4096 Feb 28 10:31 .
drwxr-xr-x 9 root root 4096 Jun 6 17:55 ..
drwxr-xr-x 2 root root 4096 Jun 5 12:34 taverna.tv
The symlinks in /etc/letsencrypt/live/taverna.tv/ are wrong: They’re supposed to point to files in ../../archive/taverna.tv/, but they’re pointing to ../../archive/taverna.tv-0001/ instead. Certbot is saving all of your new certificates in /etc/letsencrypt/archive/taverna.tv/, as it’s supposed to, but it doesn’t automatically fix incorrect symlinks, so the certificates aren’t found again later.
You can fix it manually. Make a backup copy of /etc/letsencrypt/, double check I didn’t misspell anything, and do:
You can also delete /etc/letsencrypt/archive/taverna.tv-0001/ and, if it exists, the file /etc/letsencrypt/renewal/taverna.tv-0001.conf.
Renaming things in /etc/letsencrypt/ is tricky. It’s safer to avoid it, e.g. by using “certbot --nginx --cert-name taverna.tv -d taverna.tv -d abc.taverna.tv -d xyz.taverna.tv” to have Certbot issue a new certificate and save it on top of the taverna.tv certificate. Or “certbot delete --cert-name example.com-0001” to delete a certificate’s files.
You can double check the paths stored in /etc/letsencrypt/renewal/taverna.tv.conf (it's a typical human readable config file, though you shouldn't typically edit it by hand) and make sure it's pointing at /etc/letsencrypt/archive/taverna.tv/ and /etc/letsencrypt/live/taverna.tv/.
And also double check your Nginx configuration to make sure it's only using /etc/letsencrypt/live/taverna.tv/.
But if there were issues with either of those, I think other things would have gone wrong by now.
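The symlink mismatch diagnosed in this thread can be detected with a read-only check. The script below is an added example, not part of the original posts and not Certbot's own code; the function names are hypothetical, and the temporary directory tree is constructed to mirror the listing above.

```shell
#!/bin/sh
# Added example: read-only check that live/<name>/*.pem point into archive/<name>/.

# Build a constructed copy of the layout from the thread (broken symlinks).
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/archive/taverna.tv" "$fx/archive/taverna.tv-0001" "$fx/live/taverna.tv"
    for f in cert chain fullchain privkey; do
        : > "$fx/archive/taverna.tv/${f}1.pem"
        : > "$fx/archive/taverna.tv-0001/${f}1.pem"
        ln -s "../../archive/taverna.tv-0001/${f}1.pem" "$fx/live/taverna.tv/${f}.pem"
    done
    echo "$fx"
}

# check_live_links ROOT: print each bad link, return 1 if any were found.
check_live_links() {
    root=$1
    bad=0
    for dir in "$root"/live/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        for f in cert chain fullchain privkey; do
            link="${dir}${f}.pem"
            if [ ! -L "$link" ]; then
                echo "$name/${f}.pem: not a symlink"; bad=1; continue
            fi
            target=$(readlink "$link")
            case "$target" in
                "../../archive/$name/$f"[0-9]*.pem)
                    # Right directory; still flag a link whose file is gone.
                    [ -e "$link" ] || { echo "$name/${f}.pem: dangling ($target)"; bad=1; } ;;
                *)
                    echo "$name/${f}.pem -> $target"; bad=1 ;;
            esac
        done
    done
    return "$bad"
}

# Demo on the constructed fixture; nothing under /etc is touched.
demo=$(make_fixture)
check_live_links "$demo" || echo "live/ and archive/ disagree for the lineages listed above"
rm -rf "$demo"
```

On a real host the call would be `check_live_links /etc/letsencrypt`, run as root because live/ and archive/ are only readable by root in the listing above.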