Can't renew certs, rate limit after errors

My domain is:
wx.schamschula.com
solar.schamschula.com

I ran this command:
certbot renew

It produced this output:
Renewing an existing certificate for solar.schamschula.com and wx.schamschula.com
Failed to renew certificate solar.schamschula.com with error: [Errno 2] No such file or directory: '/usr/local/etc/letsencrypt/archive/solar.schamschula.com/privkey1.pem'

I touched the missing file and reran certbot renew:
Renewing an existing certificate for solar.schamschula.com and wx.schamschula.com
Failed to renew certificate solar.schamschula.com with error: [Errno 17] File exists: '/usr/local/etc/letsencrypt/archive/solar.schamschula.com/privkey2.pem'

These errors seem to be circular. My attempts to renew have caused the rate limit to block any more attempts to renew. I had waited a week after first realizing there was an issue. Back to square one!

My web server is (include version):
apache24 2.4.54

The operating system my web server runs on is (include version):
FreeBSD 13.1

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.27.0

PS: I deinstalled and reinstalled certbot and certbot-apache. My certs will expire in less than a day.

The certificate is properly generated and downloaded, but not correctly installed on my server.

It would be good not to have to regenerate new certificates if there is a local error.

certbot is not a wizard.
That is, it can only do so much. Like: It can't fix a bad apache configuration.

So...
Please review your apache configuration.
Starting with the output of:
apachectl -t -D DUMP_VHOSTS


I doubt this has anything to do with the apache configuration. It hasn't changed in years. I suspect that there was a change to the freshports certbot package that broke things. After all, the previous update worked correctly.

However, here you go:

apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server wx.schamschula.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:29)
         port 80 namevhost wx.schamschula.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:29)
         port 80 namevhost solar.schamschula.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:108)
*:443                  is a NameVirtualHost
         default server wx.schamschula.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:122)
         port 443 namevhost wx.schamschula.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:122)
         port 443 namevhost solar.schamschula.com (/usr/local/etc/apache24/extra/httpd-vhosts.conf:216)

You may be right... I may be crazy!
But I've been burned by apache once too many times, not to check there first.

Let's check the output of:
certbot certificates
[against the file location being used by apache]


I already looked at that; that's why I know that they're about to expire.

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: solar.schamschula.com
    Serial Number: 3a841af97e6a102fe7a013be806018bf5f1
    Key Type: RSA
    Domains: solar.schamschula.com wx.schamschula.com
    Expiry Date: 2022-06-27 16:44:50+00:00 (VALID: 21 hour(s))
    Certificate Path: /usr/local/etc/letsencrypt/live/solar.schamschula.com/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/solar.schamschula.com/privkey.pem
  Certificate Name: wx.schamschula.com
    Serial Number: 4cd70ad7d4746a99e2617324349f31df70e
    Key Type: RSA
    Domains: wx.schamschula.com
    Expiry Date: 2022-06-27 16:53:12+00:00 (VALID: 21 hour(s))
    Certificate Path: /usr/local/etc/letsencrypt/live/wx.schamschula.com/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/wx.schamschula.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

That's not what I'm looking for.

Please show:
ls -l /usr/local/etc/letsencrypt/live/solar.schamschula.com/
df -h


We might be getting somewhere: a bunch of symlinks.

ls -l /usr/local/etc/letsencrypt/live/solar.schamschula.com/

total 13
-rw-r--r--  1 root  wheel  692 Mar 29 12:44 README
lrwxr-xr-x  1 root  wheel   50 Mar 29 12:44 cert.pem -> ../../archive/solar.schamschula.com-0001/cert1.pem
lrwxr-xr-x  1 root  wheel   51 Mar 29 12:44 chain.pem -> ../../archive/solar.schamschula.com-0001/chain1.pem
lrwxr-xr-x  1 root  wheel   55 Mar 29 12:44 fullchain.pem -> ../../archive/solar.schamschula.com-0001/fullchain1.pem
lrwxr-xr-x  1 root  wheel   53 Mar 29 12:44 privkey.pem -> ../../archive/solar.schamschula.com-0001/privkey1.pem

df -h

Filesystem            Size    Used   Avail Capacity  Mounted on
zroot/ROOT/default    890G    6.0G    884G     1%    /
devfs                 1.0K    1.0K      0B   100%    /dev
/dev/mfisyspd0p2      899G    152G    675G    18%    /oldroot
/dev/mfisyspd4p1      260M    1.8M    258M     1%    /boot/efi
fdescfs               1.0K    1.0K      0B   100%    /dev/fd
procfs                4.0K    4.0K      0B   100%    /proc
tank                  7.1T    959G    6.2T    13%    /tank
zroot                 884G     96K    884G     0%    /zroot
zroot/var/audit       884G     96K    884G     0%    /var/audit
zroot/var/crash       884G     96K    884G     0%    /var/crash
zroot/usr/home        885G    1.7G    884G     0%    /usr/home
zroot/usr/src         884G     96K    884G     0%    /usr/src
zroot/tmp             884G    388K    884G     0%    /tmp
zroot/var/log         884G    5.6M    884G     0%    /var/log
zroot/usr/ports       891G    7.7G    884G     1%    /usr/ports
zroot/var/tmp         884G     96K    884G     0%    /var/tmp
zroot/var/mail        884G    275M    884G     0%    /var/mail

OK, let's see:
ls -l /usr/local/etc/letsencrypt/archive/solar.schamschula.com/


ls -l /usr/local/etc/letsencrypt/archive/

total 4
drwxr-xr-x  2 root  wheel  3 Jun 26 13:13 solar.schamschula.com
drwxr-xr-x  2 root  wheel  6 Mar 29 12:44 solar.schamschula.com-0001
drwxr-xr-x  2 root  wheel  3 Jun 26 13:13 wx.schamschula.com
drwxr-xr-x  2 root  wheel  6 Mar 29 12:53 wx.schamschula.com-0001

Those are remnants of things gone bad...

That is unusual and should be looked into.

Now, let's have a look at (what I requested):


Oops, sorry, I misread that one.

ls -l /usr/local/etc/letsencrypt/archive/solar.schamschula.com/

total 1
-rw-r--r--  1 root  wheel  0 Jun 26 13:12 privkey1.pem

We seem to have found the problem.
The files are gone [NOT there].
"touching" it only created an empty file.

Let's look in:
ls -l /usr/local/etc/letsencrypt/archive/solar.schamschula.com-0001/


But here they are:

ls -l /usr/local/etc/letsencrypt/archive/solar.schamschula.com-0001/

total 44
-rw-r--r--  1 root  wheel  1887 Mar 29 12:44 cert1.pem
-rw-r--r--  1 root  wheel  3749 Mar 29 12:44 chain1.pem
-rw-r--r--  1 root  wheel  5636 Mar 29 12:44 fullchain1.pem
-rw-------  1 root  wheel  1704 Mar 29 12:44 privkey1.pem

Yes!
Right where they are NOT supposed to be.


As a very temporary attempt at a "fix", try:

cp /usr/local/etc/letsencrypt/archive/solar.schamschula.com-0001/* /usr/local/etc/letsencrypt/archive/solar.schamschula.com/

cp /usr/local/etc/letsencrypt/archive/wx.schamschula.com-0001/* /usr/local/etc/letsencrypt/archive/wx.schamschula.com/

[overwrite the empty file you touched]


Then retry:
certbot renew

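The replies above diagnose the lineage by hand with ls -l: the renewal config sends certbot to archive/solar.schamschula.com, while the live/ symlinks point into archive/solar.schamschula.com-0001, and the only file in the former is the empty one created with touch. The script below is an added example (not code from the thread or from certbot) that automates that check for one lineage and reproduces the thread's layout in a constructed temporary tree. It assumes certbot's standard layout under a config root (renewal/<name>.conf carrying an archive_dir line, live/<name>/*.pem symlinks into archive/) and, beyond the thread's cp, assumes that re-pointing the live symlinks at archive_dir is the right way to make live/, archive/ and the renewal config agree again; the file contents it writes are placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Added example, not from the thread: consistency check for a certbot lineage.
# Assumes certbot's standard layout under a config root ($root):
#   $root/renewal/<name>.conf   contains "archive_dir = <dir>"
#   $root/live/<name>/*.pem     are symlinks into an archive directory
# check_lineage prints one finding per line and returns 1 if any were found.
check_lineage() {
    root=$1; name=$2; rc=0
    conf="$root/renewal/$name.conf"
    [ -f "$conf" ] || { echo "MISSING renewal config $conf"; return 1; }
    # archive_dir is where "certbot renew" will write the next privkeyN.pem etc.
    archive=$(sed -n 's/^archive_dir *= *//p' "$conf")
    archive_abs=$(cd "$archive" 2>/dev/null && pwd -P) || archive_abs=""
    [ -n "$archive_abs" ] || { echo "MISSING archive_dir $archive"; return 1; }
    for kind in cert chain fullchain privkey; do
        link="$root/live/$name/$kind.pem"
        [ -L "$link" ] || { echo "NOT A SYMLINK $link"; rc=1; continue; }
        target=$(readlink "$link")
        # certbot writes relative targets (../../archive/...): resolve from live/<name>
        tdir=$(cd "$root/live/$name" && cd "$(dirname "$target")" 2>/dev/null && pwd -P) || tdir=""
        [ -n "$tdir" ] || { echo "DANGLING $link -> $target"; rc=1; continue; }
        [ "$tdir" = "$archive_abs" ] ||
            { echo "MISMATCH $link -> $tdir, but archive_dir is $archive_abs"; rc=1; }
        [ -s "$tdir/$(basename "$target")" ] ||
            { echo "EMPTY $tdir/$(basename "$target")"; rc=1; }
    done
    # A zero-byte file in archive_dir (for example one created with touch) can never load
    for f in "$archive_abs"/*.pem; do
        [ -e "$f" ] && [ ! -s "$f" ] && { echo "EMPTY $f"; rc=1; }
    done
    return $rc
}

# Constructed fixture reproducing the layout seen in the thread: the real files sit
# in <name>-0001, the renewal config points at <name>, and <name> holds only an
# empty privkey1.pem from "touch".  File contents are placeholders, not real PEMs.
build_broken_fixture() {
    root=$1; name=$2
    mkdir -p "$root/archive/$name-0001" "$root/archive/$name" "$root/live/$name" "$root/renewal"
    for kind in cert chain fullchain privkey; do
        echo "placeholder $kind (constructed, not a real PEM)" > "$root/archive/$name-0001/${kind}1.pem"
        ln -s "../../archive/$name-0001/${kind}1.pem" "$root/live/$name/$kind.pem"
    done
    : > "$root/archive/$name/privkey1.pem"   # the touched, empty file
    printf 'archive_dir = %s\n' "$root/archive/$name" > "$root/renewal/$name.conf"
}

# The thread's temporary fix: copy the archived files back under archive_dir.
copy_back() {
    cp "$1/archive/$2-0001"/* "$1/archive/$2/"
}

# Assumed follow-up (not stated in the thread): re-point the live symlinks at
# archive_dir so that live/, archive/ and the renewal config agree again.
relink_live() {
    root=$1; name=$2
    for kind in cert chain fullchain privkey; do
        ln -sf "../../archive/$name/${kind}1.pem" "$root/live/$name/$kind.pem"
    done
}

# Demo against the constructed fixture: sh check_lineage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    build_broken_fixture "$demo" solar.schamschula.com
    check_lineage "$demo" solar.schamschula.com || echo "lineage inconsistent (as in the thread)"
    copy_back "$demo" solar.schamschula.com
    relink_live "$demo" solar.schamschula.com
    check_lineage "$demo" solar.schamschula.com && echo "lineage consistent"
    rm -rf "$demo"
fi
```

Against a real install, call check_lineage /usr/local/etc/letsencrypt solar.schamschula.com (or /etc/letsencrypt on Linux) before running certbot renew; the cp from the thread clears the EMPTY finding but leaves the MISMATCH between the live symlinks and archive_dir, which is why the relink step is included as an assumption.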

Unfortunately, that's bound to fail because of my previous attempts.

What is?

Oh!
I see - rate limited
We'll get around that too


Processing /usr/local/etc/letsencrypt/renewal/solar.schamschula.com.conf

Renewing an existing certificate for solar.schamschula.com and wx.schamschula.com
Failed to renew certificate solar.schamschula.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: solar.schamschula.com,wx.schamschula.com: see Duplicate Certificate Limit - Let's Encrypt

Processing /usr/local/etc/letsencrypt/renewal/wx.schamschula.com.conf

Renewing an existing certificate for wx.schamschula.com
Failed to renew certificate wx.schamschula.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: wx.schamschula.com: see Duplicate Certificate Limit - Let's Encrypt

All renewals failed. The following certificates could not be renewed:
/usr/local/etc/letsencrypt/live/solar.schamschula.com/fullchain.pem (failure)
/usr/local/etc/letsencrypt/live/wx.schamschula.com/fullchain.pem (failure)

2 renew failure(s), 0 parse failure(s)