Cert Expired - Certbot Renewal Fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
request.defran.us

I ran this command:
certbot renew

It produced this output:
Attempting to renew cert (request.defran.us) from /etc/letsencrypt/renewal/request.defran.us.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: request.defran.us: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/request.defran.us/fullchain.pem (failure)

My web server is (include version):
nginx/1.14.2

The operating system my web server runs on is (include version):

ubuntu server 18.04.3 running inside a docker

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.32.0

Hi @antidefran,

What’s the output of certbot certificates?

Hello

certbot certificates shows:

Found the following certs:
Certificate Name: request.defran.us
Domains: request.defran.us
Expiry Date: 2019-12-21 05:08:37+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/request.defran.us/fullchain.pem
Private Key Path: /etc/letsencrypt/live/request.defran.us/privkey.pem

I have it set to autorenew but it fails everytime because I've somehow reached the limit.

Thanks!

This is similar to a problem that we’ve sometimes seen when people have renamed some of the items in /etc/letsencrypt in a way that subsequently confuses Certbot about whether or not a renewal succeeds. Could we see the output of this command too?

ls -lR /etc/letsencrypt/{live,archive}

(Alternatively, do you happen to have any other servers or containers that have previously had certificates for this same name that might still be operating somewhere?)

As far as I remember, there are no other servers or containers that would have certificates for the same name.
Here's my output for ls -lR /etc/letsencrypt/{live,archive}

/etc/letsencrypt/archive:
total 9
drwxr-xr-x 2 nobody 4294967294 73 Feb 3 02:11 request.defran.us
/etc/letsencrypt/archive/request.defran.us:
total 320
-rw-r--r-- 1 nobody 4294967294 2260 Nov 20 16:57 cert1.pem
-rw-r--r-- 1 nobody 4294967294 2264 Nov 20 16:57 cert2.pem
-rw-r--r-- 1 nobody 4294967294 2264 Nov 20 16:57 cert3.pem
-rw-r--r-- 1 nobody 4294967294 2260 Nov 20 16:57 cert4.pem
-rw-r--r-- 1 nobody 4294967294 1647 Nov 20 16:57 chain1.pem
-rw-r--r-- 1 nobody 4294967294 1647 Nov 20 16:57 chain2.pem
-rw-r--r-- 1 nobody 4294967294 1647 Nov 20 16:57 chain3.pem
-rw-r--r-- 1 nobody 4294967294 1647 Nov 20 16:57 chain4.pem
-rw-r--r-- 1 nobody 4294967294 3907 Nov 20 16:57 fullchain1.pem
-rw-r--r-- 1 nobody 4294967294 3911 Nov 20 16:57 fullchain2.pem
-rw-r--r-- 1 nobody 4294967294 3911 Nov 20 16:57 fullchain3.pem
-rw-r--r-- 1 nobody 4294967294 3907 Nov 20 16:57 fullchain4.pem
-rw------- 1 nobody 4294967294 3272 Nov 20 16:57 privkey1.pem
-rw------- 1 nobody 4294967294 3272 Nov 28 02:11 privkey10.pem
-rw------- 1 nobody 4294967294 3268 Nov 29 02:10 privkey11.pem
-rw------- 1 nobody 4294967294 3272 Nov 30 02:10 privkey12.pem
-rw------- 1 nobody 4294967294 3268 Dec 1 02:10 privkey13.pem
-rw------- 1 nobody 4294967294 3272 Dec 2 02:16 privkey14.pem
-rw------- 1 nobody 4294967294 3272 Dec 5 02:10 privkey15.pem
-rw------- 1 nobody 4294967294 3272 Dec 6 02:12 privkey16.pem
-rw------- 1 nobody 4294967294 3272 Dec 7 02:13 privkey17.pem
-rw------- 1 nobody 4294967294 3272 Dec 8 02:09 privkey18.pem
-rw------- 1 nobody 4294967294 3268 Dec 9 02:12 privkey19.pem
-rw------- 1 nobody 4294967294 3272 Nov 20 16:57 privkey2.pem
-rw------- 1 nobody 4294967294 3272 Dec 12 02:14 privkey20.pem
-rw------- 1 nobody 4294967294 3272 Dec 13 02:10 privkey21.pem
-rw------- 1 nobody 4294967294 3272 Dec 14 02:12 privkey22.pem
-rw------- 1 nobody 4294967294 3272 Dec 15 02:14 privkey23.pem
-rw------- 1 nobody 4294967294 3272 Dec 16 02:11 privkey24.pem
-rw------- 1 nobody 4294967294 3272 Dec 19 02:14 privkey25.pem
-rw------- 1 nobody 4294967294 3272 Dec 20 02:14 privkey26.pem
-rw------- 1 nobody 4294967294 3272 Dec 21 02:08 privkey27.pem
-rw------- 1 nobody 4294967294 3272 Dec 22 02:11 privkey28.pem
-rw------- 1 nobody 4294967294 3272 Dec 23 02:11 privkey29.pem
-rw------- 1 nobody 4294967294 3268 Nov 20 16:57 privkey3.pem
-rw------- 1 nobody 4294967294 3268 Dec 26 02:08 privkey30.pem
-rw------- 1 nobody 4294967294 3272 Dec 27 02:15 privkey31.pem
-rw------- 1 nobody 4294967294 3272 Dec 28 02:09 privkey32.pem
-rw------- 1 nobody 4294967294 3272 Dec 29 02:09 privkey33.pem
-rw------- 1 nobody 4294967294 3272 Dec 30 02:08 privkey34.pem
-rw------- 1 nobody 4294967294 3272 Jan 2 02:09 privkey35.pem
-rw------- 1 nobody 4294967294 3272 Jan 3 02:11 privkey36.pem
-rw------- 1 nobody 4294967294 3272 Jan 4 02:11 privkey37.pem
-rw------- 1 nobody 4294967294 3272 Jan 5 02:08 privkey38.pem
-rw------- 1 nobody 4294967294 3272 Jan 6 02:13 privkey39.pem
-rw------- 1 nobody 4294967294 3268 Nov 20 16:57 privkey4.pem
-rw------- 1 nobody 4294967294 3272 Jan 9 02:11 privkey40.pem
-rw------- 1 nobody 4294967294 3272 Jan 10 02:14 privkey41.pem
-rw------- 1 nobody 4294967294 3272 Jan 11 02:12 privkey42.pem
-rw------- 1 nobody 4294967294 3272 Jan 12 02:08 privkey43.pem
-rw------- 1 nobody 4294967294 3272 Jan 13 02:14 privkey44.pem
-rw------- 1 nobody 4294967294 3272 Jan 16 02:15 privkey45.pem
-rw------- 1 nobody 4294967294 3272 Jan 17 02:15 privkey46.pem
-rw------- 1 nobody 4294967294 3272 Jan 18 02:14 privkey47.pem
-rw------- 1 nobody 4294967294 3272 Jan 19 02:13 privkey48.pem
-rw------- 1 nobody 4294967294 3272 Jan 20 02:15 privkey49.pem
-rw------- 1 nobody 4294967294 3272 Nov 21 02:10 privkey5.pem
-rw------- 1 nobody 4294967294 3272 Jan 23 02:08 privkey50.pem
-rw------- 1 nobody 4294967294 3272 Jan 24 02:14 privkey51.pem
-rw------- 1 nobody 4294967294 3272 Jan 25 02:09 privkey52.pem
-rw------- 1 nobody 4294967294 3272 Jan 26 02:08 privkey53.pem
-rw------- 1 nobody 4294967294 3272 Jan 27 02:12 privkey54.pem
-rw------- 1 nobody 4294967294 3272 Jan 30 02:12 privkey55.pem
-rw------- 1 nobody 4294967294 3272 Jan 31 02:13 privkey56.pem
-rw------- 1 nobody 4294967294 3272 Feb 1 02:08 privkey57.pem
-rw------- 1 nobody 4294967294 3272 Feb 2 02:15 privkey58.pem
-rw------- 1 nobody 4294967294 3268 Feb 3 02:11 privkey59.pem
-rw------- 1 nobody 4294967294 3272 Nov 22 02:12 privkey6.pem
-rw------- 1 nobody 4294967294 3272 Nov 23 02:09 privkey7.pem
-rw------- 1 nobody 4294967294 3268 Nov 24 02:10 privkey8.pem
-rw------- 1 nobody 4294967294 3268 Nov 25 02:11 privkey9.pem

/etc/letsencrypt/live:
total 13
-rw-r--r-- 1 nobody 4294967294 740 Nov 20 16:57 README
drwxr-xr-x 2 nobody 4294967294 9 Feb 4 21:50 request.defran.us

/etc/letsencrypt/live/request.defran.us:
total 24
-rw-r--r-- 1 nobody 4294967294 692 Nov 20 16:57 README
lrwxrwxrwx 1 nobody 4294967294 41 Nov 20 16:57 cert.pem -> ../../archive/request.defran.us/cert4.pem
lrwxrwxrwx 1 nobody 4294967294 42 Nov 20 16:57 chain.pem -> ../../archive/request.defran.us/chain4.pem
lrwxrwxrwx 1 nobody 4294967294 46 Nov 20 16:57 fullchain.pem -> ../../archive/request.defran.us/fullchain4.pem
-rw-r--r-- 1 nobody 4294967294 7175 Feb 4 18:20 priv-fullchain-bundle.pem
lrwxrwxrwx 1 nobody 4294967294 44 Nov 20 16:57 privkey.pem -> ../../archive/request.defran.us/privkey4.pem
-rw------- 1 nobody 4294967294 5605 Feb 4 18:20 privkey.pfx

As far as I know, this is the only server/container with certs for this domain.

Here's the output for ls -lR /etc/letsencrypt/{live,archive}

/etc/letsencrypt/archive:
total 9
drwxr-xr-x 2 nobody 4294967294 73 Feb 3 02:11 request.defran.us

/etc/letsencrypt/archive/request.defran.us:
total 320
-rw-r--r-- 1 nobody 4294967294 2260 Nov 20 16:57 cert1.pem
-rw-r--r-- 1 nobody 4294967294 2264 Nov 20 16:57 cert2.pem
-rw-r--r-- 1 nobody 4294967294 2264 Nov 20 16:57 cert3.pem
-rw-r--r-- 1 nobody 4294967294 2260 Nov 20 16:57 cert4.pem
-rw-r--r-- 1 nobody 4294967294 1647 Nov 20 16:57 chain1.pem
-rw-r--r-- 1 nobody 4294967294 1647 Nov 20 16:57 chain2.pem
-rw-r--r-- 1 nobody 4294967294 1647 Nov 20 16:57 chain3.pem
-rw-r--r-- 1 nobody 4294967294 1647 Nov 20 16:57 chain4.pem
-rw-r--r-- 1 nobody 4294967294 3907 Nov 20 16:57 fullchain1.pem
-rw-r--r-- 1 nobody 4294967294 3911 Nov 20 16:57 fullchain2.pem
-rw-r--r-- 1 nobody 4294967294 3911 Nov 20 16:57 fullchain3.pem
-rw-r--r-- 1 nobody 4294967294 3907 Nov 20 16:57 fullchain4.pem
-rw------- 1 nobody 4294967294 3272 Nov 20 16:57 privkey1.pem
-rw------- 1 nobody 4294967294 3272 Nov 28 02:11 privkey10.pem
-rw------- 1 nobody 4294967294 3268 Nov 29 02:10 privkey11.pem
-rw------- 1 nobody 4294967294 3272 Nov 30 02:10 privkey12.pem
-rw------- 1 nobody 4294967294 3268 Dec 1 02:10 privkey13.pem
-rw------- 1 nobody 4294967294 3272 Dec 2 02:16 privkey14.pem
-rw------- 1 nobody 4294967294 3272 Dec 5 02:10 privkey15.pem
-rw------- 1 nobody 4294967294 3272 Dec 6 02:12 privkey16.pem
-rw------- 1 nobody 4294967294 3272 Dec 7 02:13 privkey17.pem
-rw------- 1 nobody 4294967294 3272 Dec 8 02:09 privkey18.pem
-rw------- 1 nobody 4294967294 3268 Dec 9 02:12 privkey19.pem
-rw------- 1 nobody 4294967294 3272 Nov 20 16:57 privkey2.pem
-rw------- 1 nobody 4294967294 3272 Dec 12 02:14 privkey20.pem
-rw------- 1 nobody 4294967294 3272 Dec 13 02:10 privkey21.pem
-rw------- 1 nobody 4294967294 3272 Dec 14 02:12 privkey22.pem
-rw------- 1 nobody 4294967294 3272 Dec 15 02:14 privkey23.pem
-rw------- 1 nobody 4294967294 3272 Dec 16 02:11 privkey24.pem
-rw------- 1 nobody 4294967294 3272 Dec 19 02:14 privkey25.pem
-rw------- 1 nobody 4294967294 3272 Dec 20 02:14 privkey26.pem
-rw------- 1 nobody 4294967294 3272 Dec 21 02:08 privkey27.pem
-rw------- 1 nobody 4294967294 3272 Dec 22 02:11 privkey28.pem
-rw------- 1 nobody 4294967294 3272 Dec 23 02:11 privkey29.pem
-rw------- 1 nobody 4294967294 3268 Nov 20 16:57 privkey3.pem
-rw------- 1 nobody 4294967294 3268 Dec 26 02:08 privkey30.pem
-rw------- 1 nobody 4294967294 3272 Dec 27 02:15 privkey31.pem
-rw------- 1 nobody 4294967294 3272 Dec 28 02:09 privkey32.pem
-rw------- 1 nobody 4294967294 3272 Dec 29 02:09 privkey33.pem
-rw------- 1 nobody 4294967294 3272 Dec 30 02:08 privkey34.pem
-rw------- 1 nobody 4294967294 3272 Jan 2 02:09 privkey35.pem
-rw------- 1 nobody 4294967294 3272 Jan 3 02:11 privkey36.pem
-rw------- 1 nobody 4294967294 3272 Jan 4 02:11 privkey37.pem
-rw------- 1 nobody 4294967294 3272 Jan 5 02:08 privkey38.pem
-rw------- 1 nobody 4294967294 3272 Jan 6 02:13 privkey39.pem
-rw------- 1 nobody 4294967294 3268 Nov 20 16:57 privkey4.pem
-rw------- 1 nobody 4294967294 3272 Jan 9 02:11 privkey40.pem
-rw------- 1 nobody 4294967294 3272 Jan 10 02:14 privkey41.pem
-rw------- 1 nobody 4294967294 3272 Jan 11 02:12 privkey42.pem
-rw------- 1 nobody 4294967294 3272 Jan 12 02:08 privkey43.pem
-rw------- 1 nobody 4294967294 3272 Jan 13 02:14 privkey44.pem
-rw------- 1 nobody 4294967294 3272 Jan 16 02:15 privkey45.pem
-rw------- 1 nobody 4294967294 3272 Jan 17 02:15 privkey46.pem
-rw------- 1 nobody 4294967294 3272 Jan 18 02:14 privkey47.pem
-rw------- 1 nobody 4294967294 3272 Jan 19 02:13 privkey48.pem
-rw------- 1 nobody 4294967294 3272 Jan 20 02:15 privkey49.pem
-rw------- 1 nobody 4294967294 3272 Nov 21 02:10 privkey5.pem
-rw------- 1 nobody 4294967294 3272 Jan 23 02:08 privkey50.pem
-rw------- 1 nobody 4294967294 3272 Jan 24 02:14 privkey51.pem
-rw------- 1 nobody 4294967294 3272 Jan 25 02:09 privkey52.pem
-rw------- 1 nobody 4294967294 3272 Jan 26 02:08 privkey53.pem
-rw------- 1 nobody 4294967294 3272 Jan 27 02:12 privkey54.pem
-rw------- 1 nobody 4294967294 3272 Jan 30 02:12 privkey55.pem
-rw------- 1 nobody 4294967294 3272 Jan 31 02:13 privkey56.pem
-rw------- 1 nobody 4294967294 3272 Feb 1 02:08 privkey57.pem
-rw------- 1 nobody 4294967294 3272 Feb 2 02:15 privkey58.pem
-rw------- 1 nobody 4294967294 3268 Feb 3 02:11 privkey59.pem
-rw------- 1 nobody 4294967294 3272 Nov 22 02:12 privkey6.pem
-rw------- 1 nobody 4294967294 3272 Nov 23 02:09 privkey7.pem
-rw------- 1 nobody 4294967294 3268 Nov 24 02:10 privkey8.pem
-rw------- 1 nobody 4294967294 3268 Nov 25 02:11 privkey9.pem

/etc/letsencrypt/live:
total 13
-rw-r--r-- 1 nobody 4294967294 740 Nov 20 16:57 README
drwxr-xr-x 2 nobody 4294967294 9 Feb 4 21:50 request.defran.us

/etc/letsencrypt/live/request.defran.us:
total 24
-rw-r--r-- 1 nobody 4294967294 692 Nov 20 16:57 README
lrwxrwxrwx 1 nobody 4294967294 41 Nov 20 16:57 cert.pem -> ../../archive/request.defran.us/cert4.pem
lrwxrwxrwx 1 nobody 4294967294 42 Nov 20 16:57 chain.pem -> ../../archive/request.defran.us/chain4.pem
lrwxrwxrwx 1 nobody 4294967294 46 Nov 20 16:57 fullchain.pem -> ../../archive/request.defran.us/fullchain4.pem
-rw-r--r-- 1 nobody 4294967294 7175 Feb 4 18:20 priv-fullchain-bundle.pem
lrwxrwxrwx 1 nobody 4294967294 44 Nov 20 16:57 privkey.pem -> ../../archive/request.defran.us/privkey4.pem
-rw------- 1 nobody 4294967294 5605 Feb 4 18:20 privkey.pfx

I'm not very well versed when it comes to ssl certs, but I think there are a lot of extra privkey*.pem files, but I'm not sure if that's normal or how that would've happened if it's not.

Thanks for any advice

Yes, that does look like a sign of a problem here. Could we also see the contents of /etc/letsencrypt/renewal/request.defran.us.conf to see if it has a wrong file reference somehow?

Do you know what is creating priv-fullchain-bundle.pem and privkey.pfx? Did you install a script or hook that automatically creates these after your renewal?

(It looks like you probably actually have a valid certificate and private key somewhere here—just probably not where you or Certbot expected to.)

Sorry If I double-posted, but posts were hidden by the spam filter.

I didn't specifically set up any hooks or scripts creating priv-fullchain-bundle.pem or privkey.pfx. Maybe my .conf will give us an idea:

cat /etc/letsencrypt/renewal/request.defran.us.conf

#renew_before_expiry = 30 days
version = 0.32.0
archive_dir = /etc/letsencrypt/archive/request.defran.us
cert = /etc/letsencrypt/live/request.defran.us/cert.pem
privkey = /etc/letsencrypt/live/request.defran.us/privkey.pem
chain = /etc/letsencrypt/live/request.defran.us/chain.pem
fullchain = /etc/letsencrypt/live/request.defran.us/fullchain.pem

#Options used in the renewal process
[renewalparams]
account = ad0d039c97f5fc21cef224119a8090c7
rsa_key_size = 4096
pref_challs = http-01,
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = standalone
pre_hook = if ps aux | grep [n]ginx: > /dev/null; then s6-svc -d /var/run/s6/services/nginx; fi
post_hook = if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && sleep 1 && cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem

Hello,

Any advice is greatly appreciated.

I’m afraid this problem is unlike any that I’ve seen before!

Could we see the logs from /var/log/letsencrypt, in particular from a renewal that apparently worked? (e.g. January 31 at 02:13). It somehow looks like Certbot is crashing before it can save the files here, except then it successfully runs the post-hook script to create a bundle, which shouldn’t be possible if the Certbot process crashed.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.