Cert failed to renew and now has hit Rate Limit


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: countrystoveandfireplace.com

I ran this command: certbot-auto renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/countrystoveandfireplace.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for countrystoveandfireplace.com
tls-sni-01 challenge for www.countrystoveandfireplace.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (countrystoveandfireplace.com) from /etc/letsencrypt/renewal/countrystoveandfireplace.com.conf produced an unexpected error: Failed authorization procedure. countrystoveandfireplace.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 556ba35db7385a34b1c2d4265dbda5b9.5053a2ca23bce428a950bb41f85f101e.acme.invalid from 45.63.66.230:443. Received 2 certificate(s), first certificate had names “countrystoveandfireplace.com, www.countrystoveandfireplace.com”, www.countrystoveandfireplace.com (tls-sni-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b7fba6db7717599b5cc3ee48b731472e.885cdfd6eada7a0b42ca81a6487f3e6f.acme.invalid from 45.63.66.230:443. Received 2 certificate(s), first certificate had names “countrystoveandfireplace.com, www.countrystoveandfireplace.com”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/countrystoveandfireplace.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/countrystoveandfireplace.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: countrystoveandfireplace.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    556ba35db7385a34b1c2d4265dbda5b9.5053a2ca23bce428a950bb41f85f101e.acme.invalid
    from 45.63.66.230:443. Received 2 certificate(s), first certificate
    had names “countrystoveandfireplace.com,
    www.countrystoveandfireplace.com

    Domain: www.countrystoveandfireplace.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    b7fba6db7717599b5cc3ee48b731472e.885cdfd6eada7a0b42ca81a6487f3e6f.acme.invalid
    from 45.63.66.230:443. Received 2 certificate(s), first certificate
    had names “countrystoveandfireplace.com,
    www.countrystoveandfireplace.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Apache 2.2.15

The operating system my web server runs on is (include version): CentOS Linux 6.10

My hosting provider, if applicable, is: vultr

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

So the first problem is failed renewal, and while trying to troubleshoot this, I’ve know run into the Rate Limit. I’ve had to disable SSL on the site.

Please advise


#2

Hi @joeker

the tls-sni-01 challenge is deprecated. So please try

certbot-auto renew --preferred-challenges http

to use the http-01 - validation.

If that doesn’t work, share the content of

/var/log/letsencrypt/letsencrypt.log

#3

Hi JuergenAuer,

I did try that but have hit the Rate Limit:

[root@countrystoveandfireplace letsencrypt]# /root/certbot-auto renew --preferred-challenges http
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/countrystoveandfireplace.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Attempting to renew cert (countrystoveandfireplace.com) from /etc/letsencrypt/renewal/countrystoveandfireplace.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/countrystoveandfireplace.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/countrystoveandfireplace.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)


#4

This is only a one-hour - limit, so it’s not really a problem.

You can add certonly --test-cert to your command. So you get a test certificate, the testsystem has it’s own limits. But don’t install it - it’s not valide -> certonly.


#5

Ok I will try in an hour, thank you


#6

Agreed, the first problem is that the cert expired 5 days ago.
Did you receive any email notification that it was expiring? (if not, you should sign up for that)


#7

No I didn’t, that’s correct, I usually do for other domains


#8

UPDATE: the /root/certbot-auto renew --preferred-challenges http command worked. I’ve update the cron job accordingly.

Thank you for your assistance.