Cert Renewal Running Too Often

Help
1

I was recently going through my /etc directory and noticed that my /etc/letsencrypt directory was over 1.2Gb in size. I found 154,723 items in both the keys/ and csr/ directories. There are also 1,012 log files in the /var/log/letsencrypt directory. I might be wrong, but this seems a little excessive.

The log files have a consistent line through them:

WARNING:certbot.renewal:Attempting to renew cert (linuxhomeserver.com) from /etc/letsencrypt/renewal/linuxhomeserver.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type.

I had set up a cron in order to renew the cert every two months (* * * */2 * certbot --force-renewal --quiet --agree-tos), but these messages look like it might be running multiple times per hour. What have I done wrong?

My server is an Ubuntu 16.01.6, running Apache 2.4.18 and Certbot 0.31.0.

2

Hi @SpinXOR

what's your domain name? What says

certbot certificates
3

Domains: linuxhomeserver.com, linuxhomeserver.duckdns.org, www.linuxhomeserver.com www.linuxhomeserver.duckdns.org

I use DuckDNS.org for dynamic DNS, and have a CNAME record with my domain name provider pointing linuxhomeserver.com to linuxhomeserver.duckdns.org.

4

Yep, that looks like an error - https://check-your-website.server-daten.de/?q=linuxhomeserver.com#ct-logs

There are five identical certificates with the same set of domain names:

CertSpotter-Id Issuer not before not after Domain names LE-Duplicate next LE
924357593 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-05-21 19:56:43 2019-08-19 19:56:43 linuxhomeserver.com, linuxhomeserver.duckdns.org, www.linuxhomeserver.com, www.linuxhomeserver.duckdns.org
4 entries duplicate nr. 5 next Letsencrypt certificate: 2019-05-28 19:19:24
924345438 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-05-21 19:46:38 2019-08-19 19:46:38 linuxhomeserver.com, linuxhomeserver.duckdns.org, www.linuxhomeserver.com, www.linuxhomeserver.duckdns.org
4 entries duplicate nr. 4
924336650 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-05-21 19:39:33 2019-08-19 19:39:33 linuxhomeserver.com, linuxhomeserver.duckdns.org, www.linuxhomeserver.com, www.linuxhomeserver.duckdns.org
4 entries duplicate nr. 3
924319742 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-05-21 19:29:22 2019-08-19 19:29:22 linuxhomeserver.com, linuxhomeserver.duckdns.org, www.linuxhomeserver.com, www.linuxhomeserver.duckdns.org
4 entries duplicate nr. 2
924294356 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-05-21 19:19:24 2019-08-19 19:19:24 linuxhomeserver.com, linuxhomeserver.duckdns.org, www.linuxhomeserver.com, www.linuxhomeserver.duckdns.org
4 entries duplicate nr. 1

That hitted the limit.

But more important: The same block is repeated every week:

2019-05-14 20:14:57
2019-05-07 21:11:58
2019-04-30 22:10:21

Uh - but the reason is simple:

Your cron job uses --force-renewal, that creates a new certificate. Remove that.

certbot renew

should be enough.

5

That doesn't mean what you think it means.

But the recommended cron schedule is twice a day, at a random hour and minute. This gives it a chance to recover in case of a temporary failure. It's safe to run it that frequently because it will only try to renew certificates that are due for renewal (unless you use --force-renewal, which is why that's a bad idea). But once a minute is a bit too frequent, because it will then retry every minute if it fails.

2 Likes
6

You’re right thanks, it looks like it was running every minute of every second month. I have changed it to 0 0 1 */2 *. This should run it once every month, as opposed to 2,678,400 times a month!

1 Like
7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.