I set up a website with a linux server last year.
Certbot cert install was successful.
In Jan 2020, auto renewal was not working but manual renewal #1 was OK.
Today, 11 Apr 2020, I tried to do manual renewal #2.
I experienced unexpected errors, with directory and file behaviour inconsistent with last time, as in names and locations. So I was in problem-solving mode, trying and retrying, and it was hitting me with “FileExistsError” and “FileNotFoundError” even for the same file.
Then came the bad experience: “too many certificates already issued for exact set of domains:” and a link to the documentation explaining “You’ll need to wait until the rate limit expires after a week.” The cert has only 3 days left. The website is a community service charity that is even more of a lifeline in the current coronavirus epidemic. Going insecure for 4 days (if that is accurate) is unacceptable in the age of https-everywhere. Therefore the only solution I can see is to buy in a commercial certificate.
I admit that I was slow to remember “lockout” and “dry-run” elements that I may have read about 6 months ago but needed better reminders for.
Here therefore is feedback for improvement so maybe others including my future self can have a better experience:
GIVE FAIR WARNING ON SCREEN
I recommend an on-screen warning message at 5 with a lockout limit at 8.
However if LE continues to insist on lockout at 5 then start warning messages at 3.
CERTBOT NEEDS TO REPORT FAILS BETTER
This was a fail: “FileExistsError” and “FileNotFoundError”. Therefore it should have been a 1 hour lockout rather than a 7 day lockout.
“EXPIRATION NOTICE” REMINDER EMAILS NEED TO GIVE FAIR WARNING OF THESE ISSUES
Especially the “5 strikes and you are out” rule, and advice that, if a renewal throws an error, one should start diagnosing with “dry-run”. Wording could also include: “Renewal may have issues on some servers, therefore we recommend checking automatic renewal and, if necessary, running manual renewal at least 2 weeks before expiry”.
More details of my observed certbot behaviour:
I do not want to advertise details of a server with SSL troubles on a public forum, so I will call it xxxxx.yyy.
On first obtaining certificates, they were stored in:
/etc/letsencrypt/archive/xxxxx.yyy
Then on renewal #1, they were stored in:
/etc/letsencrypt/archive/xxxxx.yyy-0001
That added -0001 directory was strange. There were also “symlinks” in directory “/etc/letsencrypt/live/xxxxx.yyy” that I needed to edit, following advice found on “StackOverflow”, but I got it to work.
I think it was reasonable of me to expect renewal #2 to create a directory like “xxxxx.yyy-0002”, but oh no, certbot returns to its first love of “xxxxx.yyy” and gets confused along with me. I think if I had more attempts (but the detective in me was too late finding out about dry-run) I could have tried renaming directories so that “xxxxx.yyy-0001” became “xxxxx.yyy”, which would have given certbot the complete file set to work with.
For future letsencrypt activity I intend to avoid “renew” and always generate fresh new certs.
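As an added example (not from the original post and not certbot's own code), a POSIX shell pre-flight check of the live/archive symlink layout described above: it flags dangling links (the FileNotFoundError case) and links split across archive directories (the -0001 case) so they can be repaired, and `certbot renew --dry-run` tried, before a real renewal attempt counts toward the weekly duplicate-certificate limit. The lineage name xxxxx.yyy and the tree built by make_fixture are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight check of one certbot lineage before a real renewal attempt.
# Layout: <root>/live/<name>/{cert,privkey,chain,fullchain}.pem are symlinks into
# <root>/archive/<name>[-NNNN]/<file><N>.pem. A dangling link is what surfaces as
# FileNotFoundError; links into two archive dirs mean a split lineage (the -0001
# case). Failed real attempts still count toward the weekly duplicate-certificate
# limit, so run this and `certbot renew --dry-run` before the real renewal.
# check_live_dir LIVE_DIR: one line per expected file; returns 0 only if all four
# are symlinks that resolve to files inside a single archive directory.
check_live_dir() {
    live_dir=$1; status=0; seen_archive=""
    for name in cert privkey chain fullchain; do
        link="$live_dir/$name.pem"
        if [ ! -L "$link" ]; then
            echo "MISSING  $link is not a symlink"; status=1; continue
        fi
        target=$(readlink "$link")
        case $target in                 # resolve relative targets against live/
            /*) resolved=$target ;;
            *)  resolved="$live_dir/$target" ;;
        esac
        if [ ! -f "$resolved" ]; then
            echo "DANGLING $link -> $target"; status=1; continue
        fi
        echo "OK       $link -> $target"
        archive_dir=$(dirname "$resolved")
        if [ -z "$seen_archive" ]; then
            seen_archive=$archive_dir
        elif [ "$archive_dir" != "$seen_archive" ]; then
            echo "SPLIT    links point at more than one archive directory"; status=1
        fi
    done
    return $status
}
# make_fixture ROOT MODE: constructed sample tree, not a real /etc/letsencrypt.
# healthy: every link points into archive/xxxxx.yyy
# broken : fullchain.pem points into archive/xxxxx.yyy-0001, which holds no files
make_fixture() {
    root=$1; mode=$2
    mkdir -p "$root/archive/xxxxx.yyy" "$root/archive/xxxxx.yyy-0001" "$root/live/xxxxx.yyy"
    for name in cert privkey chain fullchain; do
        echo "placeholder $name" > "$root/archive/xxxxx.yyy/${name}1.pem"
        src="../../archive/xxxxx.yyy/${name}1.pem"
        if [ "$mode" = broken ] && [ "$name" = fullchain ]; then
            src="../../archive/xxxxx.yyy-0001/${name}2.pem"
        fi
        ln -sf "$src" "$root/live/xxxxx.yyy/$name.pem"
    done
}
```

On a real host, source the file and run `check_live_dir /etc/letsencrypt/live/xxxxx.yyy` as root; a non-zero exit means the lineage needs repair before any renewal is attempted.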