Certifiacate generation is not possible any more

bakshi · December 28, 2015, 12:38pm

Hello community,

greetings !!

Last week, I installed letsencrypt from github on a rremote linux server and created some certificated for domain and its sub-domains. There was a messed up somehow so I cleaned the letsencrypt from system by removing /etc/letsencrypt /var/log/letsencrypt etc …

After cloning again, now it is not possible to regenerate the certificates any more as it throws a warning as below

An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: <domain name>

How can I fix this ?

Thanks

serverco · December 28, 2015, 12:44pm

The only way is to wait I’m afraid. The limit is 5 certs/domain/week (7 days)

So if it was last week, you won’t have to wait long.

bakshi · December 28, 2015, 1:07pm

Thanks for the update. I have also tried with old letsencrypt certificate from backup. But both chrome and firefox browsers report non trusted certificate. Any way to fix this issue ?

pfg · December 28, 2015, 1:10pm

Make sure you are serving the intermediate certificate (e.g. fullchain.pem). You can verify this with SSL Labs, which will point out a couple of other possible mistakes too. If you can’t find anything obvious, would you mind sharing your site so we can take a look at the certificate?

bakshi · December 28, 2015, 1:17pm

The fullchain.pem is already there

SSLCertificateFile /etc/letsencrypt/live/<domain-name>/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<domain-name>/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/<domain-name>/chain.pem

Apache/2.4.7 on ubuntu

pfg · December 28, 2015, 1:19pm

The certificate you’re using was generated by the staging (test) CA server. You probably passed --staging, --test-cert or something similar to the client. To get a fully-trusted certificate from the production CA server, don’t use either of those options when you’re calling the letsencrypt command.

bakshi · December 28, 2015, 1:43pm

Thanks for the pointer but I remember I have not passed such argument. Rather I used letsencrypt -auto command. Can you suggest how can I fix this issue now ?

Osiris · December 28, 2015, 1:46pm

Search your backup of /etc/letsencrypt for a cert.pem for your domain issued by Let's Encrypt Authority X1.

pfg · December 28, 2015, 1:50pm

Take a look at /etc/letsencrypt/cli.ini, it’s possible that you specified the staging server in there. If there’s a line like:

# Always use the staging/testing server
server = https://acme-staging.api.letsencrypt.org/directory

Then you’re using the staging server. You’ll want to use https://acme-v01.api.letsencrypt.org/directory instead.

You mentioned running into the rate limits, which is unlikely on the staging server, so you probably have generated valid certs at some point. Take a look around in your /etc/letsencrypt folder (or any backups) and try finding other certificates that might have been issued by the correct CA.

bakshi · December 28, 2015, 1:55pm

certificate is already available at /etc/letsencrypt/live//

cert.pem chain.pem fullchain.pem privkey.pem

BUT no cli.ini available

ls: cannot access /etc/letsencrypt/cli.ini: No such file or directory

unfortunately the backup available is the only backup for letsencrypt, hence need your guidance to fix the issue.

Thanks

pfg · December 28, 2015, 1:59pm

If those files are the only files you have left, there’s not much you can do for now. They were issued by the testing CA and unless you find the ones issued by the production CA, you’ll have to wait till the rate limit window expires in a few days, and then re-issue the certificates with the same commands you used initially.

schoen · December 28, 2015, 1:59pm

Hi @bakshi, you can check which CA the cert was issued by by running

openssl x509 -in cert.pem -issuer -noout

That will clearly distinguish between a cert issued by the test CA and one issued by the production (live) CA.

bakshi · December 28, 2015, 2:04pm

Hi @schoen

Thanks…

I get this

openssl x509 -in cert.pem -issuer -noout
issuer= /CN=happy hacker fake CA

schoen · December 28, 2015, 2:10pm

@pfg’s guess was right and the one that you have there was issued by the test CA, not the production CA. This test CA cert isn’t really useful for any purpose, because you can’t use it for live serving of your site and you can’t use it for revocation. Do you have any other cert.pem elsewhere in your backup?

bakshi · December 28, 2015, 2:13pm

@schoen no more cert.pem is available
Ca’t we create this cert.pem overriding rate limit ?

pfg · December 28, 2015, 2:17pm

There’s no way to bypass the rate limit. You will have to wait a few days, depending on when you issued the certificates.