Certificate generation is not possible any more


#1

Hello community,

greetings !!

Last week, I installed letsencrypt from GitHub on a remote Linux server and created some certificates for a domain and its sub-domains. Something got messed up somehow, so I cleaned letsencrypt from the system by removing /etc/letsencrypt, /var/log/letsencrypt etc …

After cloning again, it is now not possible to regenerate the certificates any more, as it throws the warning below:

An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: <domain name>

How can I fix this?

Thanks


#2

The only way is to wait, I’m afraid. The limit is 5 certs/domain/week (7 days).

So if it was last week, you won’t have to wait long.


#3

Thanks for the update. I have also tried with the old letsencrypt certificate from a backup. But both the Chrome and Firefox browsers report an untrusted certificate. Any way to fix this issue?


#4

Make sure you are serving the intermediate certificate (e.g. fullchain.pem). You can verify this with SSL Labs, which will point out a couple of other possible mistakes too. If you can’t find anything obvious, would you mind sharing your site so we can take a look at the certificate?


#5

The fullchain.pem is already there:

SSLCertificateFile /etc/letsencrypt/live/<domain-name>/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<domain-name>/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/<domain-name>/chain.pem

Apache/2.4.7 on Ubuntu


#6

The certificate you’re using was generated by the staging (test) CA server. You probably passed --staging, --test-cert or something similar to the client. To get a fully-trusted certificate from the production CA server, don’t use either of those options when you’re calling the letsencrypt command.


#7

Thanks for the pointer, but I remember I have not passed such an argument. Rather, I used the letsencrypt-auto command. Can you suggest how I can fix this issue now?


#8

Search your backup of /etc/letsencrypt for a cert.pem for your domain issued by Let's Encrypt Authority X1.


#9

Take a look at /etc/letsencrypt/cli.ini, it’s possible that you specified the staging server in there. If there’s a line like:

# Always use the staging/testing server
server = https://acme-staging.api.letsencrypt.org/directory

Then you’re using the staging server. You’ll want to use https://acme-v01.api.letsencrypt.org/directory instead.

You mentioned running into the rate limits, which is unlikely on the staging server, so you probably have generated valid certs at some point. Take a look around in your /etc/letsencrypt folder (or any backups) and try finding other certificates that might have been issued by the correct CA.


#10

The certificate is already available at /etc/letsencrypt/live//:

cert.pem chain.pem fullchain.pem privkey.pem

BUT no cli.ini is available:

ls: cannot access /etc/letsencrypt/cli.ini: No such file or directory

Unfortunately the backup available is the only backup for letsencrypt, hence I need your guidance to fix the issue.

Thanks


#11

If those files are the only files you have left, there’s not much you can do for now. They were issued by the testing CA and unless you find the ones issued by the production CA, you’ll have to wait till the rate limit window expires in a few days, and then re-issue the certificates with the same commands you used initially.


#12

Hi @bakshi, you can check which CA issued the cert by running:

openssl x509 -in cert.pem -issuer -noout

That will clearly distinguish between a cert issued by the test CA and one issued by the production (live) CA.


#13

Hi @schoen

Thanks…

I get this:

openssl x509 -in cert.pem -issuer -noout
issuer= /CN=happy hacker fake CA


#14

@pfg’s guess was right and the one that you have there was issued by the test CA, not the production CA. This test CA cert isn’t really useful for any purpose, because you can’t use it for live serving of your site and you can’t use it for revocation. Do you have any other cert.pem elsewhere in your backup?
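Added example (not code from the thread or from the letsencrypt client): a small Python script that does what #8, #9, #12 and #14 describe by hand, walking a copy of /etc/letsencrypt (or its backup), running the same `openssl x509 -issuer -noout` check on every cert.pem / certN.pem it finds, and sorting them into staging-issued, production-issued and unknown. It assumes the openssl binary is on PATH; the issuer names "happy hacker fake CA" (staging) and "Let's Encrypt Authority X1" (production) are the ones quoted in this thread, and the backup path in the usage is a placeholder.

```python
import os
import re
import subprocess
import sys
from pathlib import Path

# Issuer names as they appear in this thread: the staging CA signs as
# "happy hacker fake CA"; the production intermediate was
# "Let's Encrypt Authority X1". Anything else is reported as unknown.
STAGING_ISSUER_HINT = "happy hacker fake ca"
PRODUCTION_ISSUER_HINT = "let's encrypt"

# cert.pem in live/, cert1.pem, cert2.pem ... in archive/
CERT_NAME = re.compile(r"^cert\d*\.pem$")


def classify_issuer(issuer_line: str) -> str:
    """Map an `openssl x509 -issuer -noout` line to 'staging', 'production' or 'unknown'.

    Accepts both the old one-line format ("issuer= /CN=...") and the newer
    "issuer=CN = ..." format, since either may show up depending on the
    OpenSSL version installed on the box.
    """
    issuer = issuer_line.strip()
    if issuer.lower().startswith("issuer="):
        issuer = issuer[len("issuer="):].strip()
    lowered = issuer.lower()
    if STAGING_ISSUER_HINT in lowered:
        return "staging"
    if PRODUCTION_ISSUER_HINT in lowered:
        return "production"
    return "unknown"


def issuer_of(cert_path) -> str:
    """Return the issuer line for a PEM certificate, via the openssl CLI."""
    result = subprocess.run(
        ["openssl", "x509", "-in", str(cert_path), "-issuer", "-noout"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def scan_certs(root):
    """Walk a letsencrypt directory or backup tree and classify every cert*.pem.

    Returns a list of (path, issuer_line, classification) tuples. Directory
    symlinks are followed so that both archive/ (real files) and live/
    (symlinks) are covered. Files openssl cannot read or parse are reported
    as 'unknown' with the error text in place of the issuer line.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=True):
        for name in sorted(filenames):
            if not CERT_NAME.match(name):
                continue
            path = Path(dirpath) / name
            try:
                issuer = issuer_of(path)
            except (OSError, subprocess.CalledProcessError) as exc:
                findings.append((path, f"error: {exc}", "unknown"))
                continue
            findings.append((path, issuer, classify_issuer(issuer)))
    return findings


def production_certs(root):
    """Only the certificates worth restoring: those signed by the production CA."""
    return [f for f in scan_certs(root) if f[2] == "production"]


if __name__ == "__main__":
    # Placeholder path: point this at the backup copy of /etc/letsencrypt.
    root = sys.argv[1] if len(sys.argv) > 1 else "/path/to/backup/etc/letsencrypt"
    for path, issuer, kind in scan_certs(root):
        print(f"{kind:<10} {path}  [{issuer}]")
    if not production_certs(root):
        print("no production-issued certificate found under", root)
```

Run it as `python3 find_le_certs.py /path/to/backup/etc/letsencrypt`; any line tagged `production` is a certificate that browsers will trust and that can be put back under live/, while `staging` entries are the "happy hacker fake CA" ones from #13 and can be ignored.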


#15

@schoen no more cert.pem is available :frowning:
Can’t we create this cert.pem overriding the rate limit?


#16

There’s no way to bypass the rate limit. You will have to wait a few days, depending on when you issued the certificates.
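Added example (not from the thread): a Python planning aid for the "wait a few days" advice in #2, #11 and #16. Given the issuance times of the certificates already obtained for a domain, it computes the earliest moment at which one more request stays under the limit the thread states (5 certs per domain per 7 days), modelled as a sliding window ending at "now". That model and the sample timestamps are assumptions made for this example; the real issuance times can be read from the archive certificates with `openssl x509 -startdate -noout`.

```python
from datetime import datetime, timedelta, timezone

# Limit as stated in this thread: 5 certificates per domain per 7 days.
# Assumption: modelled as a sliding window (now - WINDOW, now]; this is a
# planning aid, not Let's Encrypt's own rate-limit implementation.
RATE_LIMIT = 5
WINDOW = timedelta(days=7)


def parse_timestamps(lines):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' lines (UTC) into aware datetimes; blanks are skipped."""
    return [
        datetime.strptime(line.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for line in lines
        if line.strip()
    ]


def issuances_in_window(issued_at, now, window=WINDOW):
    """Issuance timestamps that still count against the limit at `now`, oldest first."""
    return sorted(t for t in issued_at if now - window < t <= now)


def next_allowed_issuance(issued_at, now, limit=RATE_LIMIT, window=WINDOW):
    """Earliest time (>= now) at which one more issuance stays under the limit.

    If fewer than `limit` issuances fall inside the window, issuing now is fine.
    Otherwise the `limit`-th most recent issuance has to age out of the window
    first, which happens exactly `window` after it was issued.
    """
    recent = issuances_in_window(issued_at, now, window)
    if len(recent) < limit:
        return now
    blocking = recent[-limit]
    return blocking + window


def wait_time(issued_at, now, limit=RATE_LIMIT, window=WINDOW):
    """How long to wait before retrying the letsencrypt command."""
    return next_allowed_issuance(issued_at, now, limit, window) - now


if __name__ == "__main__":
    # Constructed sample: five certs issued on consecutive days while
    # experimenting, so the sixth request is the one that hits the limit.
    sample = """
    2015-12-07T10:00:00Z
    2015-12-08T10:00:00Z
    2015-12-09T10:00:00Z
    2015-12-10T10:00:00Z
    2015-12-11T10:00:00Z
    """.splitlines()
    issued = parse_timestamps(sample)
    now = parse_timestamps(["2015-12-13T12:00:00Z"])[0]
    print("issuances in window:", len(issuances_in_window(issued, now)))
    print("next allowed:", next_allowed_issuance(issued, now).isoformat())
    print("wait:", wait_time(issued, now))
```

With the constructed sample the oldest of the five certificates (2015-12-07 10:00) leaves the window seven days later, so the script reports 2015-12-14 10:00 as the next allowed attempt, 22 hours after "now"; drop one issuance from the list and it reports that issuing immediately is fine.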