Last week, I installed letsencrypt from GitHub on a remote Linux server and created some certificates for a domain and its sub-domains. Something got messed up somehow, so I cleaned letsencrypt from the system by removing /etc/letsencrypt /var/log/letsencrypt etc …
After cloning again, it is no longer possible to regenerate the certificates, as it throws a warning as below:
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: <domain name>
Thanks for the update. I have also tried with an old letsencrypt certificate from backup. But both Chrome and Firefox browsers report a non-trusted certificate. Any way to fix this issue?
Make sure you are serving the intermediate certificate (e.g. fullchain.pem). You can verify this with SSL Labs, which will point out a couple of other possible mistakes too. If you can’t find anything obvious, would you mind sharing your site so we can take a look at the certificate?
The certificate you’re using was generated by the staging (test) CA server. You probably passed --staging, --test-cert or something similar to the client. To get a fully-trusted certificate from the production CA server, don’t use either of those options when you’re calling the letsencrypt command.
Thanks for the pointer, but I remember I have not passed any such argument. Rather, I used the letsencrypt -auto command. Can you suggest how I can fix this issue now?
Take a look at /etc/letsencrypt/cli.ini, it’s possible that you specified the staging server in there. If there’s a line like:
# Always use the staging/testing server
server = https://acme-staging.api.letsencrypt.org/directory
Then you’re using the staging server. You’ll want to use https://acme-v01.api.letsencrypt.org/directory instead.
You mentioned running into the rate limits, which is unlikely on the staging server, so you probably have generated valid certs at some point. Take a look around in your /etc/letsencrypt folder (or any backups) and try finding other certificates that might have been issued by the correct CA.
If those files are the only files you have left, there’s not much you can do for now. They were issued by the testing CA and unless you find the ones issued by the production CA, you’ll have to wait till the rate limit window expires in a few days, and then re-issue the certificates with the same commands you used initially.
@pfg’s guess was right and the one that you have there was issued by the test CA, not the production CA. This test CA cert isn’t really useful for any purpose, because you can’t use it for live serving of your site and you can’t use it for revocation. Do you have any other cert.pem elsewhere in your backup?
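The two checks suggested in this thread (the `server` line in cli.ini, and the issuer of any certificates left in a backup) can be scripted as below. This is an added example, not posted by any participant: the function names are hypothetical, the two URLs are the ones quoted above, and treating the last `server` line as the effective one is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. URLs are the two quoted in the replies.
STAGING_URL="https://acme-staging.api.letsencrypt.org/directory"
PRODUCTION_URL="https://acme-v01.api.letsencrypt.org/directory"

# Print the value of the "server" key from a cli.ini-style file.
# Commented-out lines never match; the last assignment wins (assumption).
ini_server() {
    sed -n -e 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed -e 's/[[:space:]]*$//' | tail -n 1
}

# Classify a cli.ini as: staging, production, default (no server line,
# so the client's built-in server is used) or other.
classify_ini() {
    [ -r "$1" ] || { echo "default"; return 0; }
    url=$(ini_server "$1")
    case "$url" in
        "")                echo "default" ;;
        "$STAGING_URL")    echo "staging" ;;
        "$PRODUCTION_URL") echo "production" ;;
        *staging*)         echo "staging" ;;
        *)                 echo "other" ;;
    esac
}

# Print "path<TAB>issuer" for every cert*.pem under a directory (needs
# openssl), so certificates from different CAs in a backup can be told apart.
list_issuers() {
    find "$1" -type f -name 'cert*.pem' 2>/dev/null | while read -r f; do
        issuer=$(openssl x509 -in "$f" -noout -issuer 2>/dev/null)
        printf '%s\t%s\n' "$f" "${issuer:-unreadable}"
    done
}

# Constructed sample input: the cli.ini fragment quoted in the thread.
sample=$(mktemp)
printf '# Always use the staging/testing server\nserver = %s\n' \
    "$STAGING_URL" > "$sample"
echo "sample cli.ini -> $(classify_ini "$sample")"
rm -f "$sample"

# On a real host (paths as given in the thread):
#   classify_ini /etc/letsencrypt/cli.ini
#   list_issuers /etc/letsencrypt
```

Certificates whose issuer line differs from the one on the untrusted certificate are the candidates worth testing in the browser.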