Certificate attribution failed with Heroku

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: blackflakes.com / www.blackflakes.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Heroku

I can login to a root shell on my machine (yes or no, or I don't know): idk

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello,

I published a React website on Heroku and I linked it with the domain: www.blackflakes.com
But I encountered a problem when I tried to get an SSL certificate by using Heroku ACM.

The process failed.
Since I can access the website by using my domain, I deduced that the configuration with my DNS provider (OVH) is good.
In their documentation, Heroku mentions that, if the problem isn't due to the DNS configuration, the rate limit set by Let's Encrypt can cause this issue.

I checked the certificate issuance history of the domain here: crt.sh | blackflakes.com
As you can see, since yesterday 14 certificates have been issued.
As I had a lot of problems with Heroku and my DNS provider, I did many interactions on the Heroku dashboard, so it's certainly because of that.

My questions are the following:

  • May the rate limit set by Let's Encrypt be responsible for the "failed" output from Heroku?
  • How long is the waiting period before being able to generate a new certificate again?
  • Is the domain blacklisted / blocklisted by Let's Encrypt?
  • Is it possible to deblock the situation?

Thanks in advance for your help.

Aurélien

Could be. There are 5 duplicate certificates for www.blackflakes.com, so you can't get another certificate with that exact same set of hostnames. (Note that crt.sh by default also lists pre-certificates unless you use the "deduplicate" option.)

Please see the rate limit documentation at Rate Limits - Let's Encrypt

Most likely not.

Rate limits can't be deblocked.

3 Likes

Thanks for the rapid feedback!

Is there a way to retrieve on my own one of the emitted certificates, or must I wait for the rate limit expiration in a week?

Aurélien

1 Like

The certificates are public and can be downloaded from the crt.sh site for example. However, certificates are useless without the corresponding private keys which are, well, private.

If you want to have another, sixth, certificate with just the hostname www.blackflakes.com in it, you have to wait a week.

3 Likes

The crt.sh display can be misleading. Each cert has a "precert" and a "leaf". Each set only counts as 1 towards the LE rate limit. You can use the deduplicate option to see better.

You have not issued any LE certs that have both your apex name and the www subdomain. If Heroku allows it you could combine them into one right now. Review the rate limit work-around section for details.

6 Likes
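
The counting described in the replies above, as an added example that is not part of the original thread: precertificate/leaf pairs are collapsed into one certificate each, then certificates are grouped by exact hostname set and compared with the limit of 5 per week mentioned in the replies. The row layout, the `example.com` names and all function names are constructed for illustration and are not crt.sh's actual output format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LIMIT = 5                    # duplicate certificates per window, as stated in the thread
WINDOW = timedelta(days=7)   # "you have to wait a week"

def issuance_by_name_set(entries):
    """Collapse precert/leaf pairs and group issuance times by exact hostname set."""
    unique = {}
    for e in entries:
        # A precertificate and its final certificate share one serial number,
        # so keying on (issuer, serial) counts each pair once.
        unique.setdefault((e["issuer"], e["serial"]), e)
    groups = defaultdict(list)
    for e in unique.values():
        groups[frozenset(n.lower() for n in e["names"])].append(e["not_before"])
    return groups

def duplicate_limit_reached(entries, names, now):
    """True if LIMIT certificates with exactly this hostname set fall inside WINDOW."""
    wanted = frozenset(n.lower() for n in names)
    times = issuance_by_name_set(entries).get(wanted, [])
    recent = [t for t in times if now - WINDOW < t <= now]
    return len(recent) >= LIMIT

def build_sample(now):
    """Constructed rows: 5 certs for www only, 2 for the apex only, each logged twice."""
    rows = []
    for i in range(7):
        names = ["www.example.com"] if i < 5 else ["example.com"]
        issued = now - timedelta(hours=3 * (i + 1))
        for kind in ("precert", "leaf"):
            rows.append({"issuer": "Constructed CA", "serial": f"{i:02x}",
                         "kind": kind, "names": names, "not_before": issued})
    return rows

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0)   # constructed reference time
    rows = build_sample(now)
    print(len(rows), "log rows,", sum(map(len, issuance_by_name_set(rows).values())), "certificates")
    for names in (["www.example.com"], ["example.com"], ["example.com", "www.example.com"]):
        print(names, "blocked" if duplicate_limit_reached(rows, names, now) else "can issue")
```

The combined apex plus www set is a different hostname set from www alone, which is why it is not affected by the five certificates already issued for www only.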

Oh nice thanks for the explanations!

I don't know why but Heroku doesn't allow that (if I don't misunderstand a thing).
I will wait a week to be able to generate a new cert by using their Heroku ACM tool, maybe not the cleanest way to manage certs but simpler for me.

Have a good day guys!
Thanks for the help

2 Likes
