Certificate rate limits help

Hello there,

We are trying to use the swag bundle in google cloud to generate wildcard certificates.
There have been issues whilst setting up the configuration, and we hit the rate limits for the domain.
Currently we are locked out, and cannot move forwards until the week expires for the current limit.
The error thrown for the certificate request is:
"too many certificates already issued for exact set of domains"

Is there any way we can increase or reset the limit?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
*.ci-dev.digeplan.io

I ran this command:
not sure what the command is as this is encapsulated in the swag/nginx bundle
linuxserver/swag:1.8.0-ls12

It produced this output:
"too many certificates already issued for exact set of domains"

My web server is (include version):
linuxserver/swag:1.8.0-ls12

The operating system my web server runs on is (include version):
GC - Container-Optimised OS with Containerd (cos_containerd)

My hosting provider, if applicable, is:
Google Cloud

I can login to a root shell on my machine (yes or no, or I don't know):
I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

not sure what version is running as part of the package


Hi @dmcpayne

that's not required. You have created certificates

so use one of these 60 - 85 days, then create the next.

It's a waste of resources creating so many certificates.

Hitting that limit is always the wrong way of using Let's Encrypt.


Hello JuergenAuer,

Thank you for your response - I appreciate you taking the time.

We are just starting out on this journey using certificate automation, and are learning.

The reason we have generated so many certificates to date is that we hadn't stored the certificate in a persistent volume. So each time the service re-started, a new certificate was generated, and we don't have any back-ups.
We had some config issues that have been a little 'trial and error' to date as our understanding builds.

We are now trying to ensure the cert is stored but can't test the updated implementation until the rate limits reset in 2 days' time.

In the meantime, we're a bit stuck.
Is there anything we can do that can help us out just now, or do we need to wait until the limit releases?

Cheers for now,
Drew


If you're trying to test your integration, you can use the staging environment which has much higher rate limits.


Hello @dmcpayne,

As @petercooperjr said, you should use staging if you are only testing the procedure to get a certificate.

Anyway, if you want to avoid the rate limit "too many certificates already issued for exact set of domains", just add one domain to your cert: ci-dev.digeplan.io, *.ci-dev.digeplan.io and, for example, www.ci-dev.digeplan.io, and you should be able to create a new certificate right now.

P.S. Gentle reminder... use staging for your cert tests :wink:

Cheers,
sahsanu

Thanks sahsanu,

Appreciate the gentle reminder - we have been using the staging for cert validation following this incident, but we can't seem to access the system at all when we use this.

I need to do a bit more research, as it appears the nginx server that forms part of the linuxserver/swag docker component does not start without a valid certificate - don't know if this concern is valid..?

So although we can see the cert is issued, and check it is saved in a pv, we can't test the rest of the system in this chain.
Unless.. we've got something wrong - which, to be fair, isn't unlikely :wink:

Thanks again,
Drew


Hello again,

Does anyone have experience with the linuxserver/docker-swag component?
We're using the Google Cloud DNS plugin, but keep getting the following error:

ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/google.json file.

This is the current configuration we're using:

            - name: PUID
              value: "1000"
            - name: PGID
              value: "1000"
            - name: TZ
              value: "Europe/London"
            - name: URL
              value: "ci-dev.digeplan.io."
            - name: SUBDOMAINS
              value: "wildcard"
            - name: VALIDATION
              value: "dns"
            - name: EMAIL
              value: "email@domain.com"
            - name: ONLY_SUBDOMAINS
              value: "false"
            - name: STAGING
              value: "true"
            - name: DNSPLUGIN
              value: "google"
          volumeMounts:
          - name: le-ssl
            mountPath: "/config/"
            readOnly: false
          - name: letsencrypt-config
            mountPath: "/config/nginx/site-confs/app.config"
            readOnly: true
            subPath: app.config
          - name: letsencrypt-config
            mountPath: "/config/dns-conf/google.json"
            readOnly: false
            subPath: google.json

The certificate is generated, the DNS is updated, challenged etc, so really not sure what's happening here?

BTW: we're using the staging environment :wink:

Thanks in advance,
Drew

Just to update this ticket, as we finally found the issue.

The application config is applied through Terraform, and the variable used for the URL domain value (shown in the config above) added a '.' at the end of the URL.

This meant that the correct certificate was not found.

Thanks for all the help to date.

Cheers for now,
Drew
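Two things in this thread can be checked locally before a request is sent: the "exact set of domains" duplicate limit that sahsanu's reply works around by changing the name set, and the trailing dot Drew found in the URL value. The following is an added example, not code from the thread or from swag; the issuance history is constructed, the 5-per-week figure is Let's Encrypt's published duplicate-certificate limit, and the local record format is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Let's Encrypt's duplicate-certificate limit: certs per exact name set per 7 days
DUPLICATE_LIMIT_PER_WEEK = 5


def normalize_name(name: str) -> str:
    """Lowercase a DNS name and drop a trailing dot, so that the value
    "ci-dev.digeplan.io." (the Terraform bug in the thread) compares equal
    to "ci-dev.digeplan.io" when matching against an issued certificate."""
    return name.strip().lower().rstrip(".")


def exact_set_key(names) -> tuple:
    """The duplicate limit keys on the exact set of names; order and case
    do not matter, so a sorted tuple of normalized names is the key."""
    return tuple(sorted({normalize_name(n) for n in names}))


def duplicates_in_window(issued, names, now, days=7) -> int:
    """Count previously issued certs with the same exact name set in the
    window. `issued` is an assumed local record: (issued_at, names) pairs."""
    key = exact_set_key(names)
    cutoff = now - timedelta(days=days)
    return sum(1 for when, n in issued if when >= cutoff and exact_set_key(n) == key)


def would_hit_duplicate_limit(issued, names, now) -> bool:
    """True when one more request for this exact set would be refused."""
    return duplicates_in_window(issued, names, now) >= DUPLICATE_LIMIT_PER_WEEK


# Constructed history: a container without a persistent volume that requested
# a fresh cert on each restart (five inside the week, one older than a week).
NOW = datetime(2021, 1, 20, 12, 0, tzinfo=timezone.utc)
HISTORY = [(NOW - timedelta(hours=h), ["ci-dev.digeplan.io.", "*.ci-dev.digeplan.io"])
           for h in (2, 5, 9, 30, 70)]
HISTORY.append((NOW - timedelta(days=10), ["ci-dev.digeplan.io", "*.ci-dev.digeplan.io"]))

if __name__ == "__main__":
    wanted = ["ci-dev.digeplan.io", "*.ci-dev.digeplan.io"]
    # Five duplicates in the last 7 days: this request would be rate limited.
    print(would_hit_duplicate_limit(HISTORY, wanted, NOW))
    # Adding www.ci-dev.digeplan.io changes the exact set, so the counter is fresh.
    print(would_hit_duplicate_limit(HISTORY, wanted + ["www.ci-dev.digeplan.io"], NOW))
```

The same check is better run against the staging environment during trial-and-error, as the thread recommends, since the production counter is what locks the domain out.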
