Certificate ratelimit

My domain is:
zvuk.com, *.zvuk.com and some others

I ran this command:
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials ~/rfc2136.ini -d zvuk.com -d *.zvuk.com

It produced this output:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.zvuk.com,zvuk.com: see Rate Limits - Let's Encrypt - Free SSL/TLS Certificates

My web server is (include version):
doesn't matter

The operating system my web server runs on is (include version):
ubuntu-16.04 (docker), ubuntu 20.04 (docker)

I can login to a root shell on my machine (yes or no, or I don't know):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
0.31.0 / 0.40.0

The point is that I am running this command every month to get new certificates, but for some reason I am getting a rate limit warning, which is 5 per week. The last time the certificates were updated was 4.01.2021; after that there were no successful updates, and now I got a certificate expiration warning. I have multiple domains and used the same command for every pair $DOMAIN *.$DOMAIN - and now I can get a certificate only for the newest domain, which was added some time after implementing SSL auto-update.

I have just updated my Docker container from Ubuntu 16.04 to 20.04 and updated the certbot version - same error. I also tried running this command on another server with a different IP and a different account - same result. It seems like there is not only 5 per week, but also something like 10 per year or something like that?
I need help with that, 28 days left 🙂

Hello @vversh,

No, there isn't a limit like 10 per year; the rate limit you have reached is 5 certificates using the same subset of domains per 7 days. Something happened on your side on 4th March and you issued 5 certificates from 07:25 AM UTC to 07:33 AM UTC.

CRT_ID      CA  CERT_TYPE   DOMAIN_(CN)  KEY_ALG      VALID_FROM             VALID_TO               EXPIRES_IN  SANs
4160738363  R3  Final cert  zvuk.com     RSA 2048bit  2021-Mar-04 06:33 UTC  2021-Jun-02 06:33 UTC  85 days     *.zvuk.com
4160732504  R3  Final cert  zvuk.com     RSA 2048bit  2021-Mar-04 06:32 UTC  2021-Jun-02 06:32 UTC  85 days     *.zvuk.com
4160726192  R3  Final cert  zvuk.com     RSA 2048bit  2021-Mar-04 06:30 UTC  2021-Jun-02 06:30 UTC  85 days     *.zvuk.com
4160720323  R3  Final cert  zvuk.com     RSA 2048bit  2021-Mar-04 06:28 UTC  2021-Jun-02 06:28 UTC  85 days     *.zvuk.com
4160711390  R3  Final cert  zvuk.com     RSA 2048bit  2021-Mar-04 06:25 UTC  2021-Jun-02 06:25 UTC  85 days     *.zvuk.com
4121292170  R3  Final cert  go.zvuk.com  RSA 2048bit  2021-Feb-23 15:48 UTC  2021-May-24 15:48 UTC  77 days     go.zvuk.com
4021024405  R3  Final cert  zvuk.com     RSA 2048bit  2021-Feb-02 16:34 UTC  2021-May-03 16:34 UTC  56 days     *.zvuk.com
4021012686  R3  Final cert  zvuk.com     RSA 2048bit  2021-Feb-02 16:31 UTC  2021-May-03 16:31 UTC  56 days     *.zvuk.com
3901323067  R3  Final cert  l.zvuk.com   RSA 4096bit  2021-Jan-09 10:49 UTC  2021-Apr-09 10:49 UTC  31 days     l.zvuk.com
3874758143  R3  Final cert  zvuk.com     RSA 2048bit  2021-Jan-04 06:24 UTC  2021-Apr-04 06:24 UTC  26 days     *.zvuk.com
3757985869  R3  Final cert  go.zvuk.com  RSA 2048bit  2020-Dec-09 16:48 UTC  2021-Mar-09 16:48 UTC  1 day       go.zvuk.com

You should review the automation you are using to renew your certificates, because it seems it is not working as expected or something happened that day.

Note: The next time you could issue a new certificate covering the same subset of domains will be 11th March 07:25 UTC.
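
The arithmetic behind the reply above, as an added example that is not part of the original thread: it groups issuances by exact set of names and applies the 5-per-7-days rolling window, so a renewal job can refuse to call certbot while the limit is exhausted. The listing is embedded as constructed sample input, the function names are hypothetical, and the one-hour offset reflects Let's Encrypt setting notBefore one hour before the actual issuance time.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LIMIT = 5                       # certificates per exact set of names...
WINDOW = timedelta(days=7)      # ...per rolling 7 days, as stated in the reply above
BACKDATE = timedelta(hours=1)   # Let's Encrypt sets notBefore one hour before issuance

# Sample input constructed from the listing above: (VALID_FROM in UTC, names on the cert).
# Assumption: the zvuk.com rows cover both names, as in the certbot error message.
WILD = ("zvuk.com", "*.zvuk.com")
LISTING = [
    ("2021-03-04 06:33", WILD), ("2021-03-04 06:32", WILD), ("2021-03-04 06:30", WILD),
    ("2021-03-04 06:28", WILD), ("2021-03-04 06:25", WILD),
    ("2021-02-23 15:48", ("go.zvuk.com",)),
    ("2021-02-02 16:34", WILD), ("2021-02-02 16:31", WILD),
    ("2021-01-09 10:49", ("l.zvuk.com",)),
    ("2021-01-04 06:24", WILD),
]

def issuance_times(listing):
    """Group estimated issuance times by the exact (order-insensitive) set of names."""
    by_set = defaultdict(list)
    for not_before, names in listing:
        ts = datetime.strptime(not_before, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        by_set[frozenset(n.lower() for n in names)].append(ts + BACKDATE)
    return {k: sorted(v) for k, v in by_set.items()}

def next_allowed(times, now):
    """Return None if another certificate may be requested at `now`, otherwise
    the moment the oldest counted issuance leaves the rolling window."""
    recent = [t for t in times if now - WINDOW < t <= now]
    if len(recent) < LIMIT:
        return None
    return recent[-LIMIT] + WINDOW

def check(names, now, listing=LISTING):
    """Pre-flight guard a renewal job can call before invoking certbot."""
    times = issuance_times(listing).get(frozenset(n.lower() for n in names), [])
    return next_allowed(times, now)
```

Calling `check(("zvuk.com", "*.zvuk.com"), now)` with a time between the burst and 11th March returns the same moment given in the note above; a job scheduler that retries a failed task can use a non-None result as the signal to stop retrying.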



Thanks a lot.

Yeah, it seems something went wrong with Cloudflare DNS/auth and Nomad tried to start the failed task with the domains list over and over again. We definitely need to improve this behaviour and at least add logging.


Fixed the issue with our automation and DNS, got new certificates, everything is fine now. Should I close this ticket somehow?


Glad to hear that. If you want, you can select any post and mark it as the solution for this thread, but there is no need to close it; it will be closed automatically a month after the last reply.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.