Certificate renew rate-limiting

As far as I can tell this is the correct sub-forum for this kind of question, sorry if it’s not.

I have a certificate which is now 115 Days out of date and I’m not able to update it due to being rate-limited, however I’m running what could be considered a non-standard config; however I will start with the output that I receive from running “systemctl status acme-willanderson.xyz”

Dec 28 10:33:35 citalopram simp_le[21221]: "type": "urn:ietf:params:acme:error:rateLimited",
Dec 28 10:33:35 citalopram simp_le[21221]: "detail": "Error creating new order :: too many certificates already issued for exact set of domains: willanderson.xyz: see https://letsencrypt.org/docs/rate-limits/",
Dec 28 10:33:35 citalopram simp_le[21221]: "status": 429
Dec 28 10:33:35 citalopram simp_le[21221]: }
Dec 28 10:33:35 citalopram simp_le[21221]: ACME server returned an error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: willanderson.xyz: see https://letsencrypt.org/docs/rate-limits/

The certificate in question is for “willanderson.xyz”

This is where my setup is stranger than most, I use NixOS and handle 6 certificates declaratively, the webserver in use is nginx and it’s not on a hosting provider.

All 6 domains (And their certificates) are configured behind reverse proxies that are managed like this.

    services.nginx.virtualHosts."willanderson.xyz" = {
      addSSL = true;
      enableACME = true;
      root = "/web";
    };

As far as I can tell NixOS uses simp_le as a client, as well as trying to update all of the certificates at once upon rebuilds if that part of the config file has changed.

Steps taken to reduce amount of "spam"
Commenting out all other domains and thus stopping their timers and services.

Link to crt.sh https://crt.sh/?q=willanderson.xyz
Now, that looks like it’s way too many however it’s been enough time that the 7 day rate limit I think I’m imposing on to have expired and me to be able to request this cert as it’s the only one that isn’t working.

If I’m missing something feel free to tell me and sorry for what feels like a rambly post, I’ve been up way too long.


Hi @Barrel

crt.sh currently doesn't work. Read

My tool "check your website" uses Certspotter + crt.sh - https://check-your-website.server-daten.de/?q=willanderson.xyz

There you see your rate limit:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-12-28 | 2020-03-27 | willanderson.xyz - 1 entries | duplicate nr. 5 | next Letsencrypt certificate: 2019-12-29 23:34:12 |
| Let's Encrypt Authority X3 | 2019-12-28 | 2020-03-27 | willanderson.xyz - 1 entries | duplicate nr. 4 | |
| Let's Encrypt Authority X3 | 2019-12-28 | 2020-03-27 | willanderson.xyz - 1 entries | duplicate nr. 3 | |
| Let's Encrypt Authority X3 | 2019-12-28 | 2020-03-27 | willanderson.xyz - 1 entries | duplicate nr. 2 | |
| Let's Encrypt Authority X3 | 2019-12-22 | 2020-03-21 | willanderson.xyz - 1 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2019-12-15 | 2020-03-14 | willanderson.xyz - 1 entries | | |

So you have hit the limit.

Use one of these certificates and install it manually.

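The sliding-window arithmetic behind a "next certificate" time like the one in the table above, as an added example that is not part of the original posts and not the code of the tool mentioned there. It assumes the Duplicate Certificate limit Let's Encrypt documented at the time (5 per exact name set per 7 days); the times of day, the `www` name and the UTC timezone are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the Duplicate Certificate limit Let's Encrypt documented when
# this thread was written (5 certificates per exact name set per 7 days).
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)


def name_set_key(names):
    """Identity of an exact name set: case- and order-insensitive."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)


def next_allowed(issuances, names, now, limit=DUPLICATE_LIMIT, window=WINDOW):
    """Earliest time a new certificate for exactly `names` fits under the
    sliding window. `issuances` is a list of (issued_at, names) pairs."""
    key = name_set_key(names)
    recent = sorted(
        issued for issued, san in issuances
        if name_set_key(san) == key and now - window < issued <= now
    )
    if len(recent) < limit:
        return now  # a slot is free already
    # A slot frees when the limit-th most recent issuance leaves the window.
    return recent[-limit] + window


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample: dates follow the table above, times of day are made up
# (the 2019-12-22 time is picked to line up with the table's "next" value).
ONE = ["willanderson.xyz"]
SAMPLE = [
    (utc(2019, 12, 15, 22, 10, 0), ONE),
    (utc(2019, 12, 22, 23, 34, 12), ONE),
    (utc(2019, 12, 28, 8, 5, 0), ONE),
    (utc(2019, 12, 28, 9, 12, 0), ONE),
    (utc(2019, 12, 28, 9, 50, 0), ONE),
    (utc(2019, 12, 28, 10, 20, 0), ONE),
    # Constructed superset: a different exact set, so it is not counted.
    (utc(2019, 12, 28, 10, 25, 0), ["willanderson.xyz", "www.willanderson.xyz"]),
]
NOW = utc(2019, 12, 28, 10, 33, 35)  # time of the 429 in the log, taken as UTC

if __name__ == "__main__":
    print("retry after:", next_allowed(SAMPLE, ONE, NOW).isoformat())
```

Scheduling the renewal timer no earlier than the returned time avoids spending further failed orders while the window is still full.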
