Certificate renewal from the starting point

Hello.

If I installed a certificate for example 01/01/2013 and made a backup of the “/etc/letsencrypt” folder.

Then for many years, I regularly updated the certificate, until 01/01/2020, but did not backup.

Can I renew the certificate using the backup that was made on 01.01.2013?

My domain is: https://fimlsgreat.tk/

1 Like

Can you be more precise?

Let’s Encrypt didn’t exist in 2013.

Your domain seems to have had two certificates issued ever, both within the last week.

What’s the actual situation you’re asking about?

For most ACME clients – including Certbot – reverting to a backup and running their renewal command will probably work.

If you revert to a 7 year old backup, some software may have made backwards incompatible changes in the intervening years.

Be mindful of the Let’s Encrypt rate limits:

2 Likes

If you revert to a 7 year old backup, some software may have made backwards incompatible changes in the intervening years.

Thank you for your answer!

Did I understand correctly that it is possible to install 50 certificates per week on one domain? If yes, then I do not need backups.

1 Like

50 certificates for new sets of names.

Some of the other rate limits may be more of a concern.

If you’re running some kind of containerized environment, you should certainly save your Let’s Encrypt data to persistent storage, especially if you blow the containers away every time new commits are pushed or something.

But it’s true that losing everything occasionally is not usually a big deal and you don’t have to worry that much about your backups.

2 Likes

50 certificates for new sets of names.

This means that, for example, this domain https://fimlsgreat.tk/ has a limit of 50 new certificates per week?

If you’re running some kind of containerized environment, you should certainly save your Let’s Encrypt data to persistent storage, especially if you blow the containers away every time new commits are pushed or something.

I do not use a containerized environment; I use VirtualBox to set up the development environment.
Once the development environment has been configured, the certificate will only be updated.

To set up a development environment, I need about 10 certificates per week. I use the cache, and I don’t have to install the certificate every time.

1 Like

If you want separate certificates for one.fimlsgreat.tk, two.fimlsgreat.tk, three.fimlsgreat.tk, then the first limit you’ll hit will be the Certificates Per Registered Domain limit, which would stop you at fifty.fimlsgreat.tk.

If you want to request certificates for the same domain fimlsgreat.tk itself (for example, with different subject public keys), the first limit you’ll hit will be the Duplicate Certificate limit, which would stop you at the fifth such certificate.

The application of these two limits depends on whether the list of names covered by the new certificates is the same or different.

2 Likes

Yes, I’m interested in requesting certificates for the same domain fimlsgreat.tk.

Can I find out when I reach the limit of duplicate certificates?
Can I get the count/number of certificates created for a domain? Or can I get the limit number?

I use CertBot.

There is currently no API or interface to find out about the duplicated certificates. Some of the online debugging tools that people have made here like https://letsdebug.net/ and https://check-your-website.server-daten.de/ may be able to make a guess based on Certificate Transparency data. Overall, Let’s Encrypt users are expected to take precautions themselves to avoid hitting issuance rate limits.

Is there some reason that you need to create duplicative certificates instead of re-using an existing certificate? A certificate with its matching private key can be used on an unlimited number of machines; you don’t need a separate or distinctive server per-machine.

2 Likes
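The two limits described above (Certificates per Registered Domain, counting new sets of names, and Duplicate Certificate, counting identical sets of names, both over a week), together with the point that there is no API to query them, can be turned into a local pre-check over your own issuance records. The following is an added example, not code from the thread, Certbot or Let’s Encrypt: it keeps a constructed log of (issue time, set of names) pairs and reports which limit the next order would run into. The limit values 50 and 5 and the 7-day window are taken from the thread; `registered_domain` is a simplifying assumption (last two labels) where Let’s Encrypt actually consults the Public Suffix List, and the treatment of an already-issued name set as exempt from the per-registered-domain count follows the thread’s wording "50 certificates for new sets of names".

```python
from datetime import datetime, timedelta, timezone

# Limits as described in the thread, per rolling 7-day window.
WINDOW = timedelta(days=7)
CERTS_PER_REGISTERED_DOMAIN = 50   # distinct sets of names under one registered domain
DUPLICATE_CERTIFICATES = 5         # certificates with an identical set of names


def registered_domain(name):
    """Reduce a hostname to its registered domain.

    Simplifying assumption for this example: the registered domain is the
    last two labels (one.fimlsgreat.tk -> fimlsgreat.tk). The real policy
    uses the Public Suffix List, which this toy does not consult.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(names):
    """Case-insensitive, trailing-dot-insensitive set of names."""
    return frozenset(n.lower().rstrip(".") for n in names)


def check_limits(history, new_names, now):
    """Return the names of the rate limits a new order would hit.

    history:   iterable of (issued_at, names) pairs, one per certificate
               already issued (reconstructed from your own logs or from
               Certificate Transparency data).
    new_names: the exact set of names the next certificate would cover.
    """
    wanted = normalise(new_names)
    window_start = now - WINDOW
    recent = [normalise(ns) for t, ns in history if window_start < t <= now]

    hit = []

    # Duplicate Certificate limit: same exact set of names, N per week.
    duplicates = sum(1 for ns in recent if ns == wanted)
    if duplicates >= DUPLICATE_CERTIFICATES:
        hit.append("duplicate-certificate")

    # Certificates per Registered Domain: only *new* sets of names count,
    # so a repeat of a set already issued this week is judged above only.
    if wanted not in recent:
        for domain in {registered_domain(n) for n in wanted}:
            sets_for_domain = {
                ns for ns in recent if any(registered_domain(n) == domain for n in ns)
            }
            if len(sets_for_domain) >= CERTS_PER_REGISTERED_DOMAIN:
                hit.append("certificates-per-registered-domain")
                break
    return hit


def sample_now():
    """Fixed reference time for the constructed examples."""
    return datetime(2020, 4, 10, tzinfo=timezone.utc)


def sample_history(now):
    """Constructed issuance log: five issuances of fimlsgreat.tk in the
    last week plus one older entry that falls outside the window."""
    return [(now - timedelta(days=d), {"fimlsgreat.tk"}) for d in (1, 2, 3, 4, 5)] + [
        (now - timedelta(days=8), {"fimlsgreat.tk"})
    ]


def sample_subdomain_history(now, count):
    """Constructed issuance log: one certificate per distinct subdomain,
    all issued within the last `count` hours."""
    return [(now - timedelta(hours=i), {f"sub{i}.fimlsgreat.tk"}) for i in range(1, count + 1)]


if __name__ == "__main__":
    now = sample_now()
    print(check_limits(sample_history(now), {"fimlsgreat.tk"}, now))
    print(check_limits(sample_subdomain_history(now, 50), {"sub51.fimlsgreat.tk"}, now))
```

The check is only as good as the history you feed it: Let’s Encrypt counts every issuance it performed, including ones made from another machine or an earlier VirtualBox image, so records you did not keep (or could not recover from CT logs) are exactly the ones that make the local estimate optimistic.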

Is there some reason that you need to create duplicative certificates instead of re-using an existing certificate? A certificate with its matching private key can be used on an unlimited number of machines; you don’t need a separate or distinctive server per-machine.

Aging backup.

As example:

2020: I save a backup of the certificate.

Certbot renews the certificates automatically before they expire. I am not doing backups.

2023: I am changing my server (VDS) and I need a backup. I take the backup that was created in 2020. But this backup may no longer work? I cannot restore the certificate from the backup on the server?

1 Like

It’s true that a certificate backup from 2020 won’t work in 2023 due to expiration of the certificate, but I wonder if you have some misconceptions about Let’s Encrypt’s certificates.

Each Let’s Encrypt certificate is only valid for 90 days. Each renewal simply involves replacing a copy of the old certificate with a copy of a freshly-issued certificate (with the same domain name coverage). The rate limit we’re discussing resets after just one week.

There’s no way that any particular certificate issuance or backup strategy could directly allow you to use old Let’s Encrypt certificates from a backup that’s more than 90 days old, since no such backup could contain a Let’s Encrypt certificate with ongoing validity.

3 Likes

The duplicate certificate rate limit prevents you from creating more than 5 duplicate certificates within 1 week. Creating 1-2 duplicate certificates is obviously less than 5, so it’s fine.

The new orders rate limit means that it will take time to renew hundreds of certificates, but you can do it.

3 years from now, Let’s Encrypt might have looser rate limits, though!

You should take more frequent backups, though. Installing 3 years of software updates is probably a pain.

2 Likes

I will try not to exceed the limit on requesting new certificates.

Thank you very much!

1 Like
