Hello. I just had a question regarding the “too many certificates already issued for exact set of domains” message. I know that by default I can only do 5 per week. My question is when does that counter get reset? Is it the beginning of every week in that it gets reset every Sunday or Monday early in the morning? Is it 1 week after the last successful certificate request? Or is it 1 week after the most recent instance of that alert? Knowing this will let me know when I will be able to implement certbot into a new server I am working on.
It’s a sliding window of 7 days. So you can issue a new certificate when you’ve issued fewer than 5 certificates in the last 7 days (or the last 604800 seconds, depending on how precise you’d want your answer).
May I also remind you of the existence of the staging environment, which should be used if you’re testing software/implementations et cetera?
Why is this required? If your configuration works, you create one certificate and use it for 60 - 85 days.
If your configuration doesn’t work, you don’t hit that limit.
Basically I am creating a new staging server for a project I just became a part of because the original one made by the person before me wasn’t very well made. It works, but maintenance is difficult to perform. He left shortly before I arrived and I had never worked with these tools before so I’m having to do a lot of learn by doing. What happened is that while creating this, the website wouldn’t connect properly. Not knowing what I do now, I went back to a previous state and went into the certbot setup again. Do this multiple times and the limit gets hit. It is now at a state where this should be the final step of completion for domain redirection. I just want to make sure I’m not unintentionally extending this wait because I’m trying again too soon.
So then it is 7 days after that fifth successful request? And by that logic I am assuming that additional attempts after that that generate the message would not then increase the wait time, correct? As for the staging environment, I was not aware of it as I have not used Let’s Encrypt before fairly recently joining this project I am in. So I was not even aware of this limit until this came up. It is in a sort of “the sooner, the better” type of situation, so I just want to make sure I don’t unintentionally keep this stuck in limbo.
Do you really need to try again soon? You’ve got the certificates, right? Why do you need to get a new one issued? It should be possible to use the previously generated certificates: you’ve got five of them!
No, not entirely. 7 days after your fifth (and therefore last) successful request you’d have zero certificates issued in the past 7 days, so you’d wait unnecessarily long.
For example: if you’d get 1 certificate every day for 5 days (where the certificates are equal), you’d hit this rate limit after the fifth certificate, as expected. But the first duplicate certificate would be already 4 to 5 days old (depending on the time of issuance)! So you’d only have to wait 2 to 3 days to be able to get the same duplicate certificate again.
However, if you got 5 certificates on the same day, you’d have to wait 7 days!
Another example: get 4 certificates on one day, wait 5 days (so it would be the 6th day since the first certificate) and get another one: that would be your fifth certificate and you wouldn’t be able to get a new one. However, a day (and perhaps a few hours) later, those first 4 certificates would fall “out of the window of 7 days” and you’d be able to get 5 (rate limit) minus 1 (the last certificate) equals 4 new duplicate certificates.
So you have to make a backup, so the already created certificates are saved and you can re-use these.
Then you don’t have any problem with “missing certificates”.
All 5 attempts were done on the same day if I recall correctly. The previous state I would go back to would be before setting up certbot and making the certificate request. I’m getting a certificate for a specific domain we use for the staging version of our website to make sure the redirect works correctly. I don’t NEED to try again soon. It’s more of a “the sooner the better” kind of situation. If I have to wait, there is no escaping that. I would just prefer to get it in the done column sooner. Thank you very much for your assistance on this.
I will definitely keep this in mind when I am able to do this again. Thank you very much for your assistance with this.
Ah, well, then it’s just waiting for 7 days after that moment then.
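The sliding-window arithmetic from the examples in this thread, as an added example that is not part of the original posts and not Let's Encrypt's own code. It assumes a certificate counts against the limit while it is younger than exactly 7 days; the function names and the sample issuance times are constructed for illustration.

```python
from datetime import datetime, timedelta

LIMIT = 5                    # duplicate certificates allowed per window (from the thread)
WINDOW = timedelta(days=7)   # sliding window, i.e. 604800 seconds

def in_window(issued, at):
    """Issuance times still counted at `at` (assumption: counted while younger than WINDOW)."""
    return sorted(t for t in issued if t <= at and at - t < WINDOW)

def slots_available(issued, at):
    """How many more duplicate certificates could be issued at time `at`."""
    return max(0, LIMIT - len(in_window(issued, at)))

def earliest_next_issuance(issued, now):
    """Earliest moment at which one more duplicate certificate fits in the window."""
    recent = in_window(issued, now)
    if len(recent) < LIMIT:
        return now
    # Enough of the oldest entries must age out to leave LIMIT - 1 in the window;
    # the last one that has to expire decides the wait.
    blocker = recent[len(recent) - LIMIT]
    return blocker + WINDOW

# Constructed sample timelines matching the three cases discussed above.
BASE = datetime(2024, 1, 1, 12, 0)
DAILY = [BASE + timedelta(days=d) for d in range(5)]         # one per day for 5 days
SAME_DAY = [BASE + timedelta(hours=h) for h in range(5)]     # five on the same day
BURST = [BASE + timedelta(minutes=m) for m in (0, 10, 20, 30)] + [BASE + timedelta(days=5)]

if __name__ == "__main__":
    for name, issued in (("daily", DAILY), ("same day", SAME_DAY), ("4 + 1", BURST)):
        now = max(issued) + timedelta(hours=1)
        nxt = earliest_next_issuance(issued, now)
        print(f"{name:9s} wait {nxt - now}, slots then: {slots_available(issued, nxt)}")
```

Failed attempts that only return the rate-limit message are not in the issuance list, so they do not move the result.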