Certificates Being Generated without User Awareness - Apparent "Inaccurate" Renewal Emails

We have an OVH server behind CloudFlare running Plesk 12.

Last year, we installed let’s Encrypt SSL on our main domain AppBuzzinga.com - only the one Cert.
And on a couple of sub-domains like deadeasyapps.appbuzzinga.com

It all worked fine for many months.

domain - appbuzzinga.com
command line: no command line, it’s a Plesk interface, certbot isn’t installed
OS and server: Centos7, Plesk 12.5.3 , NGINX & Apache
Dedicated OVH server

All of a sudden, in April we started getting “expiration notices” for Appbuzzinga.com and deadeasyapps.appbuzzinga.com

In Plesk, with the Let’s Encrypt extension, we tried to renew appbuzzinga.com. Got an error, but no error text. (very odd). Tried again, then tried deadeasyapps.appbuzzinga.com, and got this:

Error: Let’s Encrypt SSL certificate installation failed: Invalid response from https://acme-v01.api.letsencrypt.org/acme/new-cert: Error creating new cert :: too many certificates already issued for exact set of domains: deadeasyapps.appbuzzinga.com.
Type: urn:acme:error:rateLimited.

Our setup is slightly different from those of others reporting similar issue.

So we thought we would ask for help. :slight_smile:

Sid B.

Hi @mydragonsoftware,

I don't use or know how to solve your issue with Plesk Let's Encrypt plugin, but your are issuing the same certificates every day since 18th April (maybe you updated or changed somthing that day....)
:

2017/May/25 17:36:02 - Checking certs for appbuzzinga.com

I have found 45 non expired certificates for domain appbuzzinga.com and its subdomains *.appbuzzinga.com

CRT ID     DOMAIN (CN)                   VALID FROM              VALID TO                EXPIRES IN  SANs
144034423  appbuzzinga.com               2017-May-25 15:39 CEST  2017-Aug-23 15:39 CEST  89 days     appbuzzinga.com
                                                                                                     www.appbuzzinga.com
143833039  appbuzzinga.com               2017-May-25 05:00 CEST  2017-Aug-23 05:00 CEST  89 days     appbuzzinga.com
143832860  deadeasyapps.appbuzzinga.com  2017-May-25 05:00 CEST  2017-Aug-23 05:00 CEST  89 days     deadeasyapps.appbuzzinga.com
143252477  appbuzzinga.com               2017-May-24 05:00 CEST  2017-Aug-22 05:00 CEST  88 days     appbuzzinga.com
143252364  deadeasyapps.appbuzzinga.com  2017-May-24 05:00 CEST  2017-Aug-22 05:00 CEST  88 days     deadeasyapps.appbuzzinga.com
142702365  appbuzzinga.com               2017-May-23 05:00 CEST  2017-Aug-21 05:00 CEST  87 days     appbuzzinga.com
142702273  deadeasyapps.appbuzzinga.com  2017-May-23 05:00 CEST  2017-Aug-21 05:00 CEST  87 days     deadeasyapps.appbuzzinga.com
142155230  appbuzzinga.com               2017-May-22 05:00 CEST  2017-Aug-20 05:00 CEST  86 days     appbuzzinga.com
141650993  deadeasyapps.appbuzzinga.com  2017-May-21 05:00 CEST  2017-Aug-19 05:00 CEST  85 days     deadeasyapps.appbuzzinga.com
141133156  appbuzzinga.com               2017-May-20 05:00 CEST  2017-Aug-18 05:00 CEST  84 days     appbuzzinga.com
141132881  deadeasyapps.appbuzzinga.com  2017-May-20 05:00 CEST  2017-Aug-18 05:00 CEST  84 days     deadeasyapps.appbuzzinga.com
140674490  appbuzzinga.com               2017-May-19 05:00 CEST  2017-Aug-17 05:00 CEST  83 days     appbuzzinga.com
140674255  deadeasyapps.appbuzzinga.com  2017-May-19 05:00 CEST  2017-Aug-17 05:00 CEST  83 days     deadeasyapps.appbuzzinga.com
140117909  appbuzzinga.com               2017-May-18 05:00 CEST  2017-Aug-16 05:00 CEST  82 days     appbuzzinga.com
140117709  deadeasyapps.appbuzzinga.com  2017-May-18 05:00 CEST  2017-Aug-16 05:00 CEST  82 days     deadeasyapps.appbuzzinga.com
139562240  appbuzzinga.com               2017-May-17 05:00 CEST  2017-Aug-15 05:00 CEST  81 days     appbuzzinga.com
139561919  deadeasyapps.appbuzzinga.com  2017-May-17 05:00 CEST  2017-Aug-15 05:00 CEST  81 days     deadeasyapps.appbuzzinga.com
138977364  appbuzzinga.com               2017-May-16 05:00 CEST  2017-Aug-14 05:00 CEST  80 days     appbuzzinga.com
138977201  deadeasyapps.appbuzzinga.com  2017-May-16 05:00 CEST  2017-Aug-14 05:00 CEST  80 days     deadeasyapps.appbuzzinga.com
138389570  appbuzzinga.com               2017-May-15 05:00 CEST  2017-Aug-13 05:00 CEST  79 days     appbuzzinga.com
137841952  deadeasyapps.appbuzzinga.com  2017-May-14 05:00 CEST  2017-Aug-12 05:00 CEST  78 days     deadeasyapps.appbuzzinga.com
137261808  deadeasyapps.appbuzzinga.com  2017-May-13 05:00 CEST  2017-Aug-11 05:00 CEST  77 days     deadeasyapps.appbuzzinga.com
136644512  deadeasyapps.appbuzzinga.com  2017-May-12 05:00 CEST  2017-Aug-10 05:00 CEST  76 days     deadeasyapps.appbuzzinga.com
136042054  deadeasyapps.appbuzzinga.com  2017-May-11 05:00 CEST  2017-Aug-09 05:00 CEST  75 days     deadeasyapps.appbuzzinga.com
135384212  deadeasyapps.appbuzzinga.com  2017-May-10 05:00 CEST  2017-Aug-08 05:00 CEST  74 days     deadeasyapps.appbuzzinga.com
134866488  deadeasyapps.appbuzzinga.com  2017-May-09 05:00 CEST  2017-Aug-07 05:00 CEST  73 days     deadeasyapps.appbuzzinga.com
133957819  deadeasyapps.appbuzzinga.com  2017-May-07 05:00 CEST  2017-Aug-05 05:00 CEST  71 days     deadeasyapps.appbuzzinga.com
133535557  deadeasyapps.appbuzzinga.com  2017-May-06 05:00 CEST  2017-Aug-04 05:00 CEST  70 days     deadeasyapps.appbuzzinga.com
133086350  deadeasyapps.appbuzzinga.com  2017-May-05 05:00 CEST  2017-Aug-03 05:00 CEST  69 days     deadeasyapps.appbuzzinga.com
132688079  deadeasyapps.appbuzzinga.com  2017-May-04 05:00 CEST  2017-Aug-02 05:00 CEST  68 days     deadeasyapps.appbuzzinga.com
132276335  deadeasyapps.appbuzzinga.com  2017-May-03 05:00 CEST  2017-Aug-01 05:00 CEST  67 days     deadeasyapps.appbuzzinga.com
131787771  deadeasyapps.appbuzzinga.com  2017-May-02 05:00 CEST  2017-Jul-31 05:00 CEST  66 days     deadeasyapps.appbuzzinga.com
130916419  deadeasyapps.appbuzzinga.com  2017-Apr-30 05:00 CEST  2017-Jul-29 05:00 CEST  64 days     deadeasyapps.appbuzzinga.com
130554901  deadeasyapps.appbuzzinga.com  2017-Apr-29 05:00 CEST  2017-Jul-28 05:00 CEST  63 days     deadeasyapps.appbuzzinga.com
130144817  deadeasyapps.appbuzzinga.com  2017-Apr-28 05:00 CEST  2017-Jul-27 05:00 CEST  62 days     deadeasyapps.appbuzzinga.com
129655651  deadeasyapps.appbuzzinga.com  2017-Apr-27 05:00 CEST  2017-Jul-26 05:00 CEST  61 days     deadeasyapps.appbuzzinga.com
129077003  deadeasyapps.appbuzzinga.com  2017-Apr-26 05:00 CEST  2017-Jul-25 05:00 CEST  60 days     deadeasyapps.appbuzzinga.com
128370257  deadeasyapps.appbuzzinga.com  2017-Apr-25 05:00 CEST  2017-Jul-24 05:00 CEST  59 days     deadeasyapps.appbuzzinga.com
126665921  deadeasyapps.appbuzzinga.com  2017-Apr-23 05:00 CEST  2017-Jul-22 05:00 CEST  57 days     deadeasyapps.appbuzzinga.com
125833429  deadeasyapps.appbuzzinga.com  2017-Apr-22 05:00 CEST  2017-Jul-21 05:00 CEST  56 days     deadeasyapps.appbuzzinga.com
124916592  deadeasyapps.appbuzzinga.com  2017-Apr-21 05:00 CEST  2017-Jul-20 05:00 CEST  55 days     deadeasyapps.appbuzzinga.com
124177034  deadeasyapps.appbuzzinga.com  2017-Apr-20 05:00 CEST  2017-Jul-19 05:00 CEST  54 days     deadeasyapps.appbuzzinga.com
123330498  deadeasyapps.appbuzzinga.com  2017-Apr-19 05:00 CEST  2017-Jul-18 05:00 CEST  53 days     deadeasyapps.appbuzzinga.com
122482341  deadeasyapps.appbuzzinga.com  2017-Apr-18 05:00 CEST  2017-Jul-17 05:00 CEST  52 days     deadeasyapps.appbuzzinga.com
104350239  appbuzzinga.com               2017-Mar-16 04:00 CET   2017-Jun-14 05:00 CEST  19 days     appbuzzinga.com
                                                                                                     www.appbuzzinga.com

And yes, you have reache the limit of 5 certs using the same subset of domains. Maybe you should contact to Plesk support team.

Good luck,
sahsanu

Thanks much for the reply. What tool did you use to get that list?

According to our work logs, nothing was done on that day, or the day before or the day after. The last changes/work done to server were April 14. Minor changes to php.ini We did do some updates to wordpress the beginning of May. So I am at a loss as well.

I admit I have a hard time following that “limit” of “5 certs using the same subset of domains” - why would renewing the SAME cert cause an error. How could that qualify as a new cert?

We also plan to add about 100 subdomains to appbuzzinga this summer. Does that mean 95 can’t use SSL?

Please excuse my ignorance, but certs are not my forte’ :slight_smile:
Sid B.

Each renewal is a new certificate, and if you actively renew 5 times, there will have been 5 identical certificate issuances.

Could be a problem, depending on your issuance strategy. I would suggest looking over

If you don't understand something there, please feel free to ask questions here and we can try to help explain.

If they're all subdomains under the same domain, that can definitely be a problem if you are going to add (or remove) them gradually and re-issue certificates periodically. If they're all completely separate domains, you're unlikely to run into rate limits quickly.

Most of the rate limits are related to certificate issuance events (which are related to HSM signing events which are actually the scarce resource), so if you can find a strategy that minimizes the frequency of certificate issuance events, you're likely to be on safer rate-limit ground. But it's good to look through the whole document to understand what all of the rate limit policies are.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.