Changing from wildcard cert to simple cert triggers rate limit failure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

100s of domains failing. https://DavidFavor.com is 1x example.

I ran this command:

/snap/bin/certbot certonly --no-self-upgrade --non-interactive --rsa-key-size 4096 --email david@davidfavor.com --agree-tos --webroot -w /sites/david-favor/davidfavor.com/htdocs -d davidfavor.com -d www.davidfavor.com

It produced this output:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: davidfavor.com,www.davidfavor.com: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version):

lxd: net13-david-favor # apachectl -V | head
Server version: Apache/2.4.46 (Ubuntu)
Server built: 2020-08-10T12:32:13
Server's Module Magic Number: 20120211:93
Server loaded: APR 1.7.0, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture: 64-bit
Server MPM: event
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....

The operating system my web server runs on is (include version):

lxd: net13-david-favor # lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.1 LTS
Release: 20.04
Codename: focal

My hosting provider, if applicable, is:

OVH dedicated machines.

I can login to a root shell on my machine (yes or no, or I don't know):

Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

lxd: net13-david-favor # snap list certbot
Name Version Rev Tracking Publisher Notes

lxd: net13-david-favor # certbot --version

certbot 1.11.0

Note: I require a workaround, because moving from APT certbot to SNAP certbot causes all wildcard domain renewals to fail (I'll debug this later under another ticket).

So I'm trying to fall back to simple certs.

Unfortunately I made the horrible mistake of doing an apt-get purge certbot, which destroyed all /etc/letsencrypt files.

So now I have only a few days to change all certs before many sites start dying.

I'm command-line savvy, so anyone with a workaround, let me know how to generate simple certs... else I'm in deep trouble in a few days.

Many thanks.

Please show the output of:
certbot certificates

Hi @davidfavor,

How did this (issuing five certificates for these names) happen? Where did those other certificates go?

Did you run certbot renew --force-renewal four times right before your apt-get purge certbot or something?

The error message that you're seeing is from the Let's Encrypt CA, not generated by Certbot itself (Certbot is just reporting it). It refers to a CA-wide policy on duplicate certificate issuance:

So, there is no Certbot option to override this or anything.

The two workarounds that I see are:

  • Reorganize your certificates so that the names you're requesting on each certificate are no longer exactly the same as prior certificates (e.g. combining or splitting existing certificates so that their name coverage is different from old certificates, or adding an additional subdomain to each)

  • Use a different ACME CA, like ZeroSSL or BuyPass

As mentioned above, the entire /etc/letsencrypt directory structure is destroyed during an apt-get purge, so there are 0 certs... on the machine where wildcard certs were being generated.

lxd: net14-dns-ns11-focal # certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No certificates found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

After waiting 12h with no cert generation attempts, in the container where the site actually lives...

Listing certs shows many certs, none related to any host with a problem... so...

lxd: net13-david-favor # certbot certificates 2>&1 | paragrep davidfavor.com
lxd: net13-david-favor # 

As mentioned above, this occurs for any domain (I have many with the exact same problem): once a wildcard exists, attempting to create a simple cert fails with the above rate limit error.

You're correct about this being a LetsEncrypt CA problem.

What I'm asking is any way to fix this.

If there's another place to open a ticket against the LetsEncrypt CA, let me know.

Do you save the certificate outside of the container? Or, will the data inside the container be scratched at container restart?

Hi @davidfavor

I don't see a Letsencrypt problem.

First, you have created 5 identical certificates - https://check-your-website.server-daten.de/?q=davidfavor.com#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
| --- | --- | --- | --- | --- | --- |
| R3 | 2021-01-19 | 2021-04-19 | davidfavor.com, www.davidfavor.com | 2 entries | duplicate nr. 5 |
| R3 | 2021-01-19 | 2021-04-19 | davidfavor.com, www.davidfavor.com | 2 entries | duplicate nr. 4 |
| R3 | 2021-01-19 | 2021-04-19 | davidfavor.com, www.davidfavor.com | 2 entries | duplicate nr. 3 |
| R3 | 2021-01-19 | 2021-04-19 | davidfavor.com, www.davidfavor.com | 2 entries | duplicate nr. 2 |
| R3 | 2021-01-19 | 2021-04-19 | davidfavor.com, www.davidfavor.com | 2 entries | duplicate nr. 1 |
| Let's Encrypt Authority X3 | 2020-10-31 | 2021-01-29 | davidfavor.com, www.davidfavor.com | 2 entries | |
| Let's Encrypt Authority X3 | 2020-10-31 | 2021-01-29 | *.davidfavor.com, davidfavor.com | 2 entries | |

So you have hit the limit; that's a waste of resources.

Second: If you have deleted these certificates locally, it's a local problem (maybe a problem switching from one installation method to another).

Third: One of your name servers is buggy; net11.wpfastsites.com doesn't answer. Maybe that's the reason you can't create a wildcard.


When did this happen? Before or after you issued the five non-wildcard certificates?

