Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output: too many certificates issued
My web server is (include version): Apache 2.4.29
The operating system my web server runs on is (include version): Ubuntu Server 18.04.1 LTS
My hosting provider, if applicable, is: n/a
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin and SSH. Mostly shell for configuration.
Yes, there’s a cron job. I’ve disabled it as of today. Pretty sure that I didn’t create the job, but I honestly can’t remember. Maybe I did. Anyway, I have 4 other certs that are renewing properly. Just this one that seems to be stuck in a renewal loop (gets the cert, fails to apply it to live, repeat ad infinitum)
So at this point, I’ve disabled the cron job and deleted the cert from the /etc/letsencrypt dirs (live, archive, keys, etc). Getting a too many issued certs failure when I try to get a new cert for the URI.
Question is: how long do I have to wait before I can get a new cert?
If you’re using Certbot and you renamed some things within /etc/letsencrypt, it could have gotten into an inconsistent state in which it was unable to notice updates. This is particularly common if you try to change the name of a directory in /etc/letsencrypt/live; in that case, every time you run certbot renew, a renewal will be attempted but not be recognized by future Certbot runs as having been successful (because the renewed certificate is saved into an unexpected place). This is a reason that one certificate might behave differently from another certificate for this purpose.
We do recommend running certbot renew at least once per day—but not changing the names or structure of items within /etc/letsencrypt! There are README files there to attempt to warn against this; maybe we need to make more of them.
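As an added example (not part of the original thread and not Certbot's own code), here is a read-only check for the inconsistency described above. It assumes Certbot's standard layout: `renewal/<name>.conf` files with `archive_dir`, `cert`, `privkey`, `chain` and `fullchain` entries, and `live/` symlinks that point into `archive/`. The function names `read_renewal_conf` and `check_lineages` are made up for this example.

```python
import os
import re
import sys

KEYS = ("cert", "privkey", "chain", "fullchain")  # per-lineage symlinks

def read_renewal_conf(path):
    """Return the top-level key = value pairs of a renewal .conf file."""
    values = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("["):  # [renewalparams] etc.: paths are above
                break
            m = re.match(r"^(\w+)\s*=\s*(.+)$", line)  # skips '#' comments
            if m:
                values[m.group(1)] = m.group(2).strip()
    return values

def check_lineages(config_dir="/etc/letsencrypt"):
    """Return (lineage, problem) tuples; an empty list means consistent."""
    problems = []
    renewal_dir = os.path.join(config_dir, "renewal")
    for name in sorted(os.listdir(renewal_dir)):
        if not name.endswith(".conf"):
            continue
        lineage = name[:-len(".conf")]
        conf = read_renewal_conf(os.path.join(renewal_dir, name))
        archive = conf.get("archive_dir")
        if not archive or not os.path.isdir(archive):
            problems.append((lineage, f"archive_dir missing: {archive}"))
            continue
        for key in KEYS:
            link = conf.get(key)
            if not link or not os.path.islink(link):  # renamed live/ dir lands here
                problems.append((lineage, f"{key} is not a symlink: {link}"))
                continue
            target = os.path.realpath(link)
            if os.path.dirname(target) != os.path.realpath(archive):
                problems.append((lineage, f"{key} points outside archive_dir: {target}"))
            elif not os.path.exists(target):
                problems.append((lineage, f"{key} target does not exist: {target}"))
    return problems

if __name__ == "__main__":
    found = check_lineages(sys.argv[1] if len(sys.argv) > 1 else "/etc/letsencrypt")
    for lineage, problem in found:
        print(f"{lineage}: {problem}")
    sys.exit(1 if found else 0)
```

Run it as root, since `/etc/letsencrypt` is normally not world-readable. A non-zero exit status means at least one lineage has paths that no longer line up.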
Thanks for the RCA! I vaguely remember changing a directory name in the live subdir at some point in the past, in an effort to harmonize with the others. I thought that I had changed all of the file references in the renewal config to match, but likely I missed something somewhere. In any case, the daily renewal check cron job was the upstream culprit, so when I disabled that, I was able to manually run certbot certonly w/o issues. License acquired & applied.
Sure thing! We would still recommend having a daily cron job, if possible. It doesn’t renew certificates unless they’re less than 30 days from expiry, although if the structure of /etc/letsencrypt/live is altered, it might not notice that previous renewals already succeeded.