Continuous Renewal


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.avianrefuge.org

I ran this command: certbot renew

It produced this output: too many certificates issued

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Ubuntu Server 18.04.1 LTS

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin and SSH. Mostly shell for configuration.


#2

You seem to be forcing a renewal every day:
https://crt.sh/?q=www.avianrefuge.org

Please show how you scheduled the renewal of your certs. A cron job?


#3

Hi @Mouton

this

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.avianrefuge.org&lu=cert_search

looks terrible.

One certificate is valid for 90 days. So please create one certificate. Then use it for 60 to 85 days.

Then create the next certificate.

But not a new certificate every day.


#4

And yet the cert in use expired a month ago:
Sun, 04 Nov 2018 12:41:15 UTC (expired 1 month and 12 days ago) EXPIRED

The webmin (or whoever/whatever updates the certs) is broken.
Stuck in a loop:
begin loop:

  • Cert is old - get a new one. (+1 more cert)
  • Fail to update… :frowning:

loop (de loop)


#5

Yes, there’s a cron job. I’ve disabled it as of today. Pretty sure that I didn’t create the job, but I honestly can’t remember. Maybe I did. Anyway, I have 4 other certs that are renewing properly. Just this one that seems to be stuck in a renewal loop (gets the cert, fails to apply it to live, repeat ad infinitum)


#6

So at this point, I’ve disabled the cron job and deleted the cert from the /etc/letsencrypt dirs (live, archive, keys, etc). Getting a too many issued certs failure when I try to get a new cert for the URI.

Question is: how long do I have to wait before I can get a new cert?


#7

You can create 5 certificates with the same domain name set in 7 days.

This is a sliding window; the last certificates were created 2018-12-10 to 2018-12-13.

So you can start 2018-12-17.
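The arithmetic behind that answer, as an added worked example that is not part of the thread: the limit as stated above is 5 certificates for the identical set of names inside a sliding 7-day window, so the next issuance is allowed exactly 7 days after the oldest of the last 5 issuances. The issuance timestamps below are constructed (dates follow the thread, the times of day are assumptions) and represent what a daily cron loop would leave behind in the CT log; the functions compute whether an issuance would be refused right now and when it becomes possible again.

```python
from datetime import datetime, timedelta, timezone

# Duplicate-certificate limit as stated in the thread: at most 5 certificates
# with the identical name set per 7-day sliding window.
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)

# Constructed sample data (not real crt.sh output): the loop issued one
# certificate a day, twice on 2018-12-10. Times of day are assumptions.
ISSUED = [
    datetime(2018, 12, 10, 6, 0, tzinfo=timezone.utc),
    datetime(2018, 12, 10, 18, 0, tzinfo=timezone.utc),
    datetime(2018, 12, 11, 6, 0, tzinfo=timezone.utc),
    datetime(2018, 12, 12, 6, 0, tzinfo=timezone.utc),
    datetime(2018, 12, 13, 6, 0, tzinfo=timezone.utc),
]

# Assumed "current time" for the walk-through: the day after the last issuance.
CHECK_TIME = datetime(2018, 12, 14, 12, 0, tzinfo=timezone.utc)


def issued_in_window(issued, now):
    """Issuances that still count against the limit at instant `now`."""
    return [t for t in issued if now - WINDOW < t <= now]


def can_issue(issued, now):
    """True if one more certificate for this name set fits under the limit."""
    return len(issued_in_window(issued, now)) < DUPLICATE_LIMIT


def next_allowed(issued, now):
    """Earliest instant at which a new issuance no longer exceeds the limit.

    The window has to slide past the oldest of the issuances that make up
    the blocking count; once that one drops out, the count is LIMIT - 1.
    """
    recent = sorted(issued_in_window(issued, now))
    if len(recent) < DUPLICATE_LIMIT:
        return now
    oldest_blocking = recent[-DUPLICATE_LIMIT]
    return oldest_blocking + WINDOW


def main():
    print(f"issuances in window at {CHECK_TIME.isoformat()}: "
          f"{len(issued_in_window(ISSUED, CHECK_TIME))}")
    print(f"can issue now: {can_issue(ISSUED, CHECK_TIME)}")
    print(f"next allowed: {next_allowed(ISSUED, CHECK_TIME).isoformat()}")


if __name__ == "__main__":
    main()
```

With the sample data the result is 2018-12-17 06:00 UTC, which matches the "start 2018-12-17" above; deleting the lineage from /etc/letsencrypt does not shorten the wait, because the limit is enforced on the CA side from what was issued, not from what is still on disk.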


#8

Thanks, Juergen.

Kind regards,
Brian


#9

If you’re using Certbot and you renamed some things within /etc/letsencrypt, it could have gotten into an inconsistent state in which it was unable to notice updates. This is particularly common if you try to change the name of a directory in /etc/letsencrypt/live; in that case, every time you run certbot renew, a renewal will be attempted but not be recognized by future Certbot runs as having been successful (because the renewed certificate is saved into an unexpected place). This is a reason that one certificate might behave differently from another certificate for this purpose.

We do recommend running certbot renew at least once per day—but not changing the names or structure of items within /etc/letsencrypt! There are README files there to attempt to warn against this; maybe we need to make more of them.
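A check for the inconsistency described above, as an added example that is not Certbot's own code: each /etc/letsencrypt/renewal/NAME.conf carries an archive_dir line plus cert, privkey, chain and fullchain paths into /etc/letsencrypt/live, and each live file is a symlink into the archive. If the live directory is renamed, the conf still names the old paths. The script parses that conf format (the top-level key = value lines before the [renewalparams] section) and verifies that every referenced live file exists, is a symlink, and resolves to a file inside archive_dir. The directory tree it inspects is constructed in a temporary directory so the example runs offline; the lineage names and the "one renamed directory" scenario are assumptions.

```python
import os
import tempfile
from pathlib import Path

LIVE_FILES = ("cert", "privkey", "chain", "fullchain")


def parse_renewal_conf(text):
    """Collect the top-level `key = value` lines of a certbot renewal .conf.

    Everything from the first [section] header on belongs to renewal options
    and is irrelevant for the path check, so parsing stops there.
    """
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            break
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values


def check_lineage(conf_text):
    """Return a list of problems; an empty list means live/, archive/ and the conf agree."""
    conf = parse_renewal_conf(conf_text)
    archive = conf.get("archive_dir")
    if not archive:
        return ["archive_dir missing from renewal conf"]
    problems = []
    if not os.path.isdir(archive):
        problems.append(f"archive_dir does not exist: {archive}")
    for key in LIVE_FILES:
        path = conf.get(key)
        if not path:
            problems.append(f"{key} missing from renewal conf")
            continue
        if not os.path.islink(path):
            # A renamed live/ directory shows up here: the conf path is gone.
            problems.append(f"{key} is not a symlink (or does not exist): {path}")
            continue
        target = os.path.realpath(path)
        if not os.path.isfile(target):
            problems.append(f"{key} symlink is dangling: {path} -> {os.readlink(path)}")
        elif os.path.dirname(target) != os.path.realpath(archive):
            problems.append(f"{key} does not point into archive_dir: {target}")
    return problems


def make_lineage(root, live_name, archive_name):
    """Constructed stand-in for what certbot lays out: archive files plus live symlinks."""
    archive = root / "archive" / archive_name
    live = root / "live" / live_name
    archive.mkdir(parents=True)
    live.mkdir(parents=True)
    for key in LIVE_FILES:
        (archive / f"{key}1.pem").write_text(f"dummy {key}\n")
        os.symlink(f"../../archive/{archive_name}/{key}1.pem", live / f"{key}.pem")


def renewal_conf(root, live_name, archive_name):
    """Minimal renewal conf in certbot's format pointing at the given lineage."""
    lines = [f"archive_dir = {root / 'archive' / archive_name}"]
    lines += [f"{key} = {root / 'live' / live_name / (key + '.pem')}" for key in LIVE_FILES]
    lines += ["", "[renewalparams]", "authenticator = apache"]
    return "\n".join(lines) + "\n"


def demo():
    """Build one healthy and one hand-renamed lineage and check both."""
    root = Path(tempfile.mkdtemp(prefix="letsencrypt-demo-"))
    make_lineage(root, "good.example", "good.example")
    good_conf = renewal_conf(root, "good.example", "good.example")
    # The mistake from the thread: live/old.example was renamed by hand,
    # while the renewal conf still references live/old.example/*.pem.
    make_lineage(root, "old.example", "old.example")
    os.rename(root / "live" / "old.example", root / "live" / "renamed.example")
    bad_conf = renewal_conf(root, "old.example", "old.example")
    return check_lineage(good_conf), check_lineage(bad_conf)


if __name__ == "__main__":
    good, bad = demo()
    print("healthy lineage problems:", good)
    print("renamed lineage problems:", *bad, sep="\n  ")
```

On a real host the same check would be run over each file in /etc/letsencrypt/renewal/ (as root, since the private keys and their directories are not world-readable). A lineage that reports problems here is the one to repair before re-enabling the daily job, otherwise every run attempts a fresh issuance and burns through the duplicate-certificate limit.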


#10

Thanks for the RCA! I vaguely remember changing a directory name in the live subdir at some point in the past, in an effort to harmonize with the others. I thought that I had changed all of the file references in the renewal config to match, but likely I missed something somewhere. In any case, the daily renewal check cron job was the upstream culprit, so when I disabled that, I was able to manually run certbot certonly w/o issues. License acquired & applied.

Thanks again to all for your kind assistance!

–Brian


#11

Sure thing! We would still recommend having a daily cron job, if possible. It doesn’t renew certificates unless they’re less than 30 days from expiry, although if the structure of /etc/letsencrypt/live is altered, it might not notice that previous renewals already succeeded.