Create EC and RSA certificate

vasco-lightstreamer · October 29, 2018, 1:57pm

I’m using acme4j to create two certificate (EC+RSA) for the same site (*.now4real.com).

I red this post (Effect on rate limits when obtaining dual RSA and ECC certificates), my current code is something like

Create a new order for *.now4real.com and validate it
Validate a new EC certificate
Create a new order for *.now4real.com and validate it
Validate a new RSA certificate

Unfortunately for the RSA certificate (step 4) I get the error:

2018-10-29T08:41:13.551491Z generateECKeyPair now4real.com
2018-10-29T08:41:14.554466Z generateRSAKeyPair now4real.com
Exception in thread "main" org.shredzone.acme4j.exception.AcmeRateLimitedException: Error finalizing order :: too many certificates already issued for exact set of domains: *.now4real.com: see https://letsencrypt.org/docs/rate-limits/
	at org.shredzone.acme4j.connector.DefaultConnection.throwAcmeException(DefaultConnection.java:447)
	at org.shredzone.acme4j.connector.DefaultConnection.performRequest(DefaultConnection.java:375)
	at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:183)
	at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:162)
	at org.shredzone.acme4j.Order.execute(Order.java:152)

Today is monday, so I should generate up to 5 certificate for the same hostname, but I get only the first certificate.

How I can fix this issue?

Thank you.

My domain is: now4real.com

I ran this command: see last line of the above log

It produced this output: see above log

My web server is (include version): Lightstreamer 7.0.2

The operating system my web server runs on is (include version): openjdk 8 in docker

My hosting provider, if applicable, is: not applicable

I can login to a root shell on my machine (yes or no, or I don’t know): yes, I can log into the docker

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

JuergenAuer · October 29, 2018, 2:50pm

Hi @vasco-lightstreamer

you have 54 active certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=p:bm93NHJlYWwuY29tOmZhbHNlOnRydWU6OkVBRT0&cert_search=include_expired:false;include_subdomains:true;domain:now4real.com&lu=cert_search_cert

min. 10 created last week and today. Why do you create weekly new certificates?

Create two certificates, one EC, one RSA, then use it 60 - 85 days, then create the next two certificates.

But not weekly 5.

stevenzhu · October 29, 2018, 2:57pm

Of those 54 active certificates:

6 of those are created on 10/22, 1 is created today.

Let’s Encrypt Rate limits is not based on week, but a 7 day shifting window, which means you could create another 4 certificates on the 8th day after 10/22 (which is 10/30)

Thank you

JuergenAuer · October 29, 2018, 8:56pm

Oh, this is new.

One own certificate:

2018-08... Google shows one entry.
2018-10... new - Google shows two entries.

vasco-lightstreamer · October 30, 2018, 7:46am

Thanks all for your answers.

Currently nor Lightstreamer server supports hot certificate replace, nor acme4j supports the certificate renewal.
Our server are actively started (and stopped) on elastic cloud stack, a server fetches the certificates at boot, but a server can operate well until certificate expiration due the server/acme4j limitations. Seeing as how our server manages thousand of websocket active connections, we have to provide a fresh certificate to it (to avoid massive reconnections, TLS handshake, session recovery).

Real interesting, I missed it in the official documentation, I update my scheduling according to this news.

system · November 29, 2018, 7:46am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.