Create EC and RSA certificate


#1

I’m using acme4j to create two certificates (EC+RSA) for the same site (*.now4real.com).

I read this post (Effect on rate limits when obtaining dual RSA and ECC certificates); my current code is something like:

  1. Create a new order for *.now4real.com and validate it
  2. Validate a new EC certificate
  3. Create a new order for *.now4real.com and validate it
  4. Validate a new RSA certificate

Unfortunately for the RSA certificate (step 4) I get the error:

2018-10-29T08:41:13.551491Z generateECKeyPair now4real.com
2018-10-29T08:41:14.554466Z generateRSAKeyPair now4real.com
Exception in thread "main" org.shredzone.acme4j.exception.AcmeRateLimitedException: Error finalizing order :: too many certificates already issued for exact set of domains: *.now4real.com: see https://letsencrypt.org/docs/rate-limits/
	at org.shredzone.acme4j.connector.DefaultConnection.throwAcmeException(DefaultConnection.java:447)
	at org.shredzone.acme4j.connector.DefaultConnection.performRequest(DefaultConnection.java:375)
	at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:183)
	at org.shredzone.acme4j.connector.DefaultConnection.sendSignedRequest(DefaultConnection.java:162)
	at org.shredzone.acme4j.Order.execute(Order.java:152)

Today is Monday, so I should be able to generate up to 5 certificates for the same hostname, but I only get the first certificate.

How can I fix this issue?

Thank you.

My domain is: now4real.com

I ran this command: see last line of the above log

It produced this output: see above log

My web server is (include version): Lightstreamer 7.0.2

The operating system my web server runs on is (include version): openjdk 8 in docker

My hosting provider, if applicable, is: not applicable

I can login to a root shell on my machine (yes or no, or I don’t know): yes, I can log into the Docker container

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @vasco-lightstreamer

you have 54 active certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=p:bm93NHJlYWwuY29tOmZhbHNlOnRydWU6OkVBRT0&cert_search=include_expired:false;include_subdomains:true;domain:now4real.com&lu=cert_search_cert

At least 10 were created last week and today. Why do you create new certificates weekly?

Create two certificates, one EC, one RSA, then use them for 60 - 85 days, then create the next two certificates.

But not 5 weekly.


#3

Of those 54 active certificates:

6 of those were created on 10/22, 1 was created today.

Let’s Encrypt’s rate limits are not based on a calendar week but on a 7-day sliding window, which means you could create another 4 certificates on the 8th day after 10/22 (which is 10/30).

Thank you


#4

Google doesn’t show the difference between a “pre-certificate” and a “leaf certificate”. I run dual certificates ECC+RSA in Apache, which will show up as 4 certificates in the transparency logs. LE will submit the same certificate to the logs twice; the other one is signed. So his actual count is less, but still over the limit.
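
The two points made in #3 and #4 (the limit is a 7-day sliding window, and CT search results count each issuance twice because the precertificate and the final certificate are both logged) can be checked locally before placing an order. The following is an added example, not code from the thread, from acme4j or from Let’s Encrypt. It works on a constructed, simplified list of CT entries (timestamp, SAN set, precert flag); real CT search output has more fields, and a real implementation would pair precertificate and leaf by serial number rather than by notBefore plus SAN set. The sample data below is constructed and does not reproduce the exact counts discussed in the thread; the "5 per 7 days for an exact set of domains" limit is the one named in the error message in #1.

```python
"""Sliding-window check for Let's Encrypt's "exact set of domains" limit,
deduplicating CT precertificate/leaf pairs. Added example, not project code."""
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

WINDOW = timedelta(days=7)   # a sliding 7-day window, not a calendar week
EXACT_SET_LIMIT = 5           # duplicate-certificate limit per exact SAN set

# One CT search result reduced to what the check needs:
# (notBefore, SANs as a sorted tuple, True if the entry is a precertificate)
Entry = Tuple[datetime, Tuple[str, ...], bool]
Issuance = Tuple[datetime, Tuple[str, ...]]

# Constructed sample in a made-up 'notBefore|san1,san2|precert-or-cert' format.
# Four issuances on 10/22 and one on 10/29 for the wildcard set (10 CT entries),
# plus one issuance for a different exact set, which is counted separately.
SAMPLE_CT_ROWS = [
    "2018-10-22T09:00:00|*.now4real.com|precert",
    "2018-10-22T09:00:00|*.now4real.com|cert",
    "2018-10-22T09:05:00|*.now4real.com|precert",
    "2018-10-22T09:05:00|*.now4real.com|cert",
    "2018-10-22T09:10:00|*.now4real.com|precert",
    "2018-10-22T09:10:00|*.now4real.com|cert",
    "2018-10-22T09:15:00|*.now4real.com|precert",
    "2018-10-22T09:15:00|*.now4real.com|cert",
    "2018-10-29T08:40:00|*.now4real.com|precert",   # the EC cert that succeeded
    "2018-10-29T08:40:00|*.now4real.com|cert",
    "2018-10-28T12:00:00|now4real.com,www.now4real.com|precert",
    "2018-10-28T12:00:00|now4real.com,www.now4real.com|cert",
]


def parse_entries(rows: Iterable[str]) -> List[Entry]:
    """Parse the constructed row format; SANs are normalised and sorted so that
    the same set of names always compares equal regardless of order or case."""
    entries = []
    for row in rows:
        ts, sans, kind = row.strip().split("|")
        names = tuple(sorted(n.strip().lower() for n in sans.split(",")))
        entries.append((datetime.fromisoformat(ts), names, kind == "precert"))
    return entries


def deduplicate(entries: Iterable[Entry]) -> List[Issuance]:
    """Collapse a precertificate and its final certificate into one issuance.
    Both share notBefore and the SAN set, so that pair is used as the key here
    (assumption for the constructed data; real code should key on serial)."""
    seen = set()
    issuances = []
    for ts, names, _is_precert in entries:
        key = (ts, names)
        if key not in seen:
            seen.add(key)
            issuances.append(key)
    return issuances


def issued_in_window(issuances: Iterable[Issuance],
                     names: Tuple[str, ...], at: datetime) -> List[datetime]:
    """Issuance times for exactly `names` that still count at time `at`."""
    start = at - WINDOW
    return sorted(ts for ts, n in issuances if n == names and start < ts <= at)


def next_allowed(issuances: Iterable[Issuance], names: Tuple[str, ...],
                 at: datetime, limit: int = EXACT_SET_LIMIT) -> datetime:
    """Earliest time a new order for exactly `names` would not be rate limited:
    the window has to slide past enough old issuances to get under the limit."""
    recent = issued_in_window(issuances, names, at)
    if len(recent) < limit:
        return at
    return recent[len(recent) - limit] + WINDOW


def report(rows: Iterable[str], names: Tuple[str, ...], at_iso: str) -> dict:
    """Raw CT entry count versus real issuances in the window, plus the verdict."""
    at = datetime.fromisoformat(at_iso)
    entries = parse_entries(rows)
    issuances = deduplicate(entries)
    recent = issued_in_window(issuances, names, at)
    return {
        "ct_entries": sum(1 for _, n, _ in entries if n == names),
        "certificates_in_window": len(recent),
        "blocked": len(recent) >= EXACT_SET_LIMIT,
        "next_allowed": next_allowed(issuances, names, at).isoformat(),
    }


if __name__ == "__main__":
    # Same instant as the failing RSA order in the log above (constructed data).
    print(report(SAMPLE_CT_ROWS, ("*.now4real.com",), "2018-10-29T08:41:13"))
```

Run against the sample, the wildcard set shows 10 CT entries but only 5 real issuances in the window, which is exactly the limit, so the second order at 08:41 is refused; the earliest 10/22 issuance leaves the window at 09:00 on 10/29, and the other exact set (now4real.com + www) is unaffected. In practice the check belongs in the scheduler that decides when to fetch certificates at boot, not in the ACME client call itself.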


#5

Oh, this is new.

One of my own certificates:

2018-08… Google shows one entry.
2018-10… new - Google shows two entries.


#6

Thanks all for your answers.

Currently, neither does the Lightstreamer server support hot certificate replacement, nor does acme4j support certificate renewal.
Our servers are actively started (and stopped) on an elastic cloud stack; a server fetches the certificates at boot, but a server can operate only until certificate expiration due to the server/acme4j limitations. Seeing as our server manages thousands of active websocket connections, we have to provide a fresh certificate to it (to avoid massive reconnections, TLS handshakes, session recovery).

Really interesting; I missed it in the official documentation. I will update my scheduling according to this news.