Can a certificate for a given hostname only be issued once in a lifetime?

I previously added a DDNS hostname successfully on xxx.synology.me, and at the same time got a certificate from Let's Encrypt when I added the hostname. Then, for some reason, I wanted to reset the system, so I deleted the DDNS and the certificate. When I tried to re-add the DDNS using the same hostname, xxx.synology.me, I also checked the box for generating a certificate from Let's Encrypt. This time, there was an error saying "unable to create certificate please create certificate manually in control panel..."

I'm wondering, can the same hostname only be issued a certificate once in a lifetime? Since I already generated the certificate, even though I deleted it from the NAS, will I be unable to get a new certificate, or is there a waiting period, so that I should wait a certain time and then try again?

I checked on crt.sh and, strangely, there are 10 records for xxx.synology.me that I added from my NAS. Not sure if this triggers some limits?

[As a test, I changed the hostname to aaa.synology.me, and this allowed me to get a new certificate]

You can get another certificate for the exact same hostname several times, up to 5 times in one week: Rate Limits - Let's Encrypt. It seems more like your certificate is renewing OK but it's failing to apply due to some bug in the Synology software?

Another important thing is that by default only 50 certificates from .synology.me would be allowed in one week, but I'm guessing they have a higher rate limit set already.

4 Likes

Thank you, but why, when I check crt.sh, do I find 10 records rather than 5? It's not renewing; I purchased a new Synology NAS, was trying to set up DDNS, and added and deleted it many times without knowing there could be issues...

1 Like

Because you see the "Pre Cert" and the final "Leaf" for each one. Use the Advanced Features and select DeDuplicate so you only see one of them (easier to see history).

3 Likes

You'd have to share your domain name, as requested on the form, to get an answer.

A likely answer is that all Certificate Authorities now generate pre-certificates and publish them to Certificate Transparency logs as a requirement for generating a certificate, so there are always two entries in crt.sh for every certificate.

2 Likes

I see!!! Yes, now I see I have 5 records in a day (yesterday). Referring to the answer that @webprofusion provided, I have to wait for a week, right?

It is a rolling 7-day limit (actually, 168 hours). So it depends on exactly when you issued them. The Rate Limit link in his post has more details.

4 Likes
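The two points made in the replies above (each certificate shows up twice in crt.sh, and the limit is 5 per rolling 168 hours) can be combined into a small calculation. This is an added example, not part of the original thread and not Let's Encrypt or Synology code; the rows are constructed, their field names are assumed to follow crt.sh's JSON output, and `not_before` is used as an approximation of the issuance time.

```python
from datetime import datetime, timedelta

LIMIT = 5                      # certificates per hostname per window (figure from the thread)
WINDOW = timedelta(hours=168)  # rolling 7-day window (figure from the thread)

# Constructed sample: five issuances in one day, each logged twice
# (precertificate and final leaf share one serial number).
SAMPLE_ROWS = [
    {"name_value": "xxx.synology.me",
     "serial_number": f"{i:04x}",            # constructed serials
     "not_before": f"2023-05-01T{8 + i:02d}:00:00"}
    for i in range(5)
    for _entry in ("precertificate", "leaf")
]


def issuance_times(rows):
    """Collapse precert/leaf pairs (same serial) into one timestamp per certificate."""
    by_serial = {}
    for row in rows:
        ts = datetime.fromisoformat(row["not_before"])
        serial = row["serial_number"]
        by_serial[serial] = min(ts, by_serial.get(serial, ts))
    return sorted(by_serial.values())


def next_allowed(times, now):
    """Return `now` if a slot is free, else the moment the oldest counted slot expires."""
    recent = [t for t in sorted(times) if now - t < WINDOW]
    if len(recent) < LIMIT:
        return now
    # A slot frees up when the LIMIT-th most recent issuance leaves the window.
    return recent[-LIMIT] + WINDOW


if __name__ == "__main__":
    now = datetime(2023, 5, 2, 9, 0)  # constructed "current time"
    times = issuance_times(SAMPLE_ROWS)
    print(f"{len(SAMPLE_ROWS)} crt.sh rows -> {len(times)} certificates")
    print("next issuance possible at", next_allowed(times, now))
```
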

@ericc, if you are still testing, please use the staging environment [not production].

3 Likes
