Domain Rate Limited, Constant requests

My domain is:

https://crt.sh/?q=martinarnold.co.uk

We've never had any issues applying Let's Encrypt before, however with this domain name it appears that a certificate is being requested twice a day? And so it's impossible for us to apply LE, as it's constantly being rate limited - does anyone know why this might be? Currently hosting with Siteground Cloud, with SG Tools - they don't seem very helpful on the subject...

Hi @squire2k and welcome to the LE community forum :slight_smile:

My first guess is the use of --force-renewal within a renewal script.

A new certificate is only being requested once a day - but it is being requested (and usually issued) once a day.

In order to adhere to the "Certificate Transparency" requirements, every Certificate will first process a "pre-certificate" and submit that to the transparency logs; a reference to that will then be embedded in the certificate itself.

If you click on two results for your certificates on the same day, you'll see the earlier certificate is labeled as a "pre-certificate" and, moments later, the next certificate is labeled as a "certificate".

That being said, look to see if @rg305's guess appears in your renewal scripts, cron tabs, or job runners.

it's actually "leaf certificate"

Thanks for your help so far, really appreciate it. I have spoken to the current host and they have said that --force-renewal would only work if the certificate has already been issued.

Is there a possibility that these requests could be being made from the previous server that was hosting the site? Even if the domain name is no longer pointing there?

I take it you can’t get the IP address of the server that has made the request?

It would still work, but just not do anything special.

Absolutely possible, but it would require satisfying an HTTP-01 or DNS-01 challenge to have a certificate issued. Under those circumstances, the former is unlikely while the latter would require some type of credentials and process to create DNS TXT records from the old server. I suggest checking your certificate dates on the current server. If they are changing in step with those found on https://crt.sh/?q=martinarnold.co.uk, the old server isn't the culprit.
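
As an added example (not code from the thread), the checks the two replies above describe: collapse crt.sh rows to one issuance per serial so a pre-certificate and its leaf are not counted as two certificates, see how many certificates were issued per day, compare that with Let's Encrypt's duplicate-certificate limit (5 per week for the exact same set of names), and test whether the serial the live server presents appears in the crt.sh history at all. It assumes crt.sh's JSON output (https://crt.sh/?q=<name>&output=json) carries the fields id, serial_number, name_value, not_before, not_after and entry_timestamp, and that a pre-certificate shares its serial with the leaf. The rows below are constructed, not real crt.sh data for this domain.

```python
"""Read crt.sh-style rows for a hostname and answer two questions from the
thread: is a certificate really being issued every day, and is the live
server the one doing it?

Added example. Assumes crt.sh's JSON output (https://crt.sh/?q=<name>&output=json)
with the fields id, serial_number, name_value, not_before, not_after and
entry_timestamp, and that a pre-certificate and its leaf share one serial.
The sample rows are constructed, not real crt.sh data.
"""
from collections import Counter
from datetime import date, datetime, timedelta

# Let's Encrypt "duplicate certificate" limit: 5 per week for the exact same
# set of hostnames (assumption: the published value at time of writing).
DUPLICATE_LIMIT = 5
DUPLICATE_WINDOW = timedelta(days=7)
NAMES = "martinarnold.co.uk\nwww.martinarnold.co.uk"  # crt.sh joins SANs with \n


def _ct_rows(serial: str, day: date) -> list[dict]:
    """Two constructed crt.sh rows for one issuance: the pre-certificate is
    logged first, the leaf a minute later, both with the same serial."""
    issued = datetime(day.year, day.month, day.day, 2, 12)
    return [
        {
            "id": int(serial, 16) * 10 + n,
            "serial_number": serial,
            "name_value": NAMES,
            "not_before": issued.isoformat(),
            "not_after": (issued + timedelta(days=90)).isoformat(),
            "entry_timestamp": (issued + timedelta(minutes=n)).isoformat(),
        }
        for n in (0, 1)
    ]


# Five days of daily renewals plus one older certificate (constructed).
SAMPLE_ROWS = [
    row
    for i in range(5)
    for row in _ct_rows(f"03a{i + 1:x}", date(2022, 5, 1) + timedelta(days=i))
] + _ct_rows("0399", date(2022, 3, 1))


def issuances(rows: list[dict]) -> dict[str, dict]:
    """Collapse CT rows to one entry per serial: a pre-cert/leaf pair is one
    certificate, not two, so this is what counts against rate limits."""
    by_serial: dict[str, dict] = {}
    for row in rows:
        entry = by_serial.setdefault(row["serial_number"], {
            "names": frozenset(row["name_value"].split("\n")),
            "not_before": datetime.fromisoformat(row["not_before"]),
            "ct_rows": 0,
        })
        entry["ct_rows"] += 1
    return by_serial


def per_day(by_serial: dict[str, dict]) -> Counter:
    """Distinct certificates issued per calendar day."""
    return Counter(e["not_before"].date() for e in by_serial.values())


def next_request_rate_limited(by_serial, names, limit=DUPLICATE_LIMIT,
                              window=DUPLICATE_WINDOW) -> bool:
    """True when `limit` certs for exactly `names` already fall inside one
    sliding window, i.e. the next request for that name set will be refused."""
    times = sorted(e["not_before"] for e in by_serial.values() if e["names"] == names)
    for start, t0 in enumerate(times):
        in_window = sum(1 for t in times[start:] if t - t0 < window)
        if in_window >= limit:
            return True
    return False


def _norm_serial(s: str) -> str:
    # openssl prints "serial=03A3"; crt.sh stores "03a3". Compare loosely.
    return s.lower().replace(":", "").lstrip("0")


def served_cert_in_history(by_serial, served_serial: str) -> bool:
    """If the serial the live server presents is one of the crt.sh issuances,
    that server (or its ACME client) is the source of the daily renewals. If
    not, the requests come from somewhere else: an old host, or DNS-01
    automation talking to the DNS provider."""
    return _norm_serial(served_serial) in {_norm_serial(s) for s in by_serial}


if __name__ == "__main__":
    history = issuances(SAMPLE_ROWS)
    print(f"{len(SAMPLE_ROWS)} CT rows -> {len(history)} certificates")
    for day, n in sorted(per_day(history).items()):
        print(f"  {day}: {n} issued")
    print("next request rate limited:",
          next_request_rate_limited(history, frozenset(NAMES.split("\n"))))
    # Serial as `openssl s_client ... | openssl x509 -noout -serial` prints it
    print("live server's cert in history:", served_cert_in_history(history, "03A3"))
```

For a real domain, fetch the JSON from crt.sh and pass the decoded list to `issuances`; the serial of the certificate the live server presents comes from `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -serial`. A serial that is absent from the history, while the history keeps growing daily, is the signal that some other client is requesting the certificates.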

That would only be able to work if the previous host was issuing certs via DNS-01 challenge.
[HTTP-01 challenges would fail once the IP was changed]
Was that the case?

Thanks - and sorry for noob questions.

How would I be able to tell? I’ve done a TXT lookup on _acme-challenge.martinarnold.co.uk and can’t see any records in place.

I think maybe tomorrow I’ll see if I can escalate this with the current host (SiteGround) to see if they can do some more digging. I’ve SSH’d onto the server and certbot commands don’t even work, and can’t see any scheduled tasks running, so I’m guessing they handle things differently.

That could just be a sign that the TXT records are being added and removed properly.

They could be using some type of panel or other UI (or possibly just a different ACME client).

@squire2k Sorry if I am missing something but your current server is not sending a Let's Encrypt cert - it is one from Sectigo expiring in 390 days:
https://decoder.link/sslchecker/martinarnold.co.uk/443

I see your frequent Let's Encrypt history at crt.sh. Just noting you are not using them. If nothing else, this eliminates the speed at which you need to resolve this :slight_smile:

Yes that’s one I purchased just to get https onto the site when LetsEncrypt was failing… but I really want LE on there so I don’t have the faff and cost of renewing it every year.

I’ve just noticed that their name servers are with Cloudflare… I’m betting that something has been set up on there to renew it every day via DNS challenge… (or the old server is using the Cloudflare API to generate these requests)

Change the key/password.
[lock them out of Cloudflare]