Duplicate Certificate limit of 5 certificates per week

#1

Hello my friends!

I am working on Digital Ocean. I’m using NGINX Ubuntu 18.04.10

My domain is www.ifitfitsonline.com

Well, I checked my domain on Let’s Debug Let’s Encrypt and I got this:

ifitfitsonline.com is currently affected by Let’s Encrypt-based rate limits (https://letsencrypt.org/docs/rate-limits/). You may review certificates that have already been issued by visiting https://crt.sh/?q=%ifitfitsonline.com . Please note that it is not possible to ask for a rate limit to be manually cleared.

The Duplicate Certificate limit (5 certificates with the exact same set of domains per week) has been exceeded and is affecting the domain “ifitfitsonline.com”. The exact set of domains affected is: “ifitfitsonline.com,www.ifitfitsonline.com”. It may be possible to avoid this rate limit by issuing a certificate with an additional or different domain name.

What should I do? Do I need to wait some time? Can I revoke a certificate?

Is there any easier thing I should do?

Thanks,
Mat

#2

Do you need to issue more certificates? Why can’t you use the ones that already exist?

Revocation doesn’t affect the rate limits.

#3

Oh yeah. Of course I can use one of them… they all use the same domain… How can I do this?

About generating a new certificate, how does it work? Do I need to wait 1 week?

#4

I don’t understand. What are you working to achieve right now?

Did you create five certificates, delete them, and now you want to create a sixth?

Are you installing a cluster of six servers with different certificates?

To use a certificate, you need its private key. Do you have them?

#5

Well, all my certificates are there. I created all the certificates and I didn’t delete them. I was just doing some tests. Where can I check the private keys? I didn’t save them…

#6

What are you trying to do?

Where?


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I ran this command:

It produced this output:

My web server is (include version):

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

#7

Ok:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=www.ifitfitsonline.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I ran this command:

sudo certbot --nginx -d ifitfitsonline.com -d www.ifitfitsonline.com

It produced this output:

An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: ifitfitsonline.com,www.ifitfitsonline.com: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version):

nginx/1.15.5

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

As I reported, I ran Let’s Debug Let’s Encrypt:

The Duplicate Certificate limit (5 certificates with the exact same set of domains per week) has been exceeded and is affecting the domain “ifitfitsonline.com”. The exact set of domains affected is: “ifitfitsonline.com,www.ifitfitsonline.com”. It may be possible to avoid this rate limit by issuing a certificate with an additional or different domain name.

Where can I find the certificates I generated?

PS: If I don’t have access to my generated keys, what should I do? Do I have to wait for a week? What should I do?

Thanks

#8

Hi @mpgmateus

Check

certbot certificates

And check

If you want to test something, use --test-cert to use the test system. It has its own limits.

#9

Thanks for the contact @JuergenAuer

I got this output using certbot certificates:

No certs found.

What about now?

#10

Where did they go?

Did you delete /etc/letsencrypt/?

Did you create them on a different computer, or with a different ACME client?

#11

@mnordhoff Well, each certificate was generated from a different droplet. All these servers don’t exist anymore. So they are in “space”… What should we do? Thanks

#12

@JuergenAuer How does Let’s Encrypt count? Does the rate limit restart each Monday?

#13

No, 7 days after the first.

Output of https://check-your-website.server-daten.de/?q=ifitfitsonline.com

| CRT-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 1382902718 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-04-13 18:37:58 | 2019-07-12 18:37:58 | ifitfitsonline.com, www.ifitfitsonline.com | duplicate nr. 5 | next Letsencrypt certificate: 2019-04-15 21:41:51 |
| 1382561623 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-04-13 14:54:11 | 2019-07-12 14:54:11 | ifitfitsonline.com, www.ifitfitsonline.com | duplicate nr. 4 | |
| 1373879100 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-04-09 11:34:19 | 2019-07-08 11:34:19 | ifitfitsonline.com, www.ifitfitsonline.com | duplicate nr. 3 | |
| 1372231196 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-04-08 23:04:37 | 2019-07-07 23:04:37 | ifitfitsonline.com, www.ifitfitsonline.com | duplicate nr. 2 | |
| 1372230972 | CN=CloudFlare Inc ECC CA-2, O=“CloudFlare, Inc.”, L=San Francisco, C=US, ST=CA | 2019-04-08 22:00:00 | 2020-04-09 10:00:00 | *.ifitfitsonline.com, CloudFlare, Inc., ifitfitsonline.com, sni.cloudflaressl.com | | |
| 1372353905 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-04-08 21:41:51 | 2019-07-07 21:41:51 | ifitfitsonline.com, www.ifitfitsonline.com | duplicate nr. 1 | |

2019-04-15 you can create the next certificate.

#14

@JuergenAuer Oh great. 7 days after the first generated… How can I see which was the first on crt.sh? What do I have to analyse?

We can see here: https://crt.sh/?q=www.ifitfitsonline.com

#15

crt.sh has two limits:

  • precertificates and leaf certificates are both listed, so one certificate creates two entries, but sometimes leaf certificates become visible hours later
  • the list of domain names isn’t visible. You have to click every certificate to see the list of domain names.

These are reasons to create one’s own tools; the source is crt.sh.

#16

Well, nice.

Your conclusion is: 2019-04-15 you can create the next certificate.

Perfect! It really helped me. The question is… how did you get this information? What are the steps to get this?

Thanks again @JuergenAuer

#17

@JuergenAuer A better question that will solve my problem:

As you say: 7 days after the first.

https://crt.sh/?Identity=www.ifitfitsonline.com&exclude=expired (We should only look at valid certificates, right?)

So… on this list, which is the first certificate generated, whose date we have to view? 1365283345 or 1372353905?

Thanks again :smiley:

#18

As written. One is a precertificate, the other is the leaf certificate.

But they have the same serial number.

That’s the reason I’ve added a query - https://check-your-website.server-daten.de/?q=ifitfitsonline.com#ct-logs

So I don’t need to check that manually.
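
The counting rule from posts #13 and #18, as an added example (not part of the original thread, and not the code behind check-your-website.server-daten.de): collapse crt.sh precertificate/leaf pairs by serial, keep only Let’s Encrypt certificates with the exact same name set, and compute when the oldest of the five leaves the 7-day window. The crt.sh ids and dates come from the table in post #13; the serials are constructed placeholders, the CloudFlare name list is abbreviated, and "not before" is treated as the issuance time, as that table does.

```python
from datetime import datetime, timedelta

LIMIT, WINDOW = 5, timedelta(days=7)   # duplicate-certificate limit as quoted in the thread
LE = "Let's Encrypt Authority X3"
PAIR = "ifitfitsonline.com, www.ifitfitsonline.com"

# (crt.sh id, serial, issuer CN, not before, names); serials are constructed.
ENTRIES = [
    (1382902718, "SERIAL-5", LE, "2019-04-13 18:37:58", PAIR),
    (1382561623, "SERIAL-4", LE, "2019-04-13 14:54:11", PAIR),
    (1373879100, "SERIAL-3", LE, "2019-04-09 11:34:19", PAIR),
    (1372231196, "SERIAL-2", LE, "2019-04-08 23:04:37", PAIR),
    (1372230972, "SERIAL-CF", "CloudFlare Inc ECC CA-2", "2019-04-08 22:00:00",
     "*.ifitfitsonline.com, ifitfitsonline.com, sni.cloudflaressl.com"),
    (1372353905, "SERIAL-1", LE, "2019-04-08 21:41:51", PAIR),
    # Second crt.sh entry for the same certificate (precertificate/leaf pair).
    (1365283345, "SERIAL-1", LE, "2019-04-08 21:41:51", PAIR),
]

def issuances(entries):
    """Collapse entries sharing (issuer, serial) into one issuance each."""
    seen = {}
    for _crt_id, serial, issuer, not_before, names in entries:
        ts = datetime.strptime(not_before, "%Y-%m-%d %H:%M:%S")
        nameset = frozenset(n.strip().lower() for n in names.split(","))
        key = (issuer, serial)
        if key not in seen or ts < seen[key][0]:
            seen[key] = (ts, nameset, issuer)
    return list(seen.values())

def next_allowed(entries, names, now):
    """Earliest time another certificate for exactly `names` can be issued."""
    target = frozenset(n.strip().lower() for n in names)
    in_window = sorted(
        ts for ts, nameset, issuer in issuances(entries)
        if issuer == LE and nameset == target and now - WINDOW < ts <= now
    )
    if len(in_window) < LIMIT:
        return now                       # limit not reached, no waiting needed
    # A slot frees when the LIMIT-th most recent issuance ages out of the window.
    return in_window[-LIMIT] + WINDOW

if __name__ == "__main__":
    now = datetime(2019, 4, 13, 19, 0, 0)
    print(next_allowed(ENTRIES, PAIR.split(","), now))
```

Counting raw crt.sh rows would give six matching entries here instead of five, which is why the pair has to be merged before applying the limit.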

#19

@JuergenAuer Oooh, now I got it. You generated a ct-log in that website… Just to check with you if I’m correct: the first certificate is the 1372353905 from April 8th? Hope to hear from you, thanks

#20

@JuergenAuer Oh, bro! I checked now and there is a box saying Next LE! Sorry, I didn’t see it the first time, hehe… It says exactly the time I can generate a new one! Thanks, everything is right now!! Have a great weekend :smile: