Hello my friends!
I am working on Digital Ocean. I’m using NGINX Ubuntu 18.04.10
My domain is www.ifitfitsonline.com
Well, i checked my domain on Let’s Debug Let’s Encrypt and i got this:
ifitfitsonline.com is currently affected by Let’s Encrypt-based rate limits (https://letsencrypt.org/docs/rate-limits/). You may review certificates that have already been issued by visiting https://crt.sh/?q=%ifitfitsonline.com . Please note that it is not possible to ask for a rate limit to be manually cleared.
The Duplicate Certificate limit (5 certificates with the exact same set of domains per week) has been exceeded and is affecting the domain “ifitfitsonline.com”. The exact set of domains affected is: “ifitfitsonline.com,www.ifitfitsonline.com”. It may be possible to avoid this rate limit by issuing a certificate with an additional or different domain name.
What should I do? I need to wait some time? Can I revoke a certificate?
Is there any easier thing I should do?
Thanks,
Mat
Do you need to issue more certificates? Why can't you use the ones that already exist?
Revocation doesn't affect the rate limits.
1 Like
Oh yeah. Of course I can use one of them… they all use the same domain… how can i do this??
About generating a new certificate, how does it work? i need to wait 1 week?
I don't understand. What are you working to achieve right now?
Did you create five certificates, delete them, and now you want to create a sixth?
Are you installing a cluster of six servers with different certificates?
To use a certificate, you need its private key. Do you have them?
Well, all my certificates are there. I created all the certificates and i didnt delete them. I was just making some kind of tests. Where can i check the private keys? I didnt save it…
What are you trying to do?
Where?
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command:
It produced this output:
My web server is (include version):
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Ok:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=www.ifitfitsonline.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command:
sudo certbot --nginx -d ifitfitsonline.com -d www.ifitfitsonline.com
It produced this output:
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: ifitfitsonline.com,www.ifitfitsonline.com: see https://letsencrypt.org/docs/rate-limits/
My web server is (include version):
nginx/1.15.5
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
As I reported, I ran Let’s Debug Let’s Encrypt:
The Duplicate Certificate limit (5 certificates with the exact same set of domains per week) has been exceeded and is affecting the domain “ifitfitsonline.com”. The exact set of domains affected is: “ifitfitsonline.com,www.ifitfitsonline.com”. It may be possible to avoid this rate limit by issuing a certificate with an additional or different domain name.
Where can i find the certificates I generated?
Ps: If I don’t have access to my generated keys, what should I do? I have to wait for a week? What should I do?
Thanks
Hi @mpgmateus
check
certbot certificates
And check
https://certbot.eff.org/docs/using.html
If you want to test something: Use --test-cert to use the test system. There are own limits.
Thanks for the contact @JuergenAuer
I got this ouput using certbot certificates:
No certs found.
What about now?
Where did they go?
Did you delete /etc/letsencrypt/?
Did you create them on a different computer, or with a different ACME client?
@mnordhoff Well, each certificate was generated from a different droplet. All these servers dont exist more. So they are on “space”… what should we do? thankss
@JuergenAuer How does Lets Encrypt count? Each monday the limit rate restarts?
No, 7 days after the first.
Output of https://check-your-website.server-daten.de/?q=ifitfitsonline.com
| CRT-Id |
Issuer |
not before |
not after |
Domain names |
LE-Duplicate |
next LE |
| 1382902718 |
CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US |
2019-04-13 18:37:58 |
2019-07-12 18:37:58 |
ifitfitsonline.com, www.ifitfitsonline.com |
duplicate nr. 5 |
next Letsencrypt certificate: 2019-04-15 21:41:51 |
| 1382561623 |
CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US |
2019-04-13 14:54:11 |
2019-07-12 14:54:11 |
ifitfitsonline.com, www.ifitfitsonline.com |
duplicate nr. 4 |
|
| 1373879100 |
CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US |
2019-04-09 11:34:19 |
2019-07-08 11:34:19 |
ifitfitsonline.com, www.ifitfitsonline.com |
duplicate nr. 3 |
|
| 1372231196 |
CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US |
2019-04-08 23:04:37 |
2019-07-07 23:04:37 |
ifitfitsonline.com, www.ifitfitsonline.com |
duplicate nr. 2 |
|
| 1372230972 |
CN=CloudFlare Inc ECC CA-2, O="CloudFlare, Inc.", L=San Francisco, C=US, ST=CA |
2019-04-08 22:00:00 |
2020-04-09 10:00:00 |
*.ifitfitsonline.com, CloudFlare, Inc., ifitfitsonline.com, sni.cloudflaressl.com |
|
|
| 1372353905 |
CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US |
2019-04-08 21:41:51 |
2019-07-07 21:41:51 |
ifitfitsonline.com, www.ifitfitsonline.com |
duplicate nr. 1 |
|
2019-04-15 you can create the next certificate.
@JuergenAuer oh great. 7 days after the first generated… how can i see what was the first on crt.sh? what do i have to analyse?
we can see here: https://crt.sh/?q=www.ifitfitsonline.com
crt.sh has two limits:
- pre- and leaf certificates are listed - one certificate creates two entries, but sometimes leaf certificates are hours later visible
- the list of domain names isn't visible. You have to click every certificate to see the list of domain names.
These are reasons to create own tools, the source is crt.sh.
well, nice.
Your conclusion is: 2019-04-15 you can create the next certificate.
Perfect! It really helped me. The question is… how did u get this information? What is the step to get on this?
Thanks again @JuergenAuer
@JuergenAuer A better question that will solve my problem:
As you say: 7 days after the first.
https://crt.sh/?Identity=www.ifitfitsonline.com&exclude=expired (Only valid certificates we should look, right?)
So…on this list, what is the first certificate generated we have to view the date? 1365283345 or 1372353905 ?
thanks again 
As written. One is a precertificate, the other is the leaf certificate.
But they have the same serial number.
That’s the reason I’ve added a query - https://check-your-website.server-daten.de/?q=ifitfitsonline.com#ct-logs
So I don’t need to check that manual.
@JuergenAuer oooh now I got. u generated a ct-log in that website… just to check with you if im correct: the first certificate is the 1372353905 from april 8th? hope to hear from you tks
@JuergenAuer OH, bro! I checked now and there is a box saying Next LE! Sorry, I didnt see it for the first time hehe… It says exactly the time I can generate a new one! Thanks, everything is right now!! (:: have a great weekend (