Error creating live certificate for subdomain of linkpc.net


#1

The domain I’m trying to issue a certificate for is a subdomain of the public DNS service linkpc.net, specifically lonchik.linkpc.net. I’m using the Crypt-LE tool (https://github.com/do-know/Crypt-LE/releases) to perform the task. Running without the --live option (i.e. running against the test server) produced success (see below). However, when I added the --live option to generate a real certificate, it was rejected, saying too many certificates were issued to linkpc.net (again, see output below). It makes sense that the linkpc.net SLD will appear a lot because it uses 3rd-level domains for its users as its service, i.e. mine being lonchik.linkpc.net.

Can LE’s limit be raised for linkpc.net to allow each subdomain to be counted as separate, individual, and unrelated to any other *.linkpc.net subdomain for the certificate count limit? If not, is there some other workaround?

My domain is: lonchik.linkpc.net

I ran this command: le64 --key account.key --email "####@####" --csr domain.csr --csr-key domain.key --crt domain.crt --generate-missing --domains "lonchik.linkpc.net" --unlink --path C:/inetpub/wwwroot/.well-known/acme-challenge -export-pfx #### --live

It produced this output (NOTE: two outputs; the first is a test run showing success, the second is the same thing with the --live option as shown above. A valid email and pfx password were supplied and X’ed out for posting purposes):

C:\Utils\LetsEncrypt>le64 --key account.key --email "XXXX@XXXX" --csr domain.csr --csr-key domain.key --crt domain.crt --generate-missing --domains "lonchik.linkpc.net" --unlink --path C:/inetpub/wwwroot/.well-known/acme-challenge -export-pfx ####
2017/12/29 16:13:44 [ ZeroSSL Crypt::LE client v0.29 started. ]
2017/12/29 16:13:44 Loading an account key from account.key
2017/12/29 16:13:44 Loading a CSR from domain.csr
2017/12/29 16:13:46 Registering the account key
2017/12/29 16:13:46 The key is already registered. ID: 5306343
2017/12/29 16:13:46 Current contact details: XXXX@XXXXX
2017/12/29 16:13:46 Successfully saved a challenge file ‘C:/inetpub/wwwroot/.well-known/acme-challenge/dmzbaQ3EZzGGxlmppDTFwteGRjP1XyZpm_zz26J0pQc’ for domain 'lonchik.linkpc.net
2017/12/29 16:13:51 Domain verification results for ‘lonchik.linkpc.net’: success.
2017/12/29 16:13:51 Challenge file ‘C:/inetpub/wwwroot/.well-known/acme-challenge/dmzbaQ3EZzGGxlmppDTFwteGRjP1XyZpm_zz26J0pQc’ has been deleted.
2017/12/29 16:13:51 Requesting domain certificate.
2017/12/29 16:13:51 Requesting issuer’s certificate.
2017/12/29 16:13:51 Saving the full certificate chain to domain.crt.
2017/12/29 16:13:51 Exporting certificate to domain.pfx.
2017/12/29 16:13:51 ===> NOTE: You have been using the test server for this certificate. To issue a valid trusted certificate add --live option.
2017/12/29 16:13:51 The job is done, enjoy your certificate! For feedback and bug reports contact us at [ https://ZeroSSL.com | https://Do-Know.com ]

C:\Utils\LetsEncrypt>le64 --key account.key --email "XXXX@XXXX" --csr domain.csr --csr-key domain.key --crt domain.crt --generate-missing --domains "lonchik.linkpc.net" --unlink --path C:/inetpub/wwwroot/.well-known/acme-challenge -export-pfx #### --live
2017/12/29 16:16:00 [ ZeroSSL Crypt::LE client v0.29 started. ]
2017/12/29 16:16:00 Loading an account key from account.key
2017/12/29 16:16:00 Loading a CSR from domain.csr
2017/12/29 16:16:02 Registering the account key
2017/12/29 16:16:03 The key has been successfully registered. ID: 26677225
2017/12/29 16:16:03 Make sure to check TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2017/12/29 16:16:03 Current contact details: ####@####
2017/12/29 16:16:03 Error requesting certificate: Error creating new cert :: too many certificates already issued for: linkpc.net

My web server is (include version): IIS on Windows 8

The operating system my web server runs on is (include version): Windows 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Look at how many certificates have been issued recently for linkpc.net. This is certainly in excess of the prescribed Let’s Encrypt rate limits.

The operator/owner of linkpc.net should either apply for higher rate limits or apply to the Public Suffix List to avoid this issue.

Unless you are that person, I don’t think there’s anything you can do about this problem other than try to wait out the rate limit (which may not be reliable/possible).


#3

_az, thanks for the clarification. I somehow interpreted the error message as reaching some absolute total number of certificates per domain (i.e. linkpc.net including all subdomains).

I’ll see if I can contact linkpc.net to see if they’d be interested to engage, but for now, I can just keep checking that link and try to “slide in” as the rolling window rolls off recent entries.

Thanks again for clarification.
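
How the two points raised in this thread fit together, as an added example (not code from any poster, from Crypt-LE or from Let's Encrypt): the certificate count is kept per registered domain, which the Public Suffix List determines, over a rolling window. The suffix excerpt, the issuance log, the limit of 3 and the 7-day window are constructed values for illustration only, and wildcard/exception suffix rules are not handled.

```python
from datetime import datetime, timedelta

# Constructed excerpt of public-suffix rules (the real list lives at publicsuffix.org).
PSL_WITHOUT = {"net", "com"}
# Hypothetical: the same excerpt as if the linkpc.net operator had been listed.
PSL_WITH = PSL_WITHOUT | {"linkpc.net"}

def registered_domain(fqdn, suffixes):
    """Longest matching public suffix plus one label: the unit the count is kept against."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # i = 0 tries the longest candidate first
        if ".".join(labels[i:]) in suffixes:
            if i == 0:
                return None                 # the name is itself a public suffix
            return ".".join(labels[i - 1:])
    return None                             # no known suffix matched

def earliest_issuance(name, log, suffixes, limit, window, now):
    """Return `now` if a slot is free, else the moment the rolling window frees one."""
    reg = registered_domain(name, suffixes)
    cutoff = now - window
    recent = sorted(t for fqdn, t in log
                    if registered_domain(fqdn, suffixes) == reg and t > cutoff)
    if len(recent) < limit:
        return now
    # Enough of the oldest entries must age out to bring the count below the limit.
    return recent[len(recent) - limit] + window

# Constructed sample data: assumed limit and window, not Let's Encrypt's real values.
LIMIT, WINDOW = 3, timedelta(days=7)
NOW = datetime(2017, 12, 29, 16, 16)
LOG = [
    ("a.linkpc.net", datetime(2017, 12, 23, 10, 0)),
    ("b.linkpc.net", datetime(2017, 12, 25, 9, 0)),
    ("c.linkpc.net", datetime(2017, 12, 28, 12, 0)),
    ("x.example.com", datetime(2017, 12, 28, 13, 0)),
]

if __name__ == "__main__":
    for label, psl in (("not on PSL", PSL_WITHOUT), ("on PSL", PSL_WITH)):
        reg = registered_domain("lonchik.linkpc.net", psl)
        when = earliest_issuance("lonchik.linkpc.net", LOG, psl, LIMIT, WINDOW, NOW)
        print(f"{label}: counted under {reg}, earliest issuance {when}")
```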


#4

There is also a command-line computer program to help give you this information:

