Error creating new cert :: too many certificates already issued for exact set of domains

I want to create my certificate ssl again, because I had created this certificate without any problems in other server but I had to change servers, so I had to create the certificate again and to pint another ip address public , but when I run:
$ sudo ./letsencrypt-auto certonly --standalone -d
It produced this output:

ubuntu@ip-172-30-0-147:/opt/letsencrypt$ sudo ./letsencrypt-auto certonly --standalone
sudo: unable to resolve host ip-172-30-0-147
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c’
to cancel):
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for
Waiting for verification…
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains:
Please see the logfiles in /var/log/letsencrypt for more details.

(this log is in: )

I also run
$ sudo ./letsencrypt-auto certonly --server --standalone
but this created other files that are also not valid

Finally I drop all certs , and In my old server I run
sudo ./letsencrypt-auto revoke -d --cert-path /etc/letsencrypt/live/
and drop all files in /etc/letsencrypt/live, /etc/letsencrypt/renewal, /etc/letsencrypt/archive
but continues without creating a valid certificate
My domain is:
The operating system my web server runs on is (include version): ubuntu 14.04
My hosting provider, if applicable, is: aws

There is limit of 5 duplicate certificates per week (where “week” is a sliding window of 7 days; limit doesn’t get reset on specific day of week). Regarding revocation, here’s relevant part of rate limits description:

Revoking certificates does not reset rate limits, because the resources involved in issuing the certificates have already been used.

You could simply copy all Let’s Encrypt files from the old server and they would work - but as you’ve already revoked your certificate (I would recommend revoking certificates only if private key gets compromised), now you have to wait…

… or you have to use “loophole” in rate limits. Certificate is counted as a duplicate, if it has exact same set of hostnames. Hence, if you request a new certificate for and (for example), it won’t be treated as duplicate one.

Please note that there is also a weekly limit of 20 certificates per domain.

Staging server is used only for testing purposes; certificates it issues are not publicly trusted (“not valid”, as you said).


THanks for answering.
I had created this certificate about 2 months ago, this last monday in tomorrow I had revoke and created certificate and I got this same errror
Before I remember that I had created certificate in my new server and I saw this error, then I revoke cert, and then drop files

Hi @yavinenana,

1st September you issued 6 certificates for so you reached the limit.

CRT ID     DOMAIN (CN)                VALID FROM              VALID TO               EXPIRES IN  SANs
202455387  2017-Sep-01 06:05 CEST  2017-Nov-30 05:05 CET  85 days
202455042  2017-Sep-01 06:04 CEST  2017-Nov-30 05:04 CET  85 days
202454631  2017-Sep-01 06:03 CEST  2017-Nov-30 05:03 CET  85 days
202454289  2017-Sep-01 06:02 CEST  2017-Nov-30 05:02 CET  85 days
202453755  2017-Sep-01 06:01 CEST  2017-Nov-30 05:01 CET  85 days
202453066  2017-Sep-01 06:00 CEST  2017-Nov-30 05:00 CET  85 days
182058317  2017-Aug-01 06:38 CEST  2017-Oct-30 05:38 CET  54 days

You have 2 options:

1.- Wait till 8th September to try to renew your cert.
2.- Add one more subdomain/domain to the certificate so you are not reaching the 5 certs limit per same subset of domains per 7 days.

Note: Revoking a certificate has no effects on rate limits and if your private key has not been compromised there is no need to revoke a certificate.


thank you, very match for answering mr sahsanu
but , I haven’t create any certificate again or renew this date
I remeber that I had created or try renew on sunday , I’m sorry but i don’t remember i’m confused . where can I see this log or information , like that table pls , because in my logs’ ? I dont see pls .
thanks again

This table is the output from @sahsanu’s program lectl

The underlying data source is Comodo’s, which is an interface to the Certificate Transparency database.

1 Like

hi I created my certificate yesterday but

since install letsencrypt from
I have this error each 30 second sometimes but when i created my cert for domain ,
this cert was created with this name : . I don’t think the problem is my configuration because I change my configuration to the previous configuration and now I have the same problem.
In my log nginx I dont see nothing.
and when I check in this page
I see that my certificate not exists , but I used this morning , with errors but I used .

It’s sometimes a bad sign when you have this. It means you have two separate overlapping certificates managed by Certbot, which are stored in different places. It would be a result of having use --duplicate or answering “Duplicate” to the question about whether you wanted to make a new certificate that already covered some of the names in an existing certificate.

You can find out about the locations where your certificates are stored, and what they cover, by running sudo ./letsencrypt-auto certificates. (We no longer refer to the software as letsencrypt-auto; its name was changed to Certbot more than a year ago.)

I remember when I try created my certificate again and I revoke my certificate with
sudo ./letsencrypt-auto revoke -d --cert-path /etc/letsencrypt/live/
also I used
sudo ./letsencrypt-auto certonly --server
and then create cert I suposse like this create , beacause I couldn’t before.

ubuntu@ip-172-30-0-147:/opt/letsencrypt$ sudo ./letsencrypt-auto certificates
sudo: unable to resolve host ip-172-30-0-147
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/ produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.

Found the following certs:
Certificate Name:
Expiry Date: 2017-12-16 16:59:00+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

The following renewal configuration files were invalid:


before yesterday I delete all log of certbot I do not know what else I can do please, thank you very much for your comments

It sounds like you edited /etc/letsencrypt/renewal/ in a way that made it invalid. Could you post the contents of that file?

sure I have to files :

… in the first i have ( :
renew_before_expiry = 30 days
version = 0.18.1
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

Options used in the renewal process
authenticator = standalone
installer = None
account = c43685e05d5de5131e8516918de4417d
and the second ( a I hava nothing

Thanks! Did you edit either of these files yourself?

Can you also show us the output of this command?

ls -l /etc/letsencrypt/live/heidelberg*/

We’re wondering about the reason for the empty renewal configuration file. If you don’t know why it was empty, would you be willing to share your logs from /var/log/letsencrypt in case they might reveal the reason?

sure i Have ONLY this folder with :

root@ip-172-30-0-147:/home/ubuntu# ls -l /etc/letsencrypt/live/
total 4
lrwxrwxrwx 1 root root 54 sep 17 12:59 cert.pem -> …/…/archive/
lrwxrwxrwx 1 root root 55 sep 17 12:59 chain.pem -> …/…/archive/
lrwxrwxrwx 1 root root 59 sep 17 12:59 fullchain.pem -> …/…/archive/
lrwxrwxrwx 1 root root 57 sep 17 12:59 privkey.pem -> …/…/archive/
-rw-r–r-- 1 root root 543 sep 17 12:44 README

thats rigth I don’t know why I have this files in my renewal :
root@ip-172-30-0-147:/etc/letsencrypt/renewal# ls -la
total 12
drwxr-xr-x 2 root root 4096 sep 18 17:04 .
drwxr-xr-x 8 root root 4096 sep 19 17:01 …
-rw-r–r-- 1 root root 555 sep 17 12:59
-rw-r–r-- 1 root root 0 sep 17 12:26

but in the renewal file I have this


again , thank you very much for your help.

It’s pretty strange! Could you share your log files from /var/log/letsencrypt? (Maybe uploading them somewhere other than the forum because they’ll be pretty large.)

sorry if are very much files , but the last is letsecnypt.log
all logs stay in here

Thanks! Sadly, all of these files are too recent to show the underlying reason why your other renewal configuration file was empty.

They do show why you encountered the “too many certificates already issued” error. You are using --renew-by-default in an automated renewal process. The --renew-by-default option has been renamed to --force-renewal and should normally never be used in an automated task. It means “renew this now, even if a recently renewal certificate already exists”, which is likely to run into rate limits.

What we suggest running automatically instead is certbot renew, which checks to see whether each certificate is less than 30 days away from expiry before attempting to renew it.

It looks like you might have a cron job running once per minute that tries to do the --force-renewal (e.g. with * * * * * as the time specification). We think twice per day is often enough, but in any case if you switch to certbot renew instead of --force-renewal, it should stop trying to renew so frequently.

hi mr schoen
i saw that my cron was * * * /2 * /home/ubuntu/ i thank that this run each 2 months , know I drop this cron and scrpit I was wrong, know I deleted cron and script.
but when I created my cert, this create in What can i do? I only need cert to , maybe I should revoke certificates with
sudo ./letsencrypt-auto revoke --cert-path /etc/letsencrypt/live/ -d
and wait another week more, and recreate certificate but I have scary that they’re wrong again.

I used to:
sudo git clone (in opt)
sudo ./letsencrypt-auto certonly --standalone
sudo ./letsencrypt-auto --renew-by-default certonly --standalone --email -d (you said that use this is wrong and I will never use it again :frowning: )
so I should use
sudo ./lesencrypt-auto -d --standalone --email -d

again thnk you mr

Hi @yavinenana,

It’s not necessary to revoke certificates in this case, and it doesn’t affect the rate limit.

It could be OK that your certificate is stored in and your certificate might be fine now. I know I said that I was concerned about the fact that you had both and, but apparently only the first of these is working and there is not necessarily anything wrong with the certificate. Did you try configuring that certificate to be used in some application?

1 Like