Error creating new cert :: too many certificates already issued for exact set of domains


#1

I want to create my certificate ssl again, because I had created this certificate without any problems in other server but I had to change servers, so I had to create the certificate again and to pint another ip address public , but when I run:
$ sudo ./letsencrypt-auto certonly --standalone -d heidelberg.yaroscloud.com
It produced this output:

ubuntu@ip-172-30-0-147:/opt/letsencrypt$ sudo ./letsencrypt-auto certonly --standalone
sudo: unable to resolve host ip-172-30-0-147
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c’
to cancel): heidelberg.yaroscloud.com
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for heidelberg.yaroscloud.com
Waiting for verification…
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: heidelberg.yaroscloud.com
Please see the logfiles in /var/log/letsencrypt for more details.

(this log is in: https://s3-us-west-1.amazonaws.com/backupsyaros/test/letsencrypt.log )

I also run
$ sudo ./letsencrypt-auto certonly --server https://acme-staging.api.letsencrypt.org/directory --standalone
but this created other files that are also not valid

Finally I drop all certs , and In my old server I run
sudo ./letsencrypt-auto revoke -d heidelberg.yaroscloud.com --cert-path /etc/letsencrypt/live/heidelberg.yaroscloud.com/cert.pem
and drop all files in /etc/letsencrypt/live, /etc/letsencrypt/renewal, /etc/letsencrypt/archive
but continues without creating a valid certificate
My domain is: heidelberg.yaroscloud.com
The operating system my web server runs on is (include version): ubuntu 14.04
My hosting provider, if applicable, is: aws


Renew my certified but it still expires on the same date
Renew my certified but it still expires on the same date
#2

There is limit of 5 duplicate certificates per week (where “week” is a sliding window of 7 days; limit doesn’t get reset on specific day of week). Regarding revocation, here’s relevant part of rate limits description:

Revoking certificates does not reset rate limits, because the resources involved in issuing the certificates have already been used.

You could simply copy all Let’s Encrypt files from the old server and they would work - but as you’ve already revoked your certificate (I would recommend revoking certificates only if private key gets compromised), now you have to wait…

… or you have to use “loophole” in rate limits. Certificate is counted as a duplicate, if it has exact same set of hostnames. Hence, if you request a new certificate for heidelberg.yaroscloud.com and (for example) www.heidelberg.yaroscloud.com, it won’t be treated as duplicate one.

Please note that there is also a weekly limit of 20 certificates per domain.

Staging server is used only for testing purposes; certificates it issues are not publicly trusted (“not valid”, as you said).


#3

THanks for answering.
I had created this certificate about 2 months ago, this last monday in tomorrow I had revoke and created certificate and I got this same errror
Before I remember that I had created certificate in my new server and I saw this error, then I revoke cert, and then drop files


#4

Hi @yavinenana,

1st September you issued 6 certificates for heidelberg.yaroscloud.com so you reached the limit.

CRT ID     DOMAIN (CN)                VALID FROM              VALID TO               EXPIRES IN  SANs
202455387  heidelberg.yaroscloud.com  2017-Sep-01 06:05 CEST  2017-Nov-30 05:05 CET  85 days     heidelberg.yaroscloud.com
202455042  heidelberg.yaroscloud.com  2017-Sep-01 06:04 CEST  2017-Nov-30 05:04 CET  85 days     heidelberg.yaroscloud.com
202454631  heidelberg.yaroscloud.com  2017-Sep-01 06:03 CEST  2017-Nov-30 05:03 CET  85 days     heidelberg.yaroscloud.com
202454289  heidelberg.yaroscloud.com  2017-Sep-01 06:02 CEST  2017-Nov-30 05:02 CET  85 days     heidelberg.yaroscloud.com
202453755  heidelberg.yaroscloud.com  2017-Sep-01 06:01 CEST  2017-Nov-30 05:01 CET  85 days     heidelberg.yaroscloud.com
202453066  heidelberg.yaroscloud.com  2017-Sep-01 06:00 CEST  2017-Nov-30 05:00 CET  85 days     heidelberg.yaroscloud.com
182058317  heidelberg.yaroscloud.com  2017-Aug-01 06:38 CEST  2017-Oct-30 05:38 CET  54 days     heidelberg.yaroscloud.com

You have 2 options:

1.- Wait till 8th September to try to renew your cert.
2.- Add one more subdomain/domain to the certificate so you are not reaching the 5 certs limit per same subset of domains per 7 days.

Note: Revoking a certificate has no effects on rate limits and if your private key has not been compromised there is no need to revoke a certificate.

Cheers,
sahsanu


#5

thank you, very match for answering mr sahsanu
but , I haven’t create any certificate again or renew this date
I remeber that I had created or try renew on sunday , I’m sorry but i don’t remember i’m confused . where can I see this log or information , like that table pls , because in my logs’ ? I dont see pls .
thanks again


#6

This table is the output from @sahsanu’s program lectl

The underlying data source is Comodo’s crt.sh, which is an interface to the Certificate Transparency database.

https://crt.sh/?Identity=%&iCAID=16418


#8

hi I created my certificate yesterday but

since install letsencrypt from https://github.com/letsencrypt/letsencrypt
I have this error each 30 second sometimes but when i created my cert for domain heidelberg.yaroscloud.com ,
this cert was created with this name : heidelberg.yaroscloud.com-0001 . I don’t think the problem is my configuration because I change my configuration to the previous configuration and now I have the same problem.
In my log nginx I dont see nothing.
and when I check in this page
https://certificate.revocationcheck.com
I see that my certificate not exists , but I used https://heidelberg.yaroscloud.com this morning , with errors but I used .


#9

It’s sometimes a bad sign when you have this. It means you have two separate overlapping certificates managed by Certbot, which are stored in different places. It would be a result of having use --duplicate or answering “Duplicate” to the question about whether you wanted to make a new certificate that already covered some of the names in an existing certificate.

You can find out about the locations where your certificates are stored, and what they cover, by running sudo ./letsencrypt-auto certificates. (We no longer refer to the software as letsencrypt-auto; its name was changed to Certbot more than a year ago.)


#10

I remember when I try created my certificate again and I revoke my certificate with
sudo ./letsencrypt-auto revoke -d heidelberg.yaroscloud.com --cert-path /etc/letsencrypt/live/heidelberg.yaroscloud.com/cert.pem
also I used
sudo ./letsencrypt-auto certonly --server https://acme-staging.api.letsencrypt.org/directory
and then create cert I suposse like this create heidelberg.yaroscloud.com-0001 , beacause I couldn’t before.

ubuntu@ip-172-30-0-147:/opt/letsencrypt$ sudo ./letsencrypt-auto certificates
sudo: unable to resolve host ip-172-30-0-147
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.


Found the following certs:
Certificate Name: heidelberg.yaroscloud.com-0001
Domains: heidelberg.yaroscloud.com
Expiry Date: 2017-12-16 16:59:00+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/privkey.pem

The following renewal configuration files were invalid:
/etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf

================================================

before yesterday I delete all log of certbot I do not know what else I can do please, thank you very much for your comments


#11

It sounds like you edited /etc/letsencrypt/renewal/heidelberg.yaroscloud.com.conf in a way that made it invalid. Could you post the contents of that file?


#13

sure I have to files :

heidelberg.yaroscloud.com-0001.conf
heidelberg.yaroscloud.com.conf

… in the first i have (heidelberg.yaroscloud.com-001.conf) :
renew_before_expiry = 30 days
version = 0.18.1
archive_dir = /etc/letsencrypt/archive/heidelberg.yaroscloud.com-0001
cert = /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/cert.pem
privkey = /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/privkey.pem
chain = /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/chain.pem
fullchain = /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/fullchain.pem

Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = c43685e05d5de5131e8516918de4417d
and the second (heidelberg.yaroscloud.com.conf) a I hava nothing


#14

Thanks! Did you edit either of these files yourself?

Can you also show us the output of this command?

ls -l /etc/letsencrypt/live/heidelberg*/


#15

We’re wondering about the reason for the empty renewal configuration file. If you don’t know why it was empty, would you be willing to share your logs from /var/log/letsencrypt in case they might reveal the reason?


#16

sure i Have ONLY this folder heidelberg.yaroscloud.com-0001 with :

root@ip-172-30-0-147:/home/ubuntu# ls -l /etc/letsencrypt/live/heidelberg.yaroscloud.com-0001/
total 4
lrwxrwxrwx 1 root root 54 sep 17 12:59 cert.pem -> …/…/archive/heidelberg.yaroscloud.com-0001/cert5.pem
lrwxrwxrwx 1 root root 55 sep 17 12:59 chain.pem -> …/…/archive/heidelberg.yaroscloud.com-0001/chain5.pem
lrwxrwxrwx 1 root root 59 sep 17 12:59 fullchain.pem -> …/…/archive/heidelberg.yaroscloud.com-0001/fullchain5.pem
lrwxrwxrwx 1 root root 57 sep 17 12:59 privkey.pem -> …/…/archive/heidelberg.yaroscloud.com-0001/privkey5.pem
-rw-r–r-- 1 root root 543 sep 17 12:44 README


#17

thats rigth I don’t know why I have this files in my renewal :
root@ip-172-30-0-147:/etc/letsencrypt/renewal# ls -la
total 12
drwxr-xr-x 2 root root 4096 sep 18 17:04 .
drwxr-xr-x 8 root root 4096 sep 19 17:01 …
-rw-r–r-- 1 root root 555 sep 17 12:59 heidelberg.yaroscloud.com-0001.conf
-rw-r–r-- 1 root root 0 sep 17 12:26 heidelberg.yaroscloud.com.conf

but in the renewal file heidelberg.yaroscloud.com-0001.conf I have this


BUT ANOTHER RENEWAL FILE heidelberg.yaroscloud.com.conf is empty

again , thank you very much for your help.


#18

It’s pretty strange! Could you share your log files from /var/log/letsencrypt? (Maybe uploading them somewhere other than the forum because they’ll be pretty large.)


#19

sorry if are very much files , but the last is letsecnypt.log
all logs stay in here
https://s3-us-west-1.amazonaws.com/backupsyaros/test/letsencrypt.zip


#20

Thanks! Sadly, all of these files are too recent to show the underlying reason why your other renewal configuration file was empty.

They do show why you encountered the “too many certificates already issued” error. You are using --renew-by-default in an automated renewal process. The --renew-by-default option has been renamed to --force-renewal and should normally never be used in an automated task. It means “renew this now, even if a recently renewal certificate already exists”, which is likely to run into rate limits.

What we suggest running automatically instead is certbot renew, which checks to see whether each certificate is less than 30 days away from expiry before attempting to renew it.

It looks like you might have a cron job running once per minute that tries to do the --force-renewal (e.g. with * * * * * as the time specification). We think twice per day is often enough, but in any case if you switch to certbot renew instead of --force-renewal, it should stop trying to renew so frequently.


#21

hi mr schoen
i saw that my cron was * * * /2 * /home/ubuntu/scrpit.sh i thank that this run each 2 months , know I drop this cron and scrpit I was wrong, know I deleted cron and script.
but when I created my cert, this create in heidelberg.yaroscloud.com-0001. What can i do? I only need cert to heidelberg.yaroscloud.com , maybe I should revoke certificates with
sudo ./letsencrypt-auto revoke --cert-path /etc/letsencrypt/live/heidelberg.yaroscloud.com/cert.pem -d heidelberg.yaroscloud.com
and wait another week more, and recreate certificate but I have scary that they’re wrong again.

I used to:
sudo git clone https://github.com/letsencrypt/letsencrypt (in opt)
sudo ./letsencrypt-auto certonly --standalone
sudo ./letsencrypt-auto --renew-by-default certonly --standalone --email jordy@yaroslab.com -d heidelberg.yaroscloud.com (you said that use this is wrong and I will never use it again :frowning: )
so I should use
sudo ./lesencrypt-auto -d --standalone --email jordy@yaroslab.com -d heidelberg.yaroscloud.com

again thnk you mr


#22

Hi @yavinenana,

It’s not necessary to revoke certificates in this case, and it doesn’t affect the rate limit.

It could be OK that your certificate is stored in heidelberg.yaroscloud.com-0001 and your certificate might be fine now. I know I said that I was concerned about the fact that you had both heidelberg.yaroscloud.com-0001 and heidelberg.yaroscloud.com, but apparently only the first of these is working and there is not necessarily anything wrong with the certificate. Did you try configuring that certificate to be used in some application?