Error creating new order :: too many certificates already issued for exact set of domains

letsgochamp · May 4, 2020, 9:08pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:peepsamurai.com

I ran this command:./certbot-auto certonly --manual --preferred-challenges=dns --email ecp@hypermediasystems.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.peepsamurai.com -d peepsamurai.com

It produced this output:
An unexpected error occurred:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.peepsamurai.com,peepsamurai.com: see https://letsencrypt.org/docs/rate-limits/

cat /var/log/letsencrypt/letsencrypt.log

2020-05-04 20:49:07,116:DEBUG:certbot._internal.main:certbot version: 1.3.0
2020-05-04 20:49:07,118:DEBUG:certbot._internal.main:Arguments: [’–manual’, ‘–preferred-challenges=dns’, ‘–email’, ‘ecp@hypermediasystems.com’, ‘–server’, ‘https://acme-v02.api.letsencrypt.org/directory’, ‘–agree-tos’, ‘-d’, ‘*.peepsamurai.com’, ‘-d’, ‘peepsamurai.com’]
2020-05-04 20:49:07,118:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-05-04 20:49:07,133:DEBUG:certbot._internal.log:Root logging level set at 20
2020-05-04 20:49:07,134:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-05-04 20:49:07,135:DEBUG:certbot._internal.plugins.selection:Requested authenticator manual and installer None
2020-05-04 20:49:07,139:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot._internal.plugins.manual:Authenticator
Initialized: <certbot._internal.plugins.manual.Authenticator object at 0x7f47735489b0>
Prep: True
2020-05-04 20:49:07,140:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.manual.Authenticator object at 0x7f47735489b0> and installer None
2020-05-04 20:49:07,140:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator manual, Installer None
2020-05-04 20:49:07,144:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri=‘https://acme-v02.api.letsencrypt.org/acme/acct/53562939’, new_authzr_uri=None, terms_of_service=None), fc85a1dc9f9362f7eb78260a9b76b7cc, Meta(creation_dt=datetime.datetime(2019, 3, 18, 23, 54, 38, tzinfo=), creation_host=‘r115’))>
2020-05-04 20:49:07,145:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-05-04 20:49:07,147:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2020-05-04 20:49:07,383:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
2020-05-04 20:49:07,384:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 04 May 2020 20:49:07 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“keyChange”: “https://acme-v02.api.letsencrypt.org/acme/key-change”,
“meta”: {
“caaIdentities”: [
“letsencrypt.org”
],
“termsOfService”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
“website”: “https://letsencrypt.org”
},
“newAccount”: “https://acme-v02.api.letsencrypt.org/acme/new-acct”,
“newNonce”: “https://acme-v02.api.letsencrypt.org/acme/new-nonce”,
“newOrder”: “https://acme-v02.api.letsencrypt.org/acme/new-order”,
“revokeCert”: “https://acme-v02.api.letsencrypt.org/acme/revoke-cert”,
“yZfyvY6msnI”: “Adding random entries to the directory”
}
2020-05-04 20:49:07,389:INFO:certbot._internal.main:Obtaining a new certificate
2020-05-04 20:49:07,647:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0015_key-certbot.pem
2020-05-04 20:49:07,649:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0015_csr-certbot.pem
2020-05-04 20:49:07,650:DEBUG:acme.client:Requesting fresh nonce
2020-05-04 20:49:07,650:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-05-04 20:49:07,690:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “HEAD /acme/new-nonce HTTP/1.1” 200 0
2020-05-04 20:49:07,690:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 04 May 2020 20:49:07 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0002AmLoZQzwGV1EvVU_m1VRT6HC3mk4QrJ6X2mTa07iSck
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2020-05-04 20:49:07,690:DEBUG:acme.client:Storing nonce: 0002AmLoZQzwGV1EvVU_m1VRT6HC3mk4QrJ6X2mTa07iSck
2020-05-04 20:49:07,691:DEBUG:acme.client:JWS payload:
b’{\n “identifiers”: [\n {\n “type”: “dns”,\n “value”: “*.peepsamurai.com”\n },\n {\n “type”: “dns”,\n “value”: “peepsamurai.com”\n }\n ]\n}’
2020-05-04 20:49:07,693:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTM1NjI5MzkiLCAibm9uY2UiOiAiMDAwMkFtTG9aUXp3R1YxRXZWVV9tMVZSVDZIQzNtazRRcko2WDJtVGEwN2lTY2siLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9”,
“signature”: “VVlV9rm4tSu_JBYK_Cjg2Iefgy9AqJDMdIYpTjWUL1RCa8lciQINeR2BNm8c4ofz5kVhHdRcuoXXwsto0_x_m7ErPAcv_R_Dfmm8pMYUm66ZcOmxdq2yaXAzPPIP42srYaT0QDyj30gCbvqTqwPtv_SG-jc90R0oXC8yBwexBsZKqBW654qQzNLRuXujoJuX4MWwvwWRLv15l8cShxLmm9mmVCQekYGagfArBN2NPb6OiiGkpqTgqWVcgvwcLGmBsyB5cKUTRDVud_a-fca5IoYap476AW_30UaKSLzbvhGTdv5omyqzrPHavMoDRlRt5MLU94wA22q8wZWksBaNng”,
“payload”: “ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIioucGVlcHNhbXVyYWkuY29tIgogICAgfSwKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInBlZXBzYW11cmFpLmNvbSIKICAgIH0KICBdCn0”
}
2020-05-04 20:49:07,756:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/new-order HTTP/1.1” 429 258
2020-05-04 20:49:07,757:DEBUG:acme.client:Received response:
HTTP 429
Server: nginx
Date: Mon, 04 May 2020 20:49:07 GMT
Content-Type: application/problem+json
Content-Length: 258
Connection: keep-alive
Boulder-Requester: 53562939
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0002fUcYEgBSzW6VcRI3uWwyyIhq4jtlPQfqPG5wrchQctg

{
“type”: “urn:ietf:params:acme:error:rateLimited”,
“detail”: “Error creating new order :: too many certificates already issued for exact set of domains: *.peepsamurai.com,peepsamurai.com: see https://letsencrypt.org/docs/rate-limits/”,
“status”: 429
}
2020-05-04 20:49:07,757:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 11, in
load_entry_point(‘letsencrypt==0.7.0’, ‘console_scripts’, ‘letsencrypt’)()
File “/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/main.py”, line 15, in main
return internal_main.main(cli_args)
File “/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/main.py”, line 1347, in main
return config.func(config, plugins)
File “/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/main.py”, line 1233, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/main.py”, line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/client.py”, line 410, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/client.py”, line 344, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/client.py”, line 376, in _get_order_and_authorizations
orderr = self.acme.new_order(csr_pem)
File “/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py”, line 863, in new_order
return self.client.new_order(csr_pem)
File “/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py”, line 666, in new_order
response = self._post(self.directory[‘newOrder’], order)
File “/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py”, line 95, in _post
return self.net.post(*args, **kwargs)
File “/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py”, line 1174, in post
return self._post_once(*args, **kwargs)
File “/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py”, line 1187, in _post_once
response = self._check_response(response, content_type=content_type)
File “/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py”, line 1045, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.peepsamurai.com,peepsamurai.com: see https://letsencrypt.org/docs/rate-limits/
2020-05-04 20:49:07,759:ERROR:certbot._internal.log:An unexpected error occurred:
2020-05-04 20:49:07,759:ERROR:certbot._internal.log:There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.peepsamurai.com,peepsamurai.com: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version):Apache

The operating system my web server runs on is (include version):linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):1.3.0

hi,
I moved certbot tool and the certs to a new server. When I tried to renew it, it output domain-001 suffix. I didn’t want the 001 suffix, so I deleted the certs. However I renewed too many times and didn’t keep a copy of the certs. Now my certs will be expired in 5 days. I can’t wait 1 week to renew it, what can I do?

stevenzhu · May 4, 2020, 9:41pm

Rate Limit doc: Rate Limits - Let's Encrypt
You've hit the Duplicate Certificate limit, so you'll need actually to wait until that limit expires.
Source: https://check-your-website.server-daten.de/?q=peepsamurai.com
Let's Debug Toolkit
11 May 2020 15:10:46 UTC is the next time you can request the same set of certificates.

There is only one way to bypass the rate limit:

A certificate is considered a renewal (or a duplicate) of an earlier certificate if it contains the same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [ www.example.com, example.com ], you could request four more certificates for [ www.example.com, example.com ] during the week. If you changed the set of hostnames by adding [ blog.example.com ], you would be able to request additional certificates.

A tip: You are using Route53 as your DNS provider, and certbot-auto has integration for that (so you don't need to manually add records and issue new certificate when renew, just use the ./certbot-auto renew if you setup correctly). See this thread for more information: Example of using certbot-auto with Route 53 DNS?

letsgochamp · May 4, 2020, 10:06pm

11 May 2020 15:10:46 UTC is the next time you can request the same set of certificates.

My certs will expire at (Sun, 10 May 2020 18:40:14 UTC (expires in 5 days, 20 hours). I can't wait till 11 May 2020 15:10:46 UTC.

There is only one way to bypass the rate limit:
If you changed the set of hostnames by adding [ blog.example.com ], you would be able to request additional certificates.

I'm using wildcard *.domain.com domain.com. I can't bypass the rate limit by changed the set of hostname

mnordhoff · May 6, 2020, 4:09am

You could get two certificates, or you could add a different domain, or a different subdomain like foo.bar.example.com.

Edit:

It may also be possible to use one of your previous certificates -- Certbot keeps a second copy of the private keys in /etc/letsencrypt/keys/. If you still have those, you could download a matching certificate and use them. (Reconstructing all of Certbot's configuration files would be harder.)

system · June 5, 2020, 4:15am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.