Error creating new order :: too many certificates already issued for exact set of domains

comment/remove that line and others looking for stuff in /etc/letsencrypt

sudo /opt/certbot/certbot-auto --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): satellitedelivery.com,www.satellitedelivery.com
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: satellitedelivery.com,www.satellitedelivery.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

You can’t enter two names. Either one (and run certbot twice) or three.

sudo /opt/certbot/certbot-auto --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): satellitedelivery.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for satellitedelivery.com
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

If this is Elastic Beanstalk, then the certificate is going to get destroyed every single time you deploy a new version of your application.

That is not going to work if you plan to use Let's Encrypt.

You either need to store the certificates off-machine, or do the normal thing and use AWS ELB + AWS ACM for SSL, or something.


How can I store the certificates off the machine and use them?

That is up to you. If you want to continue using Certbot, you could archive /etc/letsencrypt into a tarball and copy that to an S3 bucket or something, and import it again when the Elastic Beanstalk server launches.

It seems like you are misusing Elastic Beanstalk, though, and that is resulting in your Let’s Encrypt troubles. If you are deploying your web application using it, then you need to consider your EC2 servers as stateless (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts.concepts.design.html). Meaning, everything you do on there can be wiped out at any moment and you will have to do it again.

For this reason, the usual design is to combine an Elastic Beanstalk application with a Load Balancer like ELB, so your SSL certificate (which is setup on the ELB and NOT on the EC2 instance) can be re-used no matter how many times the Elastic Beanstalk application gets redeployed.

OK, I will use S3 to keep the certificates in a tarball. Please help me with obtaining certificates now.

Well, based on your latest error, it seems like you are missing a virtual host in your Apache configuration.

Could you show us what your current config looks like with:

sudo apachectl -t -D DUMP_VHOSTS

sudo apachectl -t -D DUMP_VHOSTS
[Sun Aug 09 08:26:38.176398 2020] [so:warn] [pid 24092] AH01574: module ssl_module is already loaded, skipping
VirtualHost configuration:
*:443 ip-172-31-43-234.ap-south-1.compute.internal (/etc/httpd/conf.d/ssl.conf:3)

OK.

You do not have any virtual hosts.

You will want to add a basic virtual host file in /etc/httpd/conf.d/, something like:

<VirtualHost *:80>
  ServerName satellitedelivery.com
  ServerAlias www.satellitedelivery.com
</VirtualHost>

so then you can later run:

sudo /opt/certbot/certbot-auto --apache -d satellitedelivery.com

Keeping in mind that because you blew through the Let’s Encrypt rate limits over the past few days, you can’t issue a certificate which contains the www subdomain as well (for the next 5 days, anyway).

MisconfigurationError: Error while running apachectl restart.
httpd not running, trying to start

[Sun Aug 09 08:35:41.918156 2020] [so:warn] [pid 25037] AH01574: module ssl_module is already loaded, skipping

Error while running apachectl restart.
httpd not running, trying to start

[Sun Aug 09 08:35:41.783446 2020] [so:warn] [pid 25025] AH01574: module ssl_module is already loaded, skipping

Sounds like the change did not lead to a valid configuration.

sudo apachectl configtest

If you don’t particularly care about Apache at this moment, you could issue the certificate with:

sudo certbot certonly --standalone -d satellitedelivery.com --pre-hook "service httpd stop" --post-hook "service httpd restart"

Thanks. Now the .pem files are created.

How do I set up auto-renewal of certificates?

Since you are using certbot-auto, refer to the Set up automatic renewal section on https://certbot.eff.org/lets-encrypt/pip-other.

I have the keys in a different place outside the EC2 instance. If I set up an automatic renewal cron job, would it get impacted by new deployments?

The entire /etc/letsencrypt directory must be restored after a new deployment, if you want autorenewal to work.

Keep in mind that this also means after a certificate is renewed, you must update the external backup with the new contents. You can do this as part of a renewal hook.
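The backup/restore scheme sketched in this thread (a tarball of /etc/letsencrypt kept in S3, restored when the instance launches, and refreshed after every renewal from a renewal hook), written out as an added example. This script is not part of the original thread or of Certbot; the bucket name, the paths, the use of the aws CLI and the way it is wired into instance bootstrap are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread above: keep /etc/letsencrypt in an S3
# tarball so it survives Elastic Beanstalk redeploys, and push a fresh copy
# after every certbot renewal. Bucket name, paths and the aws CLI calls are
# assumptions; the pack/restore/verify logic is the part that runs offline.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt}"
# Assumed bucket; it holds private keys, so it must not be public.
S3_URI="${S3_URI:-s3://example-private-bucket/letsencrypt.tar.gz}"

# Pack the directory contents with paths relative to the directory itself,
# so the archive can be unpacked anywhere. tar keeps the live/ -> archive/
# symlinks as symlinks, which certbot needs in order to renew later.
backup_letsencrypt() {
    src="$1"; out="$2"
    # umask in a subshell: the archive is created mode 600 without changing
    # the caller's umask
    ( umask 077; tar -czf "$out" -C "$src" . )
}

# Unpack into the destination, creating it if missing.
restore_letsencrypt() {
    tarball="$1"; dest="$2"
    mkdir -p "$dest"
    tar -xzf "$tarball" -C "$dest"
}

# After a restore every live/<name>/privkey.pem symlink must resolve. If the
# links were dropped or dereferenced (e.g. by a copy tool that does not keep
# symlinks), certbot renew will fail even though files are present.
verify_letsencrypt() {
    dir="$1"
    [ -d "$dir/live" ] || return 1
    for link in "$dir"/live/*/privkey.pem; do
        [ -e "$link" ] || return 1   # -e follows the symlink; fails on a dangling one
    done
    return 0
}

# Upload a fresh archive. Run once after issuance and from a certbot deploy
# hook so the copy in S3 never lags behind the renewed certificate.
push_backup() {
    tmp="$(mktemp)"
    backup_letsencrypt "$LE_DIR" "$tmp"
    aws s3 cp "$tmp" "$S3_URI"        # assumes the instance role may write the object
    rm -f "$tmp"
}

# Download and restore, then refuse to continue if the tree is unusable.
pull_backup() {
    tmp="$(mktemp)"
    aws s3 cp "$S3_URI" "$tmp"        # assumes the instance role may read the object
    restore_letsencrypt "$tmp" "$LE_DIR"
    rm -f "$tmp"
    verify_letsencrypt "$LE_DIR"
}

case "${1:-}" in
    push) push_backup ;;   # e.g. from /etc/letsencrypt/renewal-hooks/deploy/
    pull) pull_backup ;;   # e.g. from an instance bootstrap step at launch
    *) ;;                  # no argument: just define the functions
esac
```

Run `pull` at instance launch before the renewal cron job can fire, and install `push` under /etc/letsencrypt/renewal-hooks/deploy/ so certbot runs it after each successful renewal; a renewal that is not pushed is lost on the next redeploy. The archive contains private keys, so the bucket should be private and the instance role limited to that one object.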
