Error creating new order :: too many certificates already issued for exact set of domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
qa-cluster3-qa1-core.api-dev.prov.clinical6.com
I ran this command:
I am trying to fetch the TLS certificate using Let's Encrypt in my Ambassador endpoint gateway.
It produced this output:

Error (obtaining tlsSecret "qa-cluster3-qa1-core.api-dev.prov.clinical6.com"."qa1" (hostnames=["qa-cluster3-qa1-core.api-dev.prov.clinical6.com"]): acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: qa-cluster3-qa1-core.api-dev.prov.clinical6.com: see https://letsencrypt.org/docs/rate-limits/, url: )
My web server is (include version): Kubernetes POD

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

Use one of the 5 previously issued certificates this week.

You're issuing quite a lot of certs for this specific hostname: https://crt.sh/?q=qa-cluster3-qa1-core.api-dev.prov.clinical6.com&deduplicate=y

Use one of those.

In fact, you or your company is pretty good at hogging the Let's Encrypt infrastructure, if I may say so, if you look at a label lower: https://crt.sh/?q=api-dev.prov.clinical6.com&deduplicate=y

Some I understand, but I say many, many duplicate certificates, which shouldn't be necessary. And that is costing Let's Encrypt resources.

2 Likes

Can you help me, how can I use the duplicate ones? Or, if it is possible, can you consider for this time deleting all the duplicate certs and providing a new one? I am waiting for that. Due to this our whole automation is down. Could you help us in that regard?

That's client application and software specific. I don't have any experience with Kubernetes, sorry. Perhaps someone else on this Community knows how "Kubernetes POD" works.

There is nothing to delete. Also, the resources have been spent when your software requested the certificates and consequently Let's Encrypt issued those certificates.

As said, use any of the previously issued certificates. It's not Let's Encrypt's fault you're not running your ACME client the way you should run it. Issue a certificate just once and then actually use it. Store it in a persistent location, not in a location that is part of some container which might be deleted, taking the certificate with it.

2 Likes
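The two replies above boil down to one check an automation pipeline should make before it ever sends a new-order request: has this exact set of names already hit the 5-per-week duplicate limit, and is there an existing certificate to reuse instead? The following is an added example, not code from the thread or from Ambassador; it works over a constructed sample shaped like crt.sh's JSON output (the field names are crt.sh's, the serials, ids and dates are made up) and treats the limit value and window as given by the rate-limits page the 429 links to.

```python
import json
from datetime import datetime, timedelta

# Let's Encrypt's duplicate-certificate limit the 429 above refers to: 5 certificates
# per exact set of names in a rolling 7-day window (see the rate-limits page in the error).
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)

# Constructed sample in the shape of crt.sh's JSON output. The field names
# (serial_number, not_before, name_value with newline-separated SANs) are crt.sh's;
# the ids, serials and dates are made up. A precertificate and its final certificate
# share a serial, so the first two rows below are one issuance, not two.
HOST = "qa-cluster3-qa1-core.api-dev.prov.clinical6.com"
NOW = datetime(2023, 8, 31, 12, 0, 0)  # constructed "current time" for the sample
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "serial_number": "0a", "not_before": "2023-08-30T10:00:00", "name_value": HOST},
    {"id": 2, "serial_number": "0a", "not_before": "2023-08-30T10:00:00", "name_value": HOST},
    {"id": 3, "serial_number": "0b", "not_before": "2023-08-29T09:00:00", "name_value": HOST},
    {"id": 4, "serial_number": "0c", "not_before": "2023-08-28T08:00:00", "name_value": HOST},
    {"id": 5, "serial_number": "0d", "not_before": "2023-08-27T07:00:00", "name_value": HOST},
    {"id": 6, "serial_number": "0e", "not_before": "2023-08-20T06:00:00", "name_value": HOST},
    {"id": 7, "serial_number": "0f", "not_before": "2023-08-30T11:00:00",
     "name_value": "api-dev.prov.clinical6.com\nwww.api-dev.prov.clinical6.com"},
])

def parse_crtsh(raw):
    """Return {serial: (frozenset of SANs, not_before)}; keying by serial collapses pre/final pairs."""
    certs = {}
    for row in json.loads(raw):
        names = frozenset(n.strip().lower() for n in row["name_value"].split("\n") if n.strip())
        certs[row["serial_number"]] = (names, datetime.fromisoformat(row["not_before"]))
    return certs

def recent_for_exact_set(certs, domains, now):
    """Serials issued for exactly this set of names within the last WINDOW, newest first."""
    wanted = frozenset(d.lower() for d in domains)
    hits = [(nb, serial) for serial, (names, nb) in certs.items()
            if names == wanted and now - WINDOW < nb <= now]
    return [serial for _, serial in sorted(hits, reverse=True)]

def plan_issuance(raw, domains, now):
    """Decide, before talking to the ACME server, whether a new order would be rate limited.

    Returns (may_order, remaining, reuse_serial): reuse_serial is the newest existing
    certificate for this exact set, which is what the replies above say to use instead."""
    recent = recent_for_exact_set(parse_crtsh(raw), domains, now)
    remaining = max(DUPLICATE_LIMIT - len(recent), 0)
    return remaining > 0, remaining, (recent[0] if recent else None)

if __name__ == "__main__":
    print(plan_issuance(SAMPLE_CRTSH_JSON, [HOST], NOW))  # (True, 1, '0a')
```

In the sample, four distinct certificates for the exact hostname fall inside the window (the 20 August one is too old and the precert/final pair counts once), so one order remains before the same 429 would appear; the sane choice is still to reuse serial 0a from persistent storage.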

Stating this another way:

Your integration with Let's Encrypt is poorly designed. If you are not responsible for this, you should escalate the issue internally with your supervisors.

The Let's Encrypt certificates are not intended to be ephemeral. They should not be generated and discarded as you spin up new virtual machines. Your company likely needs to use a centralized certificate manager or figure out how to store certificates for local re-use.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.