Error creating new order: too many certificates

Hello,
I am not able to access sites where certificates were installed. I got an email that auto renewal failed. So when I checked both sites in the Certify SSL app, it was showing failed. When I tried to renew, it failed saying "Error creating new order: too many certificates". So I re-fetched the last certificate and then it was showing renewal successful, but the sites were still not accessible. So I tried deleting the certificate for deepaksapkale.com.
Now when I try to get a new certificate I get the same error "Error creating new order: too many certificates".
So at the moment, the deepaksapkale.com certificate is not able to renew, and the other site, even though the certificate was re-fetched, is still down and throws the error "ERR_SSL_PROTOCOL_ERROR".
My domain is:
deepaksapkale.com ( tried deleting it, now cannot renew)
researchtech.net (renews successfully manually but site still not accessible)

please help

This is just for your problem with researchtech.net

I tried to curl your site and got this error:

curl -I https://researchtech.net

curl: (35) error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding

This can happen if you edit the certificate and add the wrong line endings. I see your server is Windows IIS so could you have manually edited the cert with an editor which put CRLF as line endings when they should just be LF? If you did not do that, then review the other steps you took after the cert was made - something changed the cert.

What client are you using to request certs?

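As an added illustration of the line-ending theory above (my own script, not code from the thread, from Certify The Web or from the poster): a check you can run against the PEM file actually on disk before blaming the CA. It reports CRLF line endings, rejects bodies that are not clean base64, and checks that the outer DER SEQUENCE length matches what is there, which catches a body that lost a line in an editor. The PEM bodies below are constructed stand-ins (a five-byte DER blob), not real certificates.

```python
import base64
import binascii
import re

# Constructed sample body: a minimal DER SEQUENCE { INTEGER 5 } (hex 30 03 02 01 05)
# standing in for a certificate. It is NOT a real certificate; only PEM framing,
# line endings and the outer DER length are checked, not the X.509 contents.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()  # "MAMCAQU="

GOOD_PEM = "-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64 + "\n-----END CERTIFICATE-----\n"
# The same file after an editor saved it with Windows (CRLF) line endings.
CRLF_PEM = GOOD_PEM.replace("\n", "\r\n")
# A stray character pasted into the base64 body.
CORRUPT_PEM = GOOD_PEM.replace(SAMPLE_B64, SAMPLE_B64[:2] + "*" + SAMPLE_B64[2:])
# A body cut short (a lost line), so the DER header promises more bytes than exist.
TRUNCATED_PEM = GOOD_PEM.replace(SAMPLE_B64, base64.b64encode(SAMPLE_DER[:3]).decode())

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def der_length_ok(der: bytes) -> bool:
    """True if the outer DER SEQUENCE header length equals the bytes that follow it."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        hdr, length = 2, first
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)


def check_pem(text: str) -> dict:
    """Raw findings: CRLF count plus base64/DER status of every PEM block."""
    report = {"crlf_count": text.count("\r\n"), "blocks": []}
    for label, body in BLOCK_RE.findall(text):
        raw = body.replace("\r", "").replace("\n", "")
        entry = {"label": label, "base64_ok": False, "der_ok": False}
        try:
            der = base64.b64decode(raw, validate=True)  # strict: no stray characters
            entry["base64_ok"] = True
            entry["der_ok"] = der_length_ok(der)
        except (binascii.Error, ValueError):
            pass
        report["blocks"].append(entry)
    return report


def pem_problems(text: str) -> list:
    """Human-readable list of problems; empty list means the file looks sane."""
    r = check_pem(text)
    problems = []
    if r["crlf_count"]:
        problems.append(f"{r['crlf_count']} CRLF line endings (convert to LF)")
    if not r["blocks"]:
        problems.append("no PEM blocks found")
    for i, b in enumerate(r["blocks"]):
        if not b["base64_ok"]:
            problems.append(f"block {i} ({b['label']}): body is not valid base64")
        elif not b["der_ok"]:
            problems.append(f"block {i} ({b['label']}): DER length does not match body")
    return problems


if __name__ == "__main__":
    for name, pem in [("good", GOOD_PEM), ("crlf", CRLF_PEM),
                      ("corrupt", CORRUPT_PEM), ("truncated", TRUNCATED_PEM)]:
        print(name, pem_problems(pem) or "OK")
```

On a real server, feed it the contents of the chain.pem/fullchain.pem (or the exported PEM) that IIS is actually serving; an empty list means the framing is fine and the fault is elsewhere (bindings, trust store), while a CRLF or DER-length finding points straight at a hand edit.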

Hi
I did not change anything. In fact the site was last updated by me 2 months ago. Only yesterday I received an email from Certify that auto renewal is failing. Before that the site was working. This is definitely from the Certify side because I haven't done any changes.
About the file you are talking about, where can we modify it?

@consultdeepak I do not know what to tell you. Someone changed the certificates on your site recently and they are no longer working. The current cert was issued Oct 1. See:
https://crt.sh/?Identity=researchtech.net&deduplicate=Y

Also:

from openssl:

Certificate chain
 0 s:/CN=researchtech.net
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

subject= /CN=researchtech.net
issuer= /C=US/O=Let's Encrypt/CN=R3
notBefore=Oct  1 13:33:03 2021 GMT
notAfter=Dec 30 13:33:02 2021 GMT

There may have been an auto-renewal on Oct 1. But, no normal Lets Encrypt client would produce broken certificates.

The chain above is the 'short chain'. Maybe someone got the default 'long chain' and manually edited it to create the 'short chain' and broke it. That would be my guess.

And mine too.
Have a look at the chain.pem or fullchain.pem files being served.

Also, maybe quicker to the chase, who else can admin that server?
Have you spoken with them about this?


@consultdeepak Are you using the Certify the Web client? If so, you might want to refer to this topic of theirs:

There are a number of topics which talk about some of your errors.

Hi,

Your renewal is failing because your service has an outdated root certificate store and it doesn't (or didn't) know what ISRG Root X1 was, which caused the PFX build/verify to fail. You subsequently hit the rate limit because Certify The Web saw the renewal failed and tried again later. Until recently a PFX build failure was a rare occurrence, not so now, clearly we need to think of ways around this particular problem in the future.

To recover:

  • Install the latest version of Certify The Web (v5.5.5), this will ensure your trust store is in good shape.
  • Reboot your server to clear cached chains
  • Manually edit your website https bindings in IIS to set your certificate back to a recent version (Certify The Web only cleans up expired certs by default).

You will now have normal working websites.

Then you need to fix whatever renewal setup you deleted, I'd suggest waiting a week for your Let's Encrypt rate limits to expire then try your renewal again. If you already have it all setup and it's just failing, the app will recover automatically when your Let's Encrypt rate limits expires. Alternatively you can switch to a different certificate authority.

The weird openssl error @MikeMcQ pointed out is indeed very unusual, I'm assuming that will be OK once you've rebooted and fixed your https bindings.

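As an added illustration of the rate-limit part of the reply above (my own script, not code from the thread or from Certify The Web): how a renewal client should treat the "too many certificates" error. It recognises the ACME rateLimited problem type (the type URN from RFC 8555 that Let's Encrypt returns), and works out from the recent issuance timestamps when the next order fits under the limit instead of retrying blindly. The issuance dates are constructed, and the assumption that the limit hit here is the duplicate-certificate limit (5 per 7-day sliding window for the same set of names) is mine; the thread only says "too many certificates".

```python
import json
from datetime import datetime, timedelta, timezone

# Let's Encrypt's published duplicate-certificate limit: 5 certificates per
# sliding 7-day window for the exact same set of names. Assumed (not stated
# in the thread) to be the limit behind "too many certificates" here.
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)

# Constructed issuance timestamps, standing in for what crt.sh would list after
# a client re-ordered once a day because each PFX build failed after issuance.
ISSUED = [datetime(2021, 10, d, 13, 33, 3, tzinfo=timezone.utc) for d in range(2, 7)]
NOW = datetime(2021, 10, 8, 14, 30, tzinfo=timezone.utc)

# Constructed ACME problem document in the shape RFC 8555 defines; the type URN
# is the real one returned for rate limits, the detail text is illustrative.
RATE_LIMIT_PROBLEM = json.dumps({
    "type": "urn:ietf:params:acme:error:rateLimited",
    "detail": "Error creating new order :: too many certificates already issued",
    "status": 429,
})


def is_rate_limited(problem_body: str) -> bool:
    """True if an ACME error response carries the rateLimited problem type."""
    try:
        doc = json.loads(problem_body)
    except json.JSONDecodeError:
        return False
    return doc.get("type") == "urn:ietf:params:acme:error:rateLimited"


def issued_in_window(issued, now, window=WINDOW):
    """Issuances that still count at `now`; the window is (now - 7d, now]."""
    return sorted(t for t in issued if now - window < t <= now)


def next_allowed(issued, now, limit=DUPLICATE_LIMIT, window=WINDOW):
    """Earliest time a new order for the same names fits under the limit.
    Returns `now` itself when an order is allowed immediately."""
    recent = issued_in_window(issued, now, window)
    if len(recent) < limit:
        return now
    # Enough old issuances must slide out of the window that fewer than `limit`
    # remain; the last one that has to drop out is the limit-th most recent.
    return recent[-limit] + window


def backoff_until(problem_body, issued, now):
    """What a renewal job should do with an order error: None means it was not a
    rate limit (retry or investigate now); otherwise the time to schedule the retry."""
    if not is_rate_limited(problem_body):
        return None
    return next_allowed(issued, now)


if __name__ == "__main__":
    print("in window:", len(issued_in_window(ISSUED, NOW)))
    print("retry at:", backoff_until(RATE_LIMIT_PROBLEM, ISSUED, NOW))
```

The point the reply makes still applies: the orders that hit the limit had all succeeded at the CA, and the certificates are on crt.sh. A client that keeps the already-issued certificate around and only retries the local PFX build avoids burning those slots in the first place.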


I have updated Certify The Web to 5.5.5, rebooted the server, and the IIS bindings are set to the latest certificate, but the issue still persists.

Thanks, ok that was steps 1 & 2, have you recreated your IIS https bindings yet?


Yes, I deleted the binding and reapplied it, but it still shows the same problem. This is what shows in bindings: [screenshot image_2021-10-08_143021]

Great! Your researchtech.net website is now working.

If you now have your managed certificate set up and ready to renew in Certify The Web you just need to wait until your Let's Encrypt rate limit expires in a few days then your renewals will start again as normal. I would suggest checking them in a couple of weeks to make sure it's all renewing ok.

For your deepaksapkale.com website you still need to fix the https bindings as it's currently incorrectly using the cert for researchtech.net.


I did the same thing with researchtech.net and it was not working, but now suddenly it is working. About deepaksapkale.com, I had deleted the binding yesterday, and I can't re-issue until the limit expires, so I will be using deepaksapkale.com without SSL until this limit expires.

One thing I am sure of: whenever I make changes, they don't reflect. So either Amazon AWS is doing something or Certify The Web is, because a few hours ago I also applied the same certificate from the list, rebooted and restarted IIS, and things didn't change.
