Error finalizing order :: too many certificates already issued for exact set of domains


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.nabu-willich.de

I ran this command: letsencrypt-auto renew

It produced this output:
Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator apache, Installer apache

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for www.nabu-willich.de

Waiting for verification…

Cleaning up challenges

Attempting to renew cert (www.nabu-willich.de) from /etc/letsencrypt/renewal/www.nabu-willich.de.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: www.nabu-willich.de: see https://letsencrypt.org/docs/rate-limits/. Skipping.

My web server is (include version): apache 2.4.18-2ubuntu3.9

The operating system my web server runs on is (include version): ubuntu 16.04

My hosting provider, if applicable, is: strato

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.19.0

At the website https://crt.sh/?q=www.nabu-willich.de I see there are more than 100 certificates, the last created on 20 Jan 2019, but not created by me. Is it possible we have a security problem?
Please help. Thank you!


#2

Indeed, something has been spam-renewing your certificate:

| Rate Limit | Current Status | Domain |
|---|---|---|
| 50 Certificates per Registered Domain per week | OK (5 / 50 this week.) | nabu-willich.de |
| 5 Duplicate Certificates per week | Limit exceeded. Next issuable at 2019-01-25T22:15:55.000Z | www.nabu-willich.de |

Summary generated at https://tools.letsdebug.net/cert-search?m=domain&q=www.nabu-willich.de&d=168 .

In all likelihood, it was by your Certbot installation. You can check how many you are responsible for with something like:

sudo grep -R "Writing certificate to" /var/log/letsencrypt | wc -l

The very first thing you should do is upgrade Certbot by visiting https://certbot.eff.org , and we can go from there.

Having a certificate that is being renewed every day but not successfully installing to your webserver is a pretty good sign that something is going wrong inside Certbot. It may be a bug that was fixed in the long interval since 0.19 was released, so it’s really important to upgrade first and then work on fixing the issue.


#3

This is somewhat “outdated”.

Can you show the complete job that runs to renew your certs?


#4

Thank you!
I am running this command:

grep -R "Writing certificate to" /var/log/letsencrypt | wc -l
53

but this includes all other domains.
Only for the domain www.nabu-willich.de:

grep -R "Writing certificate to" /var/log/letsencrypt | grep www.nabu-willich.de

/var/log/letsencrypt/letsencrypt.log.415:2018-07-09 13:13:05,122:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/live/www.nabu-willich.de-0001/cert.pem.

==> only 1 request

I will upgrade certbot and try again to renew the certificate …


#5

Wow. That is a very long time ago.

I wonder if Certbot has been failing before the point where it writes the certificate to disk, but after it has caused the CA to renew the certificate.

You might be able to find a much more recent logfile involving that domain:

grep -RE 'value": "www.nabu-willich.de"' /var/log/letsencrypt

and check for the failure reason in those. You will need to ignore all of the ones that report a rate limit issue, but there should be a few with the real failure reason.
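The two log checks suggested in #2 and #5 (count how many certificates this Certbot has actually written for the domain, then find the last renewal failure that is not a rate-limit message) can be scripted; this is an added example, not code from the thread, and it runs against a constructed log directory with made-up timestamps rather than /var/log/letsencrypt.

```sh
#!/bin/sh
# Build a constructed certbot log directory (sample data, not real logs).
setup_sample_logs() {
  dir=$(mktemp -d)
  cat > "$dir/letsencrypt.log.415" <<'EOF'
2018-07-09 13:13:05,122:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/live/www.nabu-willich.de-0001/cert.pem.
EOF
  cat > "$dir/letsencrypt.log.300" <<'EOF'
2018-09-09 22:21:25,524:WARNING:certbot.renewal:Attempting to renew cert (www.nabu-willich.de) from /etc/letsencrypt/renewal/www.nabu-willich.de.conf produced an unexpected error: [Errno 2] No such file or directory: '/etc/letsencrypt/archive/www.nabu-willich.de/privkey2.pem'. Skipping.
EOF
  cat > "$dir/letsencrypt.log.1" <<'EOF'
2019-01-20 03:10:02,001:WARNING:certbot.renewal:Attempting to renew cert (www.nabu-willich.de) from /etc/letsencrypt/renewal/www.nabu-willich.de.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: www.nabu-willich.de: see https://letsencrypt.org/docs/rate-limits/. Skipping.
EOF
  echo "$dir"
}

# count_writes LOGDIR DOMAIN: certificates Certbot wrote to disk for DOMAIN,
# including "-0001"-style duplicate lineages of the same name.
count_writes() {
  grep -Rh "Writing certificate to" "$1" | grep -cF "/live/$2" || true
}

# last_real_failure LOGDIR DOMAIN: most recent renewal error for DOMAIN that
# is not itself a rate-limit rejection (those only hide the original cause).
# Log lines start with a timestamp, so a plain sort is chronological.
last_real_failure() {
  grep -RhF "Attempting to renew cert ($2)" "$1" | grep -v rateLimited | sort | tail -n 1
}

SAMPLE_DIR=$(setup_sample_logs)
echo "certificates written for www.nabu-willich.de: $(count_writes "$SAMPLE_DIR" www.nabu-willich.de)"
echo "last non-rate-limit failure: $(last_real_failure "$SAMPLE_DIR" www.nabu-willich.de)"
```

A large gap between the certificates the CA logs on crt.sh and the count this script reports is the signature of the situation in this thread: orders completed at the CA but nothing reached disk.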


#6

certbot is upgraded to:

certbot 0.28.0

Possibly the real problem was this (the last error before the rate-limit problems):

2018-09-09 22:21:25,524:WARNING:certbot.renewal:Attempting to renew cert (www.nabu-willich.de) from /etc/letsencrypt/renewal/www.nabu-willich.de.conf produced an unexpected error: [Errno 2] No such file or directory: '/etc/letsencrypt/archive/www.nabu-willich.de/privkey2.pem'. Skipping.

But: why do we have more than 100 certificates and no valid key??


#7

Hmmm. I think errors like that can happen when the /etc/letsencrypt/archive/ directory is interfered with manually (so things like symlinks get messed up). What then happens is that during renewal, the regular renewal process can break down because of some assumptions that Certbot relies on.

ls -la /etc/letsencrypt/live/www.nabu-willich.de/
ls -la /etc/letsencrypt/archive/www.nabu-willich.de/

BTW, the 100 certificates are more like 50; half of them are pre-certificate duplicates for Certificate Transparency purposes.
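The assumption Certbot relies on, as described in #7, is that every symlink in live/<name>/ resolves to an existing file in archive/<name>/; the check below verifies that, as an added example (not from the thread or Certbot), on a constructed directory tree with one deliberately dangling privkey.pem link and a made-up domain name.

```sh
#!/bin/sh
# Build a constructed /etc/letsencrypt-style tree (sample data, not a real install).
setup_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/archive/www.example.test" "$root/live/www.example.test"
  for f in cert chain fullchain privkey; do
    echo "$f" > "$root/archive/www.example.test/${f}1.pem"
  done
  # Generation 1 is the only one that exists; cert/chain/fullchain point at it...
  for f in cert chain fullchain; do
    ln -s "../../archive/www.example.test/${f}1.pem" "$root/live/www.example.test/$f.pem"
  done
  # ...but privkey.pem was repointed by hand to a generation that was never written
  # (constructed fault, mirroring the "privkey2.pem: No such file" error in #6).
  ln -s "../../archive/www.example.test/privkey2.pem" "$root/live/www.example.test/privkey.pem"
  echo "$root"
}

# check_live_links ROOT: print every live/*/*.pem entry that is not a symlink or
# whose target does not exist; return 1 if anything is wrong, 0 if all resolve.
check_live_links() {
  bad=0
  for link in "$1"/live/*/*.pem; do
    if [ ! -L "$link" ]; then
      echo "not a symlink: $link"; bad=1
    elif [ ! -e "$link" ]; then
      echo "dangling: $link -> $(readlink "$link")"; bad=1
    fi
  done
  return $bad
}

# count_dangling ROOT: number of dangling live symlinks (0 when the tree is consistent).
count_dangling() {
  check_live_links "$1" | grep -c '^dangling' || true
}

SAMPLE_ROOT=$(setup_sample_tree)
check_live_links "$SAMPLE_ROOT" || echo "live/ and archive/ are out of sync under $SAMPLE_ROOT"
```

Once the links are repointed at files that actually exist in archive/, `certbot certificates` should list the lineage without errors and the next `renew` can write to disk again.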


#8

I changed the configuration of archive dir and it works now!
Thank you for support!

