Error finalizing order :: too many certificates already issued

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: core.fidelissd.com

I ran this command: letsencrypt certonly --standalone --renew-by-default -d core.fidelissd.com
It produced this output:
An unexpected error occurred:
There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: core.fidelissd.com: see https://letsencrypt.org/docs/rate-limits/
P
My web server is (include version):Apache/2.4.25 (Ubuntu)

The operating system my web server runs on is (include version):Ubuntu

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): NA

2

Even when I am checking the limit using the debug URL it still says I’ve not exhaused the limit, link to check limit exhaustion below
https://tools.letsdebug.net/cert-search?m=domain&q=core.fidelissd.com&d=168

3

Hi @ermandeepsidhu

there are a lot of certificates created:

Two yesterday, one 2019-03-01, two 2019-02-28 etc.

Why don't you use one of these certificates?

Create one certificate, then use it 60 - 85 days, then create the next.

1 Like
4

Thank you for your prompt response Juergen, but I only ran the command to issue two other certificates yesterday partner.fidelissd.com and cdn.fidelissd.com using the command below

letsencrypt certonly --standalone --renew-by-default -d partner.fidelissd.com

letsencrypt certonly --standalone --renew-by-default -d cdn.fidelissd.com

letsencrypt certonly --standalone --renew-by-default -d core.fidelissd.com (Failed on this one)

Additionally, where can I see the generated certificates on the server if at all they exist? I don’t mind using them if they are valid.

5

First update your client. "Letsencrypt" is very old, too old. You may use tls-sni-01 - validation, this is deprecated, support ends 2019-03-~~.

Use

certbot certificates

to check the certificates.

6

Thanks again, that was helpful, I’ve downloaded the PEM file from the link you shared, but the private key .pem doesn’t match now, where should I look to download that?

7

The private key is private, nothing to share.

So if you don't have the private key (if you have deleted it), you have to wait.

8

I am assuming the private key file is generated every time? If not can I use one of my old cert renewal private key files? The question is, when the certbot was auto renewing these certs, where was it placing the private key files? Can I please know the location of the generated files? “certbot certificates” only displays me the list of certificates in /live directory.

9

Are you completely sure you can't issue a new certificate right now? There's only 4 certificates issued for that domain in the current 7 day window, according to CT logs.

Yeah, they're in /etc/letsencrypt/keys/, but it might be tough to identify the right one.

10

Seems like it, still getting the rate limit error (logs below)
root@core:/etc/letsencrypt/live/core.fidelissd.com# certbot certonly --standalone -d core.fidelissd.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/core.fidelissd.com.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: core.fidelissd.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.
r

11

You have a valid certificate. So use that.

12

Each certificate's private key is in privkey.pem in the same live directory, if that's what you're asking.

13

I downloaded the pem file from the link you shared and uploaded it to the directory, that’s why it’s saying certificate is valid, but apche won’t start as the privatekey.pem file doesn’t match up.

14

Failing apache log
[Fri Mar 08 00:14:52.858418 2019] [ssl:emerg] [pid 26053:tid 140634018043776] AH02565: Certificate and private key core.fidelissd.com:443:0 from /etc/letsencrypt/live/core.fidelissd.com/cert.pem and /etc/letsencrypt/live/core.fidelissd.com/privkey.pem do not match

15

You can track down the correct private key, if it exists, like this:

find /etc/letsencrypt/keys -type f | xargs -I % sh -c 'openssl rsa -in % -noout -modulus | grep -q $(openssl x509 -in /etc/letsencrypt/live/core.fidelissd.com/cert.pem -noout -modulus) && echo %'

Good luck.

16

Gives no output at all.

17

Which means you don’t have the key at all, so you can forget about using that certificate. You can try with some of the other certificates you’ve issued as well.

18

Ok forgetting initiated :slight_smile: Thanks for your help!

19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.