Error rate limit when trying to renew

I’m trying to renew my SSL as it expired today and I’m receiving this (domain hidden for privacy reasons):

root@web:~# /opt/letsencrypt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/storage.py", line 462, in __init__
    self._check_symlinks()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/storage.py", line 521, in _check_symlinks
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/example.com-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/example.com-0001.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: example.com: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid:
  /etc/letsencrypt/renewal/example.com-0001.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 1 parse failure(s)

Please answer the questionnaire, without hiding your domain.

Additionally, please show “ls -alR /etc/letsencrypt/{archive,live,renewal}”.

It’s likely that Certbot’s directory structure is damaged, and every time you run renew it (tries to) issue a certificate and subsequently fails to save it.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

The command produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

1 Like

My domain is:

https://crt.sh/?q=hack.bg

The command output:

ls -alR /etc/letsencrypt/{archive,live,renewal}

root@hack-web:~# ls -alR /etc/letsencrypt/{archive,live,renewal}
/etc/letsencrypt/archive:
total 20
drwx------ 5 root root 4096 Apr 12 08:29 .
drwxr-xr-x 9 root root 4096 Apr 13 12:35 ..
drwxr-xr-x 2 root root 4096 Apr 12 08:36 hack.bg
drwxr-xr-x 2 root root 4096 Jan 12 09:13 hack.bg-0001
drwxr-xr-x 2 root root 4096 Oct 30 22:57 hack.bg.archive

/etc/letsencrypt/archive/hack.bg:
total 88
drwxr-xr-x 2 root root 4096 Apr 12 08:36 .
drwx------ 5 root root 4096 Apr 12 08:29 ..
-rw-r--r-- 1 root root 1793 Apr 12 08:36 cert1.pem
-rw-r--r-- 1 root root 2147 Apr 12 08:36 cert2.pem
-rw-r--r-- 1 root root 2151 Apr 12 08:36 cert3.pem
-rw-r--r-- 1 root root 2147 Apr 12 08:36 cert4.pem
-rw-r--r-- 1 root root 2151 Apr 12 08:36 cert5.pem
-rw-r--r-- 1 root root 1647 Apr 12 08:36 chain1.pem
-rw-r--r-- 1 root root 1647 Apr 12 08:36 chain2.pem
-rw-r--r-- 1 root root 1647 Apr 12 08:36 chain3.pem
-rw-r--r-- 1 root root 1647 Apr 12 08:36 chain4.pem
-rw-r--r-- 1 root root 1647 Apr 12 08:36 chain5.pem
-rw-r--r-- 1 root root 3440 Apr 12 08:36 fullchain1.pem
-rw-r--r-- 1 root root 3794 Apr 12 08:36 fullchain2.pem
-rw-r--r-- 1 root root 3798 Apr 12 08:36 fullchain3.pem
-rw-r--r-- 1 root root 3794 Apr 12 08:36 fullchain4.pem
-rw-r--r-- 1 root root 3798 Apr 12 08:36 fullchain5.pem
-rw-r--r-- 1 root root 1704 Apr 12 08:36 privkey1.pem
-rw-r--r-- 1 root root 1704 Apr 12 08:36 privkey2.pem
-rw-r--r-- 1 root root 1704 Apr 12 08:36 privkey3.pem
-rw-r--r-- 1 root root 1708 Apr 12 08:36 privkey4.pem
-rw-r--r-- 1 root root 1708 Apr 12 08:36 privkey5.pem

/etc/letsencrypt/archive/hack.bg-0001:
total 24
drwxr-xr-x 2 root root 4096 Jan 12 09:13 .
drwx------ 5 root root 4096 Apr 12 08:29 ..
-rw-r--r-- 1 root root 1891 Jan 12 09:13 cert1.pem
-rw-r--r-- 1 root root 1647 Jan 12 09:13 chain1.pem
-rw-r--r-- 1 root root 3538 Jan 12 09:13 fullchain1.pem
-rw-r--r-- 1 root root 1708 Jan 12 09:13 privkey1.pem

/etc/letsencrypt/archive/hack.bg.archive:
total 88
drwxr-xr-x 2 root root 4096 Oct 30 22:57 .
drwx------ 5 root root 4096 Apr 12 08:29 ..
-rw-r--r-- 1 root root 1793 Feb 20 2018 cert1.pem
-rw-r--r-- 1 root root 2147 May 3 2018 cert2.pem
-rw-r--r-- 1 root root 2151 May 3 2018 cert3.pem
-rw-r--r-- 1 root root 2147 Aug 1 2018 cert4.pem
-rw-r--r-- 1 root root 2151 Oct 30 22:57 cert5.pem
-rw-r--r-- 1 root root 1647 Feb 20 2018 chain1.pem
-rw-r--r-- 1 root root 1647 May 3 2018 chain2.pem
-rw-r--r-- 1 root root 1647 May 3 2018 chain3.pem
-rw-r--r-- 1 root root 1647 Aug 1 2018 chain4.pem
-rw-r--r-- 1 root root 1647 Oct 30 22:57 chain5.pem
-rw-r--r-- 1 root root 3440 Feb 20 2018 fullchain1.pem
-rw-r--r-- 1 root root 3794 May 3 2018 fullchain2.pem
-rw-r--r-- 1 root root 3798 May 3 2018 fullchain3.pem
-rw-r--r-- 1 root root 3794 Aug 1 2018 fullchain4.pem
-rw-r--r-- 1 root root 3798 Oct 30 22:57 fullchain5.pem
-rw-r--r-- 1 root root 1704 Feb 20 2018 privkey1.pem
-rw-r--r-- 1 root root 1704 May 3 2018 privkey2.pem
-rw-r--r-- 1 root root 1704 May 3 2018 privkey3.pem
-rw-r--r-- 1 root root 1708 Aug 1 2018 privkey4.pem
-rw-r--r-- 1 root root 1708 Oct 30 22:57 privkey5.pem

/etc/letsencrypt/live:
total 16
drwx------ 4 root root 4096 Jan 12 09:24 .
drwxr-xr-x 9 root root 4096 Apr 13 12:35 ..
drwxr-xr-x 2 root root 4096 Apr 12 08:31 hack.bg
drwxr-xr-x 2 root root 4096 Oct 30 22:57 hack.bg.old

/etc/letsencrypt/live/hack.bg:
total 12
drwxr-xr-x 2 root root 4096 Apr 12 08:31 .
drwx------ 4 root root 4096 Jan 12 09:24 ..
lrwxrwxrwx 1 root root 36 Apr 12 08:31 cert.pem -> ../../archive/hack.bg-0001/cert1.pem
lrwxrwxrwx 1 root root 37 Apr 12 08:31 chain.pem -> ../../archive/hack.bg-0001/chain1.pem
lrwxrwxrwx 1 root root 41 Apr 12 08:31 fullchain.pem -> ../../archive/hack.bg-0001/fullchain1.pem
lrwxrwxrwx 1 root root 39 Apr 12 08:31 privkey.pem -> ../../archive/hack.bg-0001/privkey1.pem
-rw-r--r-- 1 root root 543 Jan 12 09:13 README

/etc/letsencrypt/live/hack.bg.old:
total 12
drwxr-xr-x 2 root root 4096 Oct 30 22:57 .
drwx------ 4 root root 4096 Jan 12 09:24 ..
lrwxrwxrwx 1 root root 31 Oct 30 22:57 cert.pem -> ../../archive/hack.bg/cert5.pem
lrwxrwxrwx 1 root root 32 Oct 30 22:57 chain.pem -> ../../archive/hack.bg/chain5.pem
lrwxrwxrwx 1 root root 36 Oct 30 22:57 fullchain.pem -> ../../archive/hack.bg/fullchain5.pem
lrwxrwxrwx 1 root root 34 Oct 30 22:57 privkey.pem -> ../../archive/hack.bg/privkey5.pem
-rw-r--r-- 1 root root 543 Feb 20 2018 README

/etc/letsencrypt/renewal:
total 16
drwxr-xr-x 2 root root 4096 Apr 12 14:20 .
drwxr-xr-x 9 root root 4096 Apr 13 12:35 ..
-rw-r--r-- 1 root root 517 Jan 12 09:13 hack.bg-0001.conf
-rw-r--r-- 1 root root 494 Apr 12 08:31 hack.bg.conf

The operating system is:

Ubuntu 17.10 (GNU/Linux 4.13.0-39-generic x86_64)

The hosting is:

Linode

I can login to a root shell on my machine (yes or no, or I don’t know): YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO
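The damaged layout suspected earlier in the thread can be checked mechanically. The following is an added example, not part of the original posts and not Certbot's own code: it assumes the default layout in which `renewal/<name>.conf` pairs with `live/<name>/` whose four links resolve into `archive/<name>/`, and it runs against a constructed tree that mirrors the listing above (the function names are hypothetical).

```python
import os

LINKS = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")

def audit_lineages(config_dir):
    """Return (lineage, problem) findings for a Certbot-style config directory."""
    findings = []
    for conf in sorted(os.listdir(os.path.join(config_dir, "renewal"))):
        if not conf.endswith(".conf"):
            continue
        name = conf[:-len(".conf")]
        live = os.path.join(config_dir, "live", name)
        # Assumption: default layout, live/<name>/ links into archive/<name>/.
        archive = os.path.realpath(os.path.join(config_dir, "archive", name))
        if not os.path.isdir(live):
            findings.append((name, "live directory missing"))
            continue
        for link in LINKS:
            path = os.path.join(live, link)
            if not os.path.islink(path):
                findings.append((name, link + ": not a symlink"))
            elif not os.path.exists(path):  # exists() follows the link
                findings.append((name, link + ": dangling symlink"))
            elif os.path.dirname(os.path.realpath(path)) != archive:
                findings.append((name, link + ": target is outside archive/" + name))
    return findings

def build_sample_tree(root):
    """Constructed tree mirroring the listing above (empty placeholder files)."""
    for lineage, versions in (("hack.bg", 5), ("hack.bg-0001", 1)):
        os.makedirs(os.path.join(root, "archive", lineage))
        for n in range(1, versions + 1):
            for link in LINKS:
                stem = link[:-len(".pem")]
                open(os.path.join(root, "archive", lineage, "%s%d.pem" % (stem, n)), "w").close()
    os.makedirs(os.path.join(root, "live", "hack.bg"))
    os.makedirs(os.path.join(root, "renewal"))
    for link in LINKS:
        stem = link[:-len(".pem")]
        os.symlink("../../archive/hack.bg-0001/%s1.pem" % stem,
                   os.path.join(root, "live", "hack.bg", link))
    for conf in ("hack.bg.conf", "hack.bg-0001.conf"):
        open(os.path.join(root, "renewal", conf), "w").close()

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, problem in audit_lineages(tmp):
            print(name, "->", problem)
```

On the constructed tree this reports the missing `live/hack.bg-0001` directory and four `live/hack.bg` links that resolve into the other lineage's archive.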

Hi @what

Removing the precertificates, you have created 5 identical certificates in less than 10 minutes ( https://check-your-website.server-daten.de/?q=hack.bg ):

| CRT-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 1381707852 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-04-12 05:34:28 | 2019-07-11 05:34:28 | hack.bg | duplicate nr. 5 | next Letsencrypt certificate: 2019-04-19 05:27:18 |
| 1381697596 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-04-12 05:30:56 | 2019-07-11 05:30:56 | hack.bg | duplicate nr. 4 | |
| 1381693096 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-04-12 05:29:39 | 2019-07-11 05:29:39 | hack.bg | duplicate nr. 3 | |
| 1381693094 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-04-12 05:28:48 | 2019-07-11 05:28:48 | hack.bg | duplicate nr. 2 | |
| 1381685219 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-04-12 05:27:18 | 2019-07-11 05:27:18 | hack.bg | duplicate nr. 1 | |

Looks like hack.bg.old cert5 is your last certificate.

So you should have enough certificates.

What does this say:

certbot certificates

What's the result of

certbot update_symlinks
1 Like

What does this say:
certbot certificates

root@hack-web:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 0.33.1 renewal configuration file found at /etc/letsencrypt/renewal/hack.bg.conf with version 0.17.0 of Certbot. This might not work.
Revocation status for /etc/letsencrypt/live/hack.bg/cert.pem is unknown

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: hack.bg-0001
    Domains: hack.bg
    Expiry Date: 2019-04-12 08:13:51+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/hack.bg-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hack.bg-0001/privkey.pem
  Certificate Name: hack.bg
    Domains: hack.bg,www.hack.bg
    Expiry Date: 2018-05-21 08:37:02+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/hack.bg/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hack.bg/privkey.pem
-------------------------------------------------------------------------------

What's the result of
certbot update_symlinks

root@hack-web:~# certbot update_symlinks
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 0.33.1 renewal configuration file found at /etc/letsencrypt/renewal/hack.bg.conf with version 0.17.0 of Certbot. This might not work.

Looks like you have changed a lot of things.

Perhaps:

Copy the 5* files from

/etc/letsencrypt/archive/hack.bg

to another place. Find your Apache vHost of that domain, then use these files directly. Recheck your domain if the certificate is valid.

One week later, delete the content of live/, archive/ and renewal/ (first, make a backup), then start new.

The 5th one says “Expired: Monday, 28 January 2019 at 23:57:21 Eastern European Standard Time”.

Then check all other certificates.

There are two options:

  • You have a valid certificate
  • You have to wait

You can create a new certificate with another set of domain names. But your Certbot doesn’t work, so that solution may not work.

Or you use another client to create a certificate with another set of domain names (non-www and www).

Or you use another client to create a certificate with another set of domain names (non-www and www).

When I try issuing a certificate on another client it won't accept the webroot I've provided as it is not present there. Is there some workaround?

Another Letsencrypt client software.

Or use certbot on another machine and use dns + --manual + certonly, that should always work. Then you don’t need a running webserver.

1 Like

Thank you 🙂 @JuergenAuer

Now you have created a new certificate with both domain names ( https://check-your-website.server-daten.de/?q=hack.bg ):

CN=www.hack.bg | 13.04.2019 | 12.07.2019 | expires in 90 days | hack.bg, www.hack.bg - 2 entries

But there are some errors.

Your non-www works, your www uses the old certificate:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://hack.bg/ 172.104.234.16 | 301 | https://hack.bg/ | 0.034 | A |
| http://hack.bg/ 2a01:7e01::f03c:91ff:fe7f:e19f | 301 | https://hack.bg/ | 0.036 | A |
| http://www.hack.bg/ 172.104.234.16 | 301 | https://www.hack.bg/ | 0.053 | A |
| http://www.hack.bg/ 2a01:7e01::f03c:91ff:fe7f:e19f | 301 | https://www.hack.bg/ | 0.033 | A |
| https://www.hack.bg/ 172.104.234.16 | 301 | https://hack.bg/ | 0.533 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| https://www.hack.bg/ 2a01:7e01::f03c:91ff:fe7f:e19f | 301 | https://hack.bg/ | 0.223 | N |
| Certificate error: RemoteCertificateChainErrors | | | | |
| https://hack.bg/ 172.104.234.16 | 200 | | 0.637 | B |
| https://hack.bg/ 2a01:7e01::f03c:91ff:fe7f:e19f | 200 | | 0.327 | B |

And your chain is wrong - duplicate certificates:

Chain - duplicate certificates:
1 CN=www.hack.bg
2 CN=www.hack.bg
3 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US

Looks like you use cert.pem and fullchain.pem, remove cert.pem.

1 Like
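The duplicate-leaf chain reported in the last reply is what results when a server is given both cert.pem and fullchain.pem. The following added example (not part of the original posts) detects that condition in a PEM bundle by fingerprinting each block; the PEM bodies are constructed stand-ins rather than real certificates, and the function names are hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def chain_fingerprints(pem_text):
    """SHA-256 fingerprint of each certificate block in a PEM bundle, in order."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]

def duplicate_positions(pem_text):
    """Return (position, first_seen_position) for each repeated block (1-based)."""
    seen, dupes = {}, []
    for pos, fp in enumerate(chain_fingerprints(pem_text), start=1):
        if fp in seen:
            dupes.append((pos, seen[fp]))
        else:
            seen[fp] = pos
    return dupes

def fake_pem(label):
    """Constructed stand-in: arbitrary bytes in PEM armor, not a real certificate."""
    body = base64.b64encode(label.encode() * 8).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

# Constructed sample files, named after the Certbot files discussed in the thread.
LEAF = fake_pem("leaf CN=www.hack.bg")
INTERMEDIATE = fake_pem("intermediate CN=Let's Encrypt Authority X3")
CERT_PEM = LEAF                        # cert.pem: leaf only
FULLCHAIN_PEM = LEAF + INTERMEDIATE    # fullchain.pem: leaf + intermediate

SERVED_BAD = CERT_PEM + FULLCHAIN_PEM  # both files configured: leaf sent twice
SERVED_GOOD = FULLCHAIN_PEM            # cert.pem removed, as suggested above

if __name__ == "__main__":
    print("bad :", duplicate_positions(SERVED_BAD))
    print("good:", duplicate_positions(SERVED_GOOD))
```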
