Error rate limit when trying to renew

#1

I’m trying to renew my SSL as it expired today and I’m receiving this (domain hidden for privacy reasons):

root@web:~# /opt/letsencrypt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/storage.py", line 462, in __init__
    self._check_symlinks()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/storage.py", line 521, in _check_symlinks
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/example.com-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/example.com-0001.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: example.com: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.com/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid:
  /etc/letsencrypt/renewal/example.com-0001.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 1 parse failure(s)
#2

Please answer the questionnaire, without hiding your domain.

Additionally, please show “ls -alR /etc/letsencrypt/{archive,live,renewal}”.

It’s likely that Certbot’s directory structure is damaged, and every time you run renew it (tries to) issue a certificate and subsequently fails to save it.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

The command produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

#3

My domain is:

https://crt.sh/?q=hack.bg

The command output:

ls -alR /etc/letsencrypt/{archive,live,renewal}

root@hack-web:~# ls -alR /etc/letsencrypt/{archive,live,renewal}
/etc/letsencrypt/archive:
total 20
drwx------ 5 root root 4096 Apr 12 08:29 .
drwxr-xr-x 9 root root 4096 Apr 13 12:35 ..
drwxr-xr-x 2 root root 4096 Apr 12 08:36 hack.bg
drwxr-xr-x 2 root root 4096 Jan 12 09:13 hack.bg-0001
drwxr-xr-x 2 root root 4096 Oct 30 22:57 hack.bg.archive

/etc/letsencrypt/archive/hack.bg:
total 88
drwxr-xr-x 2 root root 4096 Apr 12 08:36 .
drwx------ 5 root root 4096 Apr 12 08:29 ..
-rw-r--r-- 1 root root 1793 Apr 12 08:36 cert1.pem
-rw-r--r-- 1 root root 2147 Apr 12 08:36 cert2.pem
-rw-r--r-- 1 root root 2151 Apr 12 08:36 cert3.pem
-rw-r--r-- 1 root root 2147 Apr 12 08:36 cert4.pem
-rw-r--r-- 1 root root 2151 Apr 12 08:36 cert5.pem
-rw-r--r-- 1 root root 1647 Apr 12 08:36 chain1.pem
-rw-r--r-- 1 root root 1647 Apr 12 08:36 chain2.pem
-rw-r--r-- 1 root root 1647 Apr 12 08:36 chain3.pem
-rw-r--r-- 1 root root 1647 Apr 12 08:36 chain4.pem
-rw-r--r-- 1 root root 1647 Apr 12 08:36 chain5.pem
-rw-r--r-- 1 root root 3440 Apr 12 08:36 fullchain1.pem
-rw-r--r-- 1 root root 3794 Apr 12 08:36 fullchain2.pem
-rw-r--r-- 1 root root 3798 Apr 12 08:36 fullchain3.pem
-rw-r--r-- 1 root root 3794 Apr 12 08:36 fullchain4.pem
-rw-r--r-- 1 root root 3798 Apr 12 08:36 fullchain5.pem
-rw-r--r-- 1 root root 1704 Apr 12 08:36 privkey1.pem
-rw-r--r-- 1 root root 1704 Apr 12 08:36 privkey2.pem
-rw-r--r-- 1 root root 1704 Apr 12 08:36 privkey3.pem
-rw-r--r-- 1 root root 1708 Apr 12 08:36 privkey4.pem
-rw-r--r-- 1 root root 1708 Apr 12 08:36 privkey5.pem

/etc/letsencrypt/archive/hack.bg-0001:
total 24
drwxr-xr-x 2 root root 4096 Jan 12 09:13 .
drwx------ 5 root root 4096 Apr 12 08:29 ..
-rw-r--r-- 1 root root 1891 Jan 12 09:13 cert1.pem
-rw-r--r-- 1 root root 1647 Jan 12 09:13 chain1.pem
-rw-r--r-- 1 root root 3538 Jan 12 09:13 fullchain1.pem
-rw-r--r-- 1 root root 1708 Jan 12 09:13 privkey1.pem

/etc/letsencrypt/archive/hack.bg.archive:
total 88
drwxr-xr-x 2 root root 4096 Oct 30 22:57 .
drwx------ 5 root root 4096 Apr 12 08:29 ..
-rw-r--r-- 1 root root 1793 Feb 20 2018 cert1.pem
-rw-r--r-- 1 root root 2147 May 3 2018 cert2.pem
-rw-r--r-- 1 root root 2151 May 3 2018 cert3.pem
-rw-r--r-- 1 root root 2147 Aug 1 2018 cert4.pem
-rw-r--r-- 1 root root 2151 Oct 30 22:57 cert5.pem
-rw-r--r-- 1 root root 1647 Feb 20 2018 chain1.pem
-rw-r--r-- 1 root root 1647 May 3 2018 chain2.pem
-rw-r--r-- 1 root root 1647 May 3 2018 chain3.pem
-rw-r--r-- 1 root root 1647 Aug 1 2018 chain4.pem
-rw-r--r-- 1 root root 1647 Oct 30 22:57 chain5.pem
-rw-r--r-- 1 root root 3440 Feb 20 2018 fullchain1.pem
-rw-r--r-- 1 root root 3794 May 3 2018 fullchain2.pem
-rw-r--r-- 1 root root 3798 May 3 2018 fullchain3.pem
-rw-r--r-- 1 root root 3794 Aug 1 2018 fullchain4.pem
-rw-r--r-- 1 root root 3798 Oct 30 22:57 fullchain5.pem
-rw-r--r-- 1 root root 1704 Feb 20 2018 privkey1.pem
-rw-r--r-- 1 root root 1704 May 3 2018 privkey2.pem
-rw-r--r-- 1 root root 1704 May 3 2018 privkey3.pem
-rw-r--r-- 1 root root 1708 Aug 1 2018 privkey4.pem
-rw-r--r-- 1 root root 1708 Oct 30 22:57 privkey5.pem

/etc/letsencrypt/live:
total 16
drwx------ 4 root root 4096 Jan 12 09:24 .
drwxr-xr-x 9 root root 4096 Apr 13 12:35 ..
drwxr-xr-x 2 root root 4096 Apr 12 08:31 hack.bg
drwxr-xr-x 2 root root 4096 Oct 30 22:57 hack.bg.old

/etc/letsencrypt/live/hack.bg:
total 12
drwxr-xr-x 2 root root 4096 Apr 12 08:31 .
drwx------ 4 root root 4096 Jan 12 09:24 ..
lrwxrwxrwx 1 root root 36 Apr 12 08:31 cert.pem -> ../../archive/hack.bg-0001/cert1.pem
lrwxrwxrwx 1 root root 37 Apr 12 08:31 chain.pem -> ../../archive/hack.bg-0001/chain1.pem
lrwxrwxrwx 1 root root 41 Apr 12 08:31 fullchain.pem -> ../../archive/hack.bg-0001/fullchain1.pem
lrwxrwxrwx 1 root root 39 Apr 12 08:31 privkey.pem -> ../../archive/hack.bg-0001/privkey1.pem
-rw-r--r-- 1 root root 543 Jan 12 09:13 README

/etc/letsencrypt/live/hack.bg.old:
total 12
drwxr-xr-x 2 root root 4096 Oct 30 22:57 .
drwx------ 4 root root 4096 Jan 12 09:24 ..
lrwxrwxrwx 1 root root 31 Oct 30 22:57 cert.pem -> ../../archive/hack.bg/cert5.pem
lrwxrwxrwx 1 root root 32 Oct 30 22:57 chain.pem -> ../../archive/hack.bg/chain5.pem
lrwxrwxrwx 1 root root 36 Oct 30 22:57 fullchain.pem -> ../../archive/hack.bg/fullchain5.pem
lrwxrwxrwx 1 root root 34 Oct 30 22:57 privkey.pem -> ../../archive/hack.bg/privkey5.pem
-rw-r--r-- 1 root root 543 Feb 20 2018 README

/etc/letsencrypt/renewal:
total 16
drwxr-xr-x 2 root root 4096 Apr 12 14:20 .
drwxr-xr-x 9 root root 4096 Apr 13 12:35 ..
-rw-r--r-- 1 root root 517 Jan 12 09:13 hack.bg-0001.conf
-rw-r--r-- 1 root root 494 Apr 12 08:31 hack.bg.conf

The operating system is:

Ubuntu 17.10 (GNU/Linux 4.13.0-39-generic x86_64)

The hosting is:

Linode

I can login to a root shell on my machine (yes or no, or I don’t know): YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO
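
An added example, not part of the original thread: a read-only shell check for the damage suspected in post #2 and visible in the listing above. It assumes Certbot's default layout (`renewal/NAME.conf`, with `live/NAME/` linking into `archive/NAME/`); the function name and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: read-only audit of a Certbot configuration tree.
# Assumption: default layout, i.e. renewal/NAME.conf, live/NAME/ and
# archive/NAME/ all share the same lineage name.

audit_lineages() (
    root=$1
    # Every renewal config needs a live directory with four symlinks.
    for conf in "$root"/renewal/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        if [ ! -d "$root/live/$name" ]; then
            echo "MISSING_LIVE $name"
            continue
        fi
        for kind in cert chain fullchain privkey; do
            link="$root/live/$name/$kind.pem"
            if [ ! -L "$link" ]; then
                # Missing, or replaced by a regular file (the error in post #1).
                echo "NOT_SYMLINK $name $kind"
                continue
            fi
            target=$(readlink "$link")
            if [ ! -e "$link" ]; then
                echo "DANGLING $name $kind $target"
                continue
            fi
            case "$target" in
                ../../archive/"$name"/"$kind"[0-9]*.pem) ;;
                *) echo "WRONG_ARCHIVE $name $kind $target" ;;
            esac
        done
    done
    # Live directories that no renewal config refers to are never renewed.
    for dir in "$root"/live/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        [ -f "$root/renewal/$name.conf" ] || echo "ORPHAN_LIVE $name"
    done
)

# Run as root against the real tree, or pass another root directory.
audit_lineages "${1:-/etc/letsencrypt}"
```

On a tree shaped like the listing in this post it reports `MISSING_LIVE hack.bg-0001`, four `WRONG_ARCHIVE hack.bg` lines and `ORPHAN_LIVE hack.bg.old`.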

#4

Hi @what

Removing the precertificates, you have created 5 identical certificates in less than 10 minutes ( https://check-your-website.server-daten.de/?q=hack.bg ):

| CRT-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 1381707852 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-04-12 05:34:28 | 2019-07-11 05:34:28 | hack.bg | duplicate nr. 5 | next Letsencrypt certificate: 2019-04-19 05:27:18 |
| 1381697596 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-04-12 05:30:56 | 2019-07-11 05:30:56 | hack.bg | duplicate nr. 4 | |
| 1381693096 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-04-12 05:29:39 | 2019-07-11 05:29:39 | hack.bg | duplicate nr. 3 | |
| 1381693094 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-04-12 05:28:48 | 2019-07-11 05:28:48 | hack.bg | duplicate nr. 2 | |
| 1381685219 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-04-12 05:27:18 | 2019-07-11 05:27:18 | hack.bg | duplicate nr. 1 | |

Looks like hack.bg.old cert5 is your last certificate.

So you should have enough certificates.

What says

certbot certificates

What’s the result of

certbot update_symlinks
#5

What says
certbot certificates

root@hack-web:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 0.33.1 renewal configuration file found at /etc/letsencrypt/renewal/hack.bg.conf with version 0.17.0 of Certbot. This might not work.
Revocation status for /etc/letsencrypt/live/hack.bg/cert.pem is unknown

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: hack.bg-0001
    Domains: hack.bg
    Expiry Date: 2019-04-12 08:13:51+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/hack.bg-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hack.bg-0001/privkey.pem
  Certificate Name: hack.bg
    Domains: hack.bg,www.hack.bg
    Expiry Date: 2018-05-21 08:37:02+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/hack.bg/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hack.bg/privkey.pem
-------------------------------------------------------------------------------

What’s the result of
certbot update_symlinks

root@hack-web:~# certbot update_symlinks
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 0.33.1 renewal configuration file found at /etc/letsencrypt/renewal/hack.bg.conf with version 0.17.0 of Certbot. This might not work.
#6

Looks like you have changed a lot of things.

Perhaps:

Copy the 5* files from

/etc/letsencrypt/archive/hack.bg

to another place. Find your Apache vHost of that domain, then use these files directly. Recheck your domain if the certificate is valid.

One week later, delete the content of live/, archive/ and renewal/ (first, make a backup), then start anew.

#7

The 5th one says “Expired: Monday, 28 January 2019 at 23:57:21 Eastern European Standard Time”.

#8

Then check all other certificates.

There are two options:

  • You have a valid certificate
  • You have to wait

You can create a new certificate with another set of domain names. But your Certbot doesn’t work, so that solution may not work.

Or you use another client to create a certificate with another set of domain names (non-www and www).

#9

Or you use another client to create a certificate with another set of domain names (non-www and www).

When I try issuing a certificate on another client it won’t accept the webroot I’ve provided as it is not present there. Is there some workaround?

#10

Another Letsencrypt client software.

Or use certbot on another machine and use dns + --manual + certonly, that should always work. Then you don’t need a running webserver.

#11

Thank you 🙂 @JuergenAuer

#12

Now you have created a new certificate with both domain names ( https://check-your-website.server-daten.de/?q=hack.bg ):

CN=www.hack.bg | 13.04.2019 | 12.07.2019 | expires in 90 days | hack.bg, www.hack.bg - 2 entries

But there are some errors.

Your non-www works, your www uses the old certificate:

| Domainname | IP | Http-Status | redirect | Sec. | G | Error |
|---|---|---|---|---|---|---|
| http://hack.bg/ | 172.104.234.16 | 301 | https://hack.bg/ | 0.034 | A | |
| http://hack.bg/ | 2a01:7e01::f03c:91ff:fe7f:e19f | 301 | https://hack.bg/ | 0.036 | A | |
| http://www.hack.bg/ | 172.104.234.16 | 301 | https://www.hack.bg/ | 0.053 | A | |
| http://www.hack.bg/ | 2a01:7e01::f03c:91ff:fe7f:e19f | 301 | https://www.hack.bg/ | 0.033 | A | |
| https://www.hack.bg/ | 172.104.234.16 | 301 | https://hack.bg/ | 0.533 | N | Certificate error: RemoteCertificateChainErrors |
| https://www.hack.bg/ | 2a01:7e01::f03c:91ff:fe7f:e19f | 301 | https://hack.bg/ | 0.223 | N | Certificate error: RemoteCertificateChainErrors |
| https://hack.bg/ | 172.104.234.16 | 200 | | 0.637 | B | |
| https://hack.bg/ | 2a01:7e01::f03c:91ff:fe7f:e19f | 200 | | 0.327 | B | |

And your chain is wrong - duplicate certificates:

Chain - duplicate certificates:
1 CN=www.hack.bg
2 CN=www.hack.bg
3 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US

Looks like you use cert.pem and fullchain.pem, remove cert.pem.
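
An added example, not part of the original thread, for the diagnosis in the last post: it lists certificates that occur more than once when the PEM files a server sends are read in order (here `cert.pem` followed by `fullchain.pem`). The function names are made up for this example, the PEM bodies are constructed placeholders rather than real certificates, and blocks are compared by their base64 text.

```shell
#!/bin/sh
# Added example: report certificates that appear more than once across the
# PEM files given, in the order they are listed on the command line.

dup_certs() {
    cat "$@" | awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/ {
            inside = 0; n++
            # Same base64 body as an earlier block means the same certificate.
            if (body in first) print "DUPLICATE " n " same-as " first[body]
            else first[body] = n
            next
        }
        inside { body = body $0 }
    '
}

# Constructed demo: cert.pem holds the leaf, fullchain.pem holds the leaf
# plus the intermediate, so serving both sends the leaf twice.
demo_dup_certs() (
    d=$(mktemp -d) || exit 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtTEVBRi1QTEFDRUhPTERFUg==' \
        '-----END CERTIFICATE-----' > "$d/cert.pem"
    {
        cat "$d/cert.pem"
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            'Q09OU1RSVUNURUQtSU5URVJNRURJQVRF' \
            '-----END CERTIFICATE-----'
    } > "$d/fullchain.pem"
    dup_certs "$d/cert.pem" "$d/fullchain.pem"
    rm -rf "$d"
)

demo_dup_certs
```

The demo reports position 2 as a repeat of position 1, the same shape as the three-entry chain quoted above; running `dup_certs` on `fullchain.pem` alone reports nothing.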
