Yes, I saw the rate limit being hit, but I do not know why. Cron runs certbot every 12 hours. This morning, when I tried again to renew after clearing the cache of my local DNS servers, it came back on the first try with this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/lavaleriana.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate
Attempting to renew cert (lavaleriana.net) from /etc/letsencrypt/renewal/lavaleriana.net.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.bb-stilltech.nl,*.lavaleriana.net,*.scotspine.nl,bb-stilltech.nl,lavaleriana.net,scotspine.nl: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lavaleriana.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lavaleriana.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /usr/sbin/service apache2 reload
1 renew failure(s), 0 parse failure(s)
That was on the first try, so I do not understand the rate limit error.
My letsencrypt log showed this:
2020-10-12 05:48:01,848:DEBUG:certbot.main:certbot version: 0.40.1
2020-10-12 05:48:01,851:DEBUG:certbot.main:Arguments: []
2020-10-12 05:48:01,852:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-10-12 05:48:01,868:DEBUG:certbot.log:Root logging level set at 20
2020-10-12 05:48:01,870:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-10-12 05:48:01,897:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f235ffceef0> and installer <certbot.cli._Default object at 0x7f235ffceef0>
2020-10-12 05:48:01,918:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2020-10-11 10:09:38 UTC.
2020-10-12 05:48:01,918:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2020-10-12 05:48:01,919:DEBUG:certbot.plugins.selection:Requested authenticator dns-cloudflare and installer None
2020-10-12 05:48:01,922:DEBUG:certbot.plugins.selection:Single candidate plugin: * dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare = certbot_dns_cloudflare.dns_cloudflare:Authenticator
Initialized: <certbot_dns_cloudflare.dns_cloudflare.Authenticator object at 0x7f235ffc3b70>
Prep: True
2020-10-12 05:48:01,924:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_dns_cloudflare.dns_cloudflare.Authenticator object at 0x7f235ffc3b70> and installer None
2020-10-12 05:48:01,924:INFO:certbot.plugins.selection:Plugins selected: Authenticator dns-cloudflare, Installer None
2020-10-12 05:48:01,932:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', body=Registration(status=None, only_return_existing=None, terms_of_service_agreed=None, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f235ffdf9e8>)>), contact=('mailto:norbertk@lavaleriana.net',), external_account_binding=None, agreement='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', uri='https://acme-v01.api.letsencrypt.org/acme/reg/5792365'), ac1a5331297eafb85c42af82970f1136, Meta(creation_host='omega-r2.lavaleriana.net', creation_dt=datetime.datetime(2016, 11, 2, 14, 9, 34, tzinfo=<UTC>)))>
2020-10-12 05:48:01,935:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-10-12 05:48:01,963:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2020-10-12 05:48:02,622:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2020-10-12 05:48:02,623:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 12 Oct 2020 03:48:01 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"lpz4nhxhUKU": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2020-10-12 05:48:02,624:INFO:certbot.main:Renewing an existing certificate
2020-10-12 05:48:02,714:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0115_key-certbot.pem
2020-10-12 05:48:02,719:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0115_csr-certbot.pem
2020-10-12 05:48:02,720:DEBUG:acme.client:Requesting fresh nonce
2020-10-12 05:48:02,720:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-10-12 05:48:02,869:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2020-10-12 05:48:02,870:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 12 Oct 2020 03:48:02 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0004ow4nXpBTZN4L5BP26RX2DsG544U78KeG6pcT7YVEujg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
2020-10-12 05:48:02,870:DEBUG:acme.client:Storing nonce: 0004ow4nXpBTZN4L5BP26RX2DsG544U78KeG6pcT7YVEujg
2020-10-12 05:48:02,871:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "value": "*.lavaleriana.net",\n "type": "dns"\n },\n {\n "value": "*.bb-stilltech.nl",\n "type": "dns"\n },\n {\n "value": "*.scotspine.nl",\n "type": "dns"\n },\n {\n "value": "bb-stilltech.nl",\n "type": "dns"\n },\n {\n "value": "lavaleriana.net",\n "type": "dns"\n },\n {\n "value": "scotspine.nl",\n "type": "dns"\n }\n ]\n}'
2020-10-12 05:48:02,887:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2020-10-12 05:48:03,049:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 429 320
2020-10-12 05:48:03,050:DEBUG:acme.client:Received response:
HTTP 429
Server: nginx
Date: Mon, 12 Oct 2020 03:48:02 GMT
Content-Type: application/problem+json
Content-Length: 320
Connection: keep-alive
Boulder-Requester: 5792365
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002fx3JcFi-Lo6pHnNdopK2hpp5McUuEDgrzEewlcH0v6M
{
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many certificates already issued for exact set of domains: *.bb-stilltech.nl,*.lavaleriana.net,*.scotspine.nl,bb-stilltech.nl,lavaleriana.net,scotspine.nl: see https://letsencrypt.org/docs/rate-limits/",
"status": 429
}
2020-10-12 05:48:03,051:WARNING:certbot.renewal:Attempting to renew cert (lavaleriana.net) from /etc/letsencrypt/renewal/lavaleriana.net.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.bb-stilltech.nl,*.lavaleriana.net,*.scotspine.nl,bb-stilltech.nl,lavaleriana.net,scotspine.nl: see https://letsencrypt.org/docs/rate-limits/. Skipping.
2020-10-12 05:48:03,055:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/local/lib/python3.5/dist-packages/certbot/renewal.py", line 449, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/local/lib/python3.5/dist-packages/certbot/main.py", line 1208, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/local/lib/python3.5/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/local/lib/python3.5/dist-packages/certbot/renewal.py", line 307, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/local/lib/python3.5/dist-packages/certbot/client.py", line 348, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/local/lib/python3.5/dist-packages/certbot/client.py", line 381, in _get_order_and_authorizations
orderr = self.acme.new_order(csr_pem)
File "/usr/local/lib/python3.5/dist-packages/acme/client.py", line 884, in new_order
return self.client.new_order(csr_pem)
File "/usr/local/lib/python3.5/dist-packages/acme/client.py", line 671, in new_order
response = self._post(self.directory['newOrder'], order)
File "/usr/local/lib/python3.5/dist-packages/acme/client.py", line 95, in _post
return self.net.post(*args, **kwargs)
File "/usr/local/lib/python3.5/dist-packages/acme/client.py", line 1195, in post
return self._post_once(*args, **kwargs)
File "/usr/local/lib/python3.5/dist-packages/acme/client.py", line 1209, in _post_once
response = self._check_response(response, content_type=content_type)
File "/usr/local/lib/python3.5/dist-packages/acme/client.py", line 1064, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.bb-stilltech.nl,*.lavaleriana.net,*.scotspine.nl,bb-stilltech.nl,lavaleriana.net,scotspine.nl: see https://letsencrypt.org/docs/rate-limits/
2020-10-12 05:48:03,055:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-10-12 05:48:03,056:ERROR:certbot.renewal: /etc/letsencrypt/live/lavaleriana.net/fullchain.pem (failure)
2020-10-12 05:48:03,056:INFO:certbot.hooks:Running post-hook command: /usr/sbin/service apache2 reload
2020-10-12 05:48:03,310:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python3.5/dist-packages/certbot/main.py", line 1378, in main
return config.func(config, plugins)
File "/usr/local/lib/python3.5/dist-packages/certbot/main.py", line 1287, in renew
renewal.handle_renewal_request(config)
File "/usr/local/lib/python3.5/dist-packages/certbot/renewal.py", line 474, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)