Error: urn:acme:error:rateLimited and expired subdomain

My domain is: hijackedbrain.com

I ran this command: (using su’s crontab @monthly)
letsencrypt --apache -d hijackedbrain.com -d git.hijackedbrain.com -d safe.hijackedbrain.com -d wip.hijackedbrain.com -d horde.hijackedbrain.com certonly && service apache2 reload

Moreover, when I type “certbot certificates”, it indicates that my domains are: “hijackedbrain.com git.hijackedbrain.com horde.hijackedbrain.com pic.hijackedbrain.com safe.hijackedbrain.com wip.hijackedbrain.com”

Problem being, pic.hijackedbrain.com is not a correct subdomain anymore. So I suppose it tried to renew the certificates multiple times before hitting the renew limit. And now I cannot renew certificates anymore…

So what now? What are the steps? Do I have to clear some hidden certbot request stack? How can I remove a subdomain, as every method I saw online involves asking for a new certificate? Is there nothing I can do?

It produced this output: https://pastebin.com/Mr2gbT5S

My web server is (include version):
Server version: Apache/2.4.10 (Debian)
Server built: Sep 20 2017 04:37:43

The operating system my web server runs on is (include version): Debian GNU/Linux 8.10 (jessie)

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, ssh only

Hi,

This is temporary, you just need to wait 1 hour to try again.

You can revoke and remove the certificate first, then issue a new certificate with those subdomains you want.
(Since renew only allows you to add new subdomains, not remove existing domains)

Thanks

Hi @Aryetis,

Your last 25 non-expired certificates were issued without the offending domain pic.hijackedbrain.com; the last time you issued a certificate covering this domain was last year.

CRT ID     DOMAIN (CN)        VALID FROM             VALID TO               EXPIRES IN  SANs
141802079  hijackedbrain.com  2017-May-21 11:23 UTC  2017-Aug-19 11:23 UTC  -187 days   git.hijackedbrain.com
                                                                                        hijackedbrain.com
                                                                                        horde.hijackedbrain.com
                                                                                        pic.hijackedbrain.com
                                                                                        safe.hijackedbrain.com
                                                                                        wip.hijackedbrain.com

So I'm a bit confused since you are already issuing certificates covering the right domains without pic.hijackedbrain.com.

As you removed one domain, it seems you have two dirs: /etc/letsencrypt/live/hijackedbrain.com/ covering the old and expired cert, and /etc/letsencrypt/live/hijackedbrain.com-0001/ which seems to cover your new certificate. Is that possible? :wink:

If this is the case we will have a couple of options to fix it.

In this case, there is no need to revoke the cert ;).

Cheers,
sahsanu

That's quite probably the case. Upon trying to fix my certificates (mainly by trying to use previous ones that were not yet expired), I stumbled upon tons of folders /etc/letsencrypt/live/hijackedbrain.com-0001/ up to -005 ... Same goes for archive/ (with multiple cert1.pem, cert2.pem, etc) and renewal/ ... I also deleted them because I thought they were too old to be relevant .....

Bad choice :wink:

So, could you please show the output of these commands?

ls -l /etc/letsencrypt/{live,archive,renewal}/

cat /etc/letsencrypt/renewal/hijackedbrain.com.conf

cat /etc/letsencrypt/renewal/hijackedbrain.com-0001.conf

letsencrypt certificates

Cheers,
sahsanu

That's pretty much what I thought at the exact moment I deleted them... I made some backup of the live folder but that's all ... (Most of ?) The rest is gone.

Sure thing, here are the results: https://pastebin.com/AdgXyiBS

PS : Thanks again for the very fast answers.

Please also post:

ls -l /etc/letsencrypt/{live,archive}/hijackedbrain.com/

I remember certbot complaining about the files in /etc/letsencrypt/live/hijackedbrain.com/ not being symlinks, so I (stupidly) made some symlinks with some other certs just to see what would happen. The original files from /etc/letsencrypt/live/hijackedbrain.com/ are stored at /etc/letsencrypt/live/BUGYBACKUP/ (output for that folder can also be found in the pastebin below)

https://pastebin.com/7wWCXWxf

Please, show the output of this command:

openssl x509 -in /etc/letsencrypt/archive/hijackedbrain.com/cert2.pem -noout -text

As you wish, there it is : https://pastebin.com/WqSCue6J

That is good ;), you at least have the last certificate issued for your domains so we can work with that, in a few minutes I’ll provide a few commands to try to fix it.


Ok, here we go.

These commands should be issued as root:

First, backup… always :stuck_out_tongue:

tar zcvf /root/backup-etc-letsencrypt_2018-Feb-22.tar.gz /etc/letsencrypt/

Now fix the mess :wink:

rm /etc/letsencrypt/archive/hijackedbrain.com/*3.pem
cd /etc/letsencrypt/live/hijackedbrain.com/
rm *.pem
ln -s ../../archive/hijackedbrain.com/cert2.pem cert.pem
ln -s ../../archive/hijackedbrain.com/privkey2.pem privkey.pem
ln -s ../../archive/hijackedbrain.com/chain2.pem chain.pem
ln -s ../../archive/hijackedbrain.com/fullchain2.pem fullchain.pem

After that, show us the output of:

letsencrypt certificates

If you see a VALID CERTIFICATE when issuing the above command, restart your web server and try to access it.

Good luck,
sahsanu

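A check for the symlink layout that the commands above rebuild, as an added example that is not part of the original post: it confirms that each file in live/ is a relative symlink into archive/ for the same lineage, that the target exists, and that all four links carry the same version number. The function name `check_lineage`, the `example.test` lineage and the temporary tree of empty placeholder files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: validate a certbot lineage after hand-repairing symlinks.
# check_lineage ROOT NAME returns 0 when live/NAME/{cert,privkey,chain,
# fullchain}.pem are symlinks of the form ../../archive/NAME/<kind><N>.pem,
# every target exists, and all four share the same N.
check_lineage() {
    root=$1; name=$2; version=""; rc=0
    for kind in cert privkey chain fullchain; do
        link="$root/live/$name/$kind.pem"
        if [ ! -L "$link" ]; then
            echo "FAIL $kind.pem: not a symlink"; rc=1; continue
        fi
        target=$(readlink "$link")
        n=${target#"../../archive/$name/$kind"}   # "2.pem" when well-formed
        n=${n%.pem}
        case $n in
            ''|*[!0-9]*) echo "FAIL $kind.pem -> $target: unexpected target"
                         rc=1; continue ;;
        esac
        if [ ! -f "$link" ]; then
            echo "FAIL $kind.pem -> $target: target missing"; rc=1; continue
        fi
        if [ -z "$version" ]; then
            version=$n
        elif [ "$n" != "$version" ]; then
            echo "FAIL $kind.pem: version $n, expected $version"; rc=1; continue
        fi
        echo "ok   $kind.pem -> $target"
    done
    return $rc
}

# Constructed sample tree (empty placeholder files, not real keys) that
# mirrors the layout repaired in the thread.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/live/example.test" "$d/archive/example.test"
    for k in cert privkey chain fullchain; do
        : > "$d/archive/example.test/${k}2.pem"
        ln -s "../../archive/example.test/${k}2.pem" "$d/live/example.test/$k.pem"
    done
    echo "$d"
}

sample=$(make_sample)
check_lineage "$sample" example.test
rm -rf "$sample"
```

On a real host the equivalent call, run as root, would be `check_lineage /etc/letsencrypt hijackedbrain.com`.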

Working like a charm. I was not that far off trying to recreate the symlinks, I was just targeting the wrong files ^^".

letsencrypt certificates output: https://pastebin.com/4eQD2qme

Thank you very much.


Perfect :beers:. You are welcome, I’m glad you got it working :wink:
