Error: urn:acme:error:rateLimited and expired subdomain

My domain is:

I ran this command: (using su’s crontab @monthly)
letsencrypt --apache -d -d -d -d -d certonly && service apache2 reload

Moreover when I type “certbot certificates”, it indicates that my domains are : “

Problem being, is not a correct subdomain anymore. So I suppose it tried to renew the certificates multiple times before hitting the renew limit. And now I cannot renew certificates anymore…

So what now ? What are the steps ? Do I have to clear some hidden certbot request stack ? How can I remove a subdomain as every method I saw online involve asking for a new certificate. Is there nothing I can do ?

It produced this output:

My web server is (include version):
Server version: Apache/2.4.10 (Debian)
Server built: Sep 20 2017 04:37:43

The operating system my web server runs on is (include version): Debian GNU/Linux 8.10 (jessie)

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, ssh only


This is temporary, you just need to wait 1 hour to try again.

You can revoke and remove the certificate first, then issue a new certificate with those subdomains you want.
(Since renew only allow you to add new subdomains not remove existing domains)


Hi @Aryetis,

Your last 25 non expired certificates were issued without the offended domain, the last time you issued a certificate covering this domain was last year.

CRT ID     DOMAIN (CN)        VALID FROM             VALID TO               EXPIRES IN  SANs
141802079  2017-May-21 11:23 UTC  2017-Aug-19 11:23 UTC  -187 days

So I’m a bit confused since you are already issuing certificates covering the right domains without

As you removed one domain seems you have two dirs/elc/letsencrypt/live/ covering the old and expired cert and /elc/letsencrypt/live/ which seems cover your new certificate, is that possible? :wink:

If this is the case we will have a couple of options to fix it.

In this case, there is no need to revoke the cert ;).


That’s quite probably the case. Upon trying to fix my certificates (mainly by trying to use previous ones that were not yet expired), I stumbled upon tons of folder /elc/letsencrypt/live/ up to -005 … Same goes for archive/ (with multiple cert1.pem, cert2.pem, etc) and renewal/ … I also deleted them because I thought they were too old to be relevant …

Bad choice :wink:

So, could you please show the output of these commands?.

ls -l /etc/letsencrypt/{live,archive,renewal}/

cat /etc/letsencrypt/renewal/

cat /etc/letsencrypt/renewal/

letsencrypt certificates


That’s pretty much what I thought at the exact moment I deleted them… I made some backup of the live folder but that’s all … (Most of ?) The rest is gone.

Sure thing there are the results :

PS : Thanks again for the very fast answers.

Please also post:

ls -l /etc/letsencrypt/{live,archive}/
1 Like

I remember certbot complaining about the files in /etc/letsencrypt/live/ not being symlink so I (stupidly) did some symlink with some others certs just to see what would happen. The original /etc/letsencrypt/live/ 's files are stored at /etc/letsencrypt/live/BUGYBACKUP/ (output for that folder can also be found in the pastebin below)

Please, show the output of this command:

openssl x509 -in /etc/letsencrypt/archive/ -noout -text

As you wish, there it is :

That is good ;), you at least have the last certificate issued for your domains so we can work with that, in a few minutes I’ll provide a few commands to try to fix it.

1 Like

Ok, here we go.

These commands should be issued as root:

First, backup… always :stuck_out_tongue:

tar zcvf /root/backup-etc-letsencrypt_2018-Feb-22.tar.gz /etc/letsencrypt/

Now fix the mess :wink:

rm /etc/letsencrypt/archive/*3.pem
cd /etc/letsencrypt/live/
rm *.pem
ln -s ../../archive/ cert.pem
ln -s ../../archive/ privkey.pem
ln -s ../../archive/ chain.pem
ln -s ../../archive/ fullchain.pem

After that, show us the output of:

letsencrypt certificates

If you see a VALID CERTIFICATE issuing above command, restart your web server and try to access it.

Good luck,


Working like a charm. I was not that far off trying to recreate symlink I was just targeting the wrong files ^^".

letsencrypt certficates output :

Thank you very much.

1 Like

Perfect :beers:. You are welcome, I’m glad you get it working :wink:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.