Error while renew


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mydomain.com.br

I ran this command: ./certbot-auto certonly --webroot -w /home/mydomainadm/public_html --cert-name mydomain.com.br -d mydomain.com.br

and

./certboot-auto renew

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.com.br
Using the webroot path /home/mydomainadm/public_html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: mydomain.com.br: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): Server version: Apache/2.4.23 (Linux/SUSE)
Server built: 2018-01-29 10:40:58.000000000 +0000

The operating system my web server runs on is (include version): OpenSuSE - 4.4.120-45-default #1 SMP Wed Mar 14 20:51:49 UTC 2018 (623211f) x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: bymyself

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Certificates

crt.sh ID | Logged At | Not Before | Not After | Issuer Name
846581028 | 2018-10-10 | 2018-10-10 | 2019-01-08 | C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
846583038 | 2018-10-10 | 2018-10-10 | 2019-01-08 | C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
846577379 | 2018-10-10 | 2018-10-10 | 2019-01-08 | C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
846606512 | 2018-10-10 | 2018-10-10 | 2019-01-08 | C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
846509155 | 2018-10-10 | 2018-10-10 | 2019-01-08 | C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
846505686 | 2018-10-10 | 2018-10-10 | 2019-01-08 | [C=US, O=Let’s

#2

You’ll want to figure out what has been issuing these duplicate certificates, because indeed you are over the rate limit.

Have you been intentionally re-issuing new certificates when Certbot has asked you?

What does this show:

./certbot-auto certificates

Make sure you reload Apache as well, because since you are using certonly, Certbot does not do this for you unless you tell it to, and it’s required in order for Apache to pick up the renewed certificate:

service httpd reload

#3

Thanks for the answer!

Q: Have you been intentionally re-issuing new certificates when Certbot has asked you?
A: Yes, trying to solve the error I repeated the process several times.

./certbot-auto certificates shows:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/otherdomain.com.br/cert.pem is unknown


Found the following certs:
Certificate Name: mydomain.com.br
Domains: mydomain.com.br
Expiry Date: 2018-10-09 13:55:45+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/mydomain.com.br/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mydomain.com.br/privkey.pem

… and other domains …


Q: Make sure you reload Apache as well,…
A: yes, I did.


#4

Hi @grm2018

what’s the problem? You have created 6 certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:omnisoft.com.br&lu=cert_search

from 2018-10-08 to 2018-10-10. You use certonly, so you have to install the certificate manually.

So please do that and use that certificate for the next 60 days. Then order a new one.


#5

That is really weird. Are you 100% sure none of the other certificates listed are for mydomain.com.br ?

Otherwise, it would appear that Certbot issues the certificate but then doesn’t actually save it to disk. It seems unlikely though.

ls /etc/letsencrypt/live

Would you be able to check the log files from /var/log/letsencrypt/ (specifically, those that correlate to the certificates issued on 2018-10-08 and 2018-10-10) and post the contents of one?


#6

A: Sorry. Shown here are more subdomains listed that are related to mydomain.com.br

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/academiaandroid.com.br/cert.pem is unknown


Found the following certs:
Certificate Name: mydomain.com.br
Domains: mydomain.com.br
Expiry Date: 2018-10-09 13:55:45+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/mydomain.com.br/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mydomain.com.br/privkey.pem
Certificate Name: app.mydomain.com.br
Domains: app.mydomain.com.br
Expiry Date: 2019-01-08 21:06:51+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/app.mydomain.com.br/fullchain.pem
Private Key Path: /etc/letsencrypt/live/app.mydomain.com.br/privkey.pem
Certificate Name: airb.mydomain.com.br
Domains: airb.mydomain.com.br
Expiry Date: 2019-01-06 10:35:43+00:00 (VALID: 87 days)
Certificate Path: /etc/letsencrypt/live/airb.mydomain.com.br/fullchain.pem
Private Key Path: /etc/letsencrypt/live/airb.mydomain.com.br/privkey.pem
Certificate Name: superh.mydomain.com.br
Domains: superh.mydomain.com.br
Expiry Date: 2019-01-06 10:35:20+00:00 (VALID: 87 days)
Certificate Path: /etc/letsencrypt/live/superh.mydomain.com.br/fullchain.pem
Private Key Path: /etc/letsencrypt/live/superh.mydomain.com.br/privkey.pem



#7

Thanks Juergen. Can you please tell me how to manually install the cert?


#8

Check your Apache configuration file. There must be something like

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache.crt
    SSLCertificateKeyFile /etc/ssl/private/apache.key
</VirtualHost>

Replace these two files

/etc/ssl/certs/apache.crt
/etc/ssl/private/apache.key

with the files listed by

certbot certificates

Select the correct certificate and use these files. Then restart / reload your server.

If that works, you should delete (certbot delete) duplicated certificates.


#9

Really, I made a mistake creating 6 certs, as google transp. shows:

Subject | Issuer | No. of DNS names | Valid from | Valid until | No. of certificate transparency logs
mydomain.com.br | Let’s Encrypt Authority X3 | 1 | Oct 10, 2018 | Jan 8, 2019 | 1
mydomain.com.br | Let’s Encrypt Authority X3 | 1 | Oct 10, 2018 | Jan 8, 2019 | 2
mydomain.com.br | Let’s Encrypt Authority X3 | 1 | Oct 8, 2018 | Jan 6, 2019 | 2
mydomain.com.br | Let’s Encrypt Authority X3 | 1 | Oct 10, 2018 | Jan 8, 2019 | 1
mydomain.com.br | Let’s Encrypt Authority X3 | 1 | Oct 10, 2018 | Jan 8, 2019 | 1
mydomain.com.br | Let’s Encrypt Authority X3 | 1 | Oct 8, 2018 | Jan 6, 2019 | 1

So, how can I solve this on my server, manually installing this?

Thank you,


#10

something wrong?

certbot certificates

Saving debug log to /var/log/certbot/letsencrypt.log


No certs found.


#11

Please list all the steps you have done. There is the answer.


#12

Remembering…

step 1:
./certbot-auto certonly --webroot -w /home/mydomain/public_html --cert-name mydomain.com.br -d mydomain.com.br
this did not solve it

step 2:
./certboot-auto renew
this did not solve it either

I tried these steps several times (6 exactly) to try to solve it.

Additional info: my cert was running fine until last Saturday. Then the validity date expired and I started the renewal procedure, resulting in this issue, caused by my limited command of the certbot tools.


#13

There

you have a lot of certificates and the information of the file names and paths.


#14

you have a lot of certificates and the information of the file names and paths.

Yes, I understand and did check. The paths and config files are correct.

The problem, I suspect, is related to the limit on the number of times a certificate can be renewed.


#15

Hello!
To help somebody with the same problem.
The solution was:
Find the files in /etc/letsencrypt/archive/mydomain.com.br
Check the dates for the most recent files, in my case cert4.pem, chain4.pem, fullchain4.pem and privkey4.pem, as shown below:

-rw-r--r-- 1 root root 2155 Apr  7  2018 cert1.pem
-rw-r--r-- 1 root root 2179 Apr  8  2018 cert2.pem
-rw-r--r-- 1 root root 2155 Oct 10 19:06 cert4.pem <-- most recent
-rw-r--r-- 1 root root 1647 Apr  7  2018 chain1.pem
-rw-r--r-- 1 root root 1647 Apr  8  2018 chain2.pem
-rw-r--r-- 1 root root 1647 Oct 10 19:06 chain4.pem <-- most recent
-rw-r--r-- 1 root root 3802 Apr  7  2018 fullchain1.pem
-rw-r--r-- 1 root root 3826 Apr  8  2018 fullchain2.pem
-rw-r--r-- 1 root root 3802 Oct 10 19:06 fullchain4.pem <-- most recent
-rw-r--r-- 1 root root 1704 Apr  7  2018 privkey1.pem
-rw-r--r-- 1 root root 1704 Apr  8  2018 privkey2.pem
-rw-r--r-- 1 root root 1704 Oct 10 19:06 privkey4.pem <-- most recent

Use the ln command to update the symbolic links of the files in the folder /etc/letsencrypt/live/mydomain.com.br, like this:
cd /etc/letsencrypt/live/mydomain.com.br
ln -sf ../../archive/mydomain.com.br/cert4.pem cert.pem
ln -sf ../../archive/mydomain.com.br/chain4.pem chain.pem
ln -sf ../../archive/mydomain.com.br/fullchain4.pem fullchain.pem
ln -sf ../../archive/mydomain.com.br/privkey4.pem privkey.pem
rcapache2 reload

problem solved!

Thanks all for helping me.
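
The manual relink from the post above, as an added example (not Certbot's code and not from the original poster): it detects live symlinks that lag behind the newest archive version and repoints all four files together, so the certificate and private key always come from the same version. The helper names `latest_version`, `live_version` and `relink`, the lineage name `example.test` and the temporary directory tree of empty placeholder files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find stale certbot "live" symlinks and repoint them safely.

# Print the highest N for which certN.pem exists in archive dir $1.
latest_version() {
    max=0
    for f in "$1"/cert*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/cert}; n=${n%.pem}
        case $n in ''|*[!0-9]*) continue ;; esac
        # Numeric compare, so version 10 sorts after version 9.
        if [ "$n" -gt "$max" ]; then max=$n; fi
    done
    echo "$max"
}

# Print the N that $1/cert.pem points at, or 0 if it is not a symlink.
live_version() {
    target=$(readlink "$1/cert.pem") || { echo 0; return 0; }
    n=${target##*/cert}
    echo "${n%.pem}"
}

# Repoint all four links in live dir $1 (lineage $2) to version $3.
# Nothing is changed unless cert, chain, fullchain and privkey all exist,
# so the certificate and private key can never come from different versions.
relink() {
    for kind in cert chain fullchain privkey; do
        [ -e "$1/../../archive/$2/$kind$3.pem" ] || { echo "missing $kind$3.pem" >&2; return 1; }
    done
    for kind in cert chain fullchain privkey; do
        ln -sf "../../archive/$2/$kind$3.pem" "$1/$kind.pem"
    done
}

# Constructed tree mirroring the thread: versions 1, 2 and 4 exist, live uses 2.
demo() {
    root=$(mktemp -d); name=example.test
    mkdir -p "$root/archive/$name" "$root/live/$name"
    for v in 1 2 4; do
        for kind in cert chain fullchain privkey; do : > "$root/archive/$name/$kind$v.pem"; done
    done
    relink "$root/live/$name" "$name" 2
    echo "live=$(live_version "$root/live/$name") latest=$(latest_version "$root/archive/$name")"
    relink "$root/live/$name" "$name" "$(latest_version "$root/archive/$name")"
    echo "live=$(live_version "$root/live/$name") after relink"
    rm -rf "$root"
}
demo
```

On a real host the two directories would be /etc/letsencrypt/archive/<name> and /etc/letsencrypt/live/<name>, and the web server still has to be reloaded after relinking.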

