Help for Novice

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:alltank.co.uk

I ran this command:I didn’t at least not like this, I did it via siteground

It produced this output:
Failed to install Let’s Encrypt for staging3.alltank.co.uk.
ERROR: acmebot->create_new_order: Net::ACME2::x::ACME: “https://acme-v02.api.letsencrypt.org/acme/new-order” indicated an ACME error: 429 Too Many Requests (429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (Error creating new order :: too many certificates already issued for exact set of domains: staging3.alltank.co.uk,www.staging3.alltank.co.uk: see https://letsencrypt.org/docs/rate-limits/)). ==> Net::ACME2::x::Generic::new(‘Net::ACME2::x::ACME’, ‘“https://acme-v02.api.letsencrypt.org/acme/new-order” indicated an ACME error: 429 Too Many Requests (429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (Error creating new order :: too many certificates already issued for exact set of domains: staging3.alltank.co.uk,www.staging3.alltank.co.uk: see https://letsencrypt.org/docs/rate-limits/)).’, HASH(0x444fe80)) (called in /usr/local/lib64/perl5/Net/ACME2/X/ACME.pm at line 31) ==> Net::ACME2::x::ACME::new(‘Net::ACME2::x::ACME’, HASH(0x444fe80)) (called in /usr/local/lib64/perl5/X/Tiny.pm at line 169) ==> X::Tiny::create(‘Net::ACME2::X’, ‘ACME’, HASH(0x444fe80)) (called in /usr/local/lib64/perl5/Net/ACME2/HTTP.pm at line 159) ==> Net::ACME2::HTTP::_request(Net::ACME2::HTTP=HASH(0x4173d98), ‘POST’, ‘https://acme-v02.api.letsencrypt.org/acme/new-order’, HASH(0x4480bd0), HASH(0x442f758)) (called in /usr/local/lib64/perl5/Net/ACME2/HTTP.pm at line 181) ==> Net::ACME2::HTTP::_request_and_set_last_nonce(Net::ACME2::HTTP=HASH(0x4173d98), ‘POST’, ‘https://acme-v02.api.letsencrypt.org/acme/new-order’, HASH(0x4480bd0), HASH(0x442f758)) (called in /usr/local/lib64/perl5/Net/ACME2/HTTP.pm at line 108) ==> Net::ACME2::HTTP::_post(Net::ACME2::HTTP=HASH(0x4173d98), ‘create_key_id_jws’, ‘https://acme-v02.api.letsencrypt.org/acme/new-order’, HASH(0x42d2da0)) (called in /usr/local/lib64/perl5/Net/ACME2/HTTP.pm at line 88) ==> Net::ACME2::HTTP::post_key_id(Net::ACME2::HTTP=HASH(0x4173d98), ‘https://acme-v02.api.letsencrypt.org/acme/new-order’, HASH(0x42d2da0)) (called in /usr/local/lib64/perl5/Net/ACME2.pm at line 555) ==> Net::ACME2::_post_url(Net::ACME2::LetsEncrypt=HASH(0x4102db0), ‘https://acme-v02.api.letsencrypt.org/acme/new-order’, HASH(0x42d2da0), undef) (called in /usr/local/lib64/perl5/Net/ACME2.pm at line 537) ==> Net::ACME2::_post(Net::ACME2::LetsEncrypt=HASH(0x4102db0), ‘newOrder’, HASH(0x42d2da0)) (called in /usr/local/lib64/perl5/Net/ACME2.pm at line 315) ==> Net::ACME2::create_order(Net::ACME2::LetsEncrypt=HASH(0x4102db0), ‘identifiers’, ARRAY(0x43ea228)) (called in /usr/local/lib64/perl5/Acmebot.pm at line 94) ==> (eval)(Net::ACME2::LetsEncrypt=HASH(0x4102db0), ‘identifiers’, ARRAY(0x43ea228)) (called in /usr/local/lib64/perl5/Acmebot.pm at line 93) ==> Acmebot::create_order(Net::ACME2::LetsEncrypt=HASH(0x4102db0), ‘/etc/letsencrypt/authzs/1598366125.authzs’, ‘staging3.alltank.co.uk’, ‘www.staging3.alltank.co.uk’) (called in /usr/local/lib64/perl5/Acmebot.pm at line 182) ==> Acmebot::order_certs(Net::ACME2::LetsEncrypt=HASH(0x4102db0), ‘/etc/letsencrypt/authzs/1598366125.authzs’, ‘DNS’, HASH(0x4333898), ‘staging3.alltank.co.uk’, ‘www.staging3.alltank.co.uk’) (called in /usr/local/lib64/perl5/Acmebot.pm at line 237) ==> Acmebot::issue_cert(HASH(0x43f6fe0), HASH(0x43f6a28)) (called in lib/Avalon/Ssl.pm at line 475) ==> (eval)(HASH(0x43f6fe0), HASH(0x43f6a28)) (called in lib/Avalon/Ssl.pm at line 475) ==> Avalon::Ssl::issue_le(DBI::db=HASH(0x43f6548), HASH(0x38cc930), HASH(0x43e4b20)) (called in lib/Avalon/Ssl.pm at line 538) ==> Avalon::Ssl::create_le(HASH(0x3953d90), HASH(0x43e4b20)) (called in /home/avalon/avalon/workers/…/lib/Avalon/Utils/jobs.pm at line 186) ==> (eval)(HASH(0x3953d90), HASH(0x43e4b20)) (called in /home/avalon/avalon/workers/…/lib/Avalon/Utils/jobs.pm at line 185) ==> Avalon::Utils::jobs::task_execute(HASH(0x3953d90)) (called in /home/avalon/avalon/workers/worker.pl at line 87) ==> main::do_task(HASH(0x3953d90)) (called in /home/avalon/avalon/workers/worker.pl at line 113) ==> main::api_task_router(Gearman::Job=HASH(0x3ad5ed0)) (called in /usr/local/lib64/perl5/Gearman/Worker.pm at line 344) ==> (eval)(Gearman::Job=HASH(0x3ad5ed0)) (called in /usr/local/lib64/perl5/Gearman/Worker.pm at line 344) ==> Gearman::Worker::work(Gearman::Worker=HASH(0x3887c40)) (called in /home/avalon/avalon/workers/worker.pl at line 199) ==> main::main(‘main’) (called in /home/avalon/avalon/workers/worker.pl at line 42)

My web server is (include version):
not sure, I’m on the geek plan with siteground
The operating system my web server runs on is (include version):
not sure, I’m on the geek plan with siteground
My hosting provider, if applicable, is:
Siteground
I can log in to a root shell on my machine (yes or no, or I don’t know):
I don’t know
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes Siteground Site Tools
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):?

1 Like

You’ve already issued five certificates within the past week for the same domain. Use one of them, switch to the staging server when you’re doing testing, or wait for a week from the time the first one was issued to be able to issue another one.

1 Like

@gavlar0

You can find the certificate history for your domain at https://crt.sh/?q=alltank.co.uk. It looks like you’re using certbot. In concurrence with @danb35’s suggestion, you can add --dry-run to your run to test. I don’t think you have any problem getting certificates though. I firmly believe the issue lies with the process of installing/enabling those certificates. Let’s work on that part, which you can’t use a test (dry) run to solve. You must likely want to be using certbot install to debug this part. The most common problem with installing certificates is failing to restart the webserver after updating the certificates.

1 Like

You appear to have a valid certificate for Cloudflare installed.

1 Like

Hello, thanks for your reply, the issue is that the process of installing certificates on Siteground is nothing like your suggesting, at least not for users, what we see in our control panel is shown below

We don’t get any other controls than that, and when I reach out to Siteground, they shrug their shoulders and say its because of the limits, whilst this may be true it doesn’t tell me why and what to do to either solve or avoid in the future

Yes correct we use Cloudflare on the alltank.co.uk domain, until just recently (when we discovered the cert issue) we had this enabled on the staging site too, this has been changed now and only the published site has Cloudflare on it.

Per https://crt.sh/?q=alltank.co.uk for staging3.alltank.co.uk on August 20 you had 5 certificates issued by Let’s Encrypt then another issued by Cloudflare afterwards. Therefore, the Cloudflare certificate is currently installed. You should still have the 5 Let’s Encrypt certificates (looks like 10 in the log, but 5 are precertificates) sitting on your server (along with their private keys). You simply need to install/activate any one of those five and you’re good. I believe this can probably be accomplished in the bottom section of the screen you’ve sent. In terms of the rate limits, you can only have 5 identical certificates (same domains and subdomains) issued per rolling week (i.e. any given 7-day period).

Update: the wildcard certificate you had issued by Let’s Encrypt on August 25 probably needs to be installed on the staging3.alltank.co.uk server. I’m guessing it only got installed on the www.alltank.co.uk server. I’m assuming they’re different machines.

A strong word of warning, HEED THIS WELL:
A certificate for *.alltank.co.uk does NOT cover www.staging3.alltank.co.uk. You would need a wildcard certificate for *.staging3.alltank.co.uk. I recommend stripping the www off of your staging server subdomains for security (and sanity) purposes. Additionally, you probably want to forward http to https for staging3.alltank.co.uk.