Help me my site says too many certificates already issued for exact set of domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: selz.shop

I ran this command: Generate SSL Certificate for both www & non-www version of domain

It produced this output:
ERROR: CREATE_ORDER:LEClient\Exceptions\LEConnectorException: Invalid response: 429 (Error creating new order :: too many certificates already issued for exact set of domains: selz.shop,www.selz.shop: see https://letsencrypt.org/docs/rate-limits/) in /home/selzshop/domains/selz.shop/public_html/wp-content/plugins/wp-letsencrypt-ssl/lib/Exceptions/LEConnectorException.php:80
Stack trace:
#0 /home/selzshop/domains/selz.shop/public_html/wp-content/plugins/wp-letsencrypt-ssl/lib/LEConnector.php(165): LEClient\Exceptions\LEConnectorException::InvalidResponseException(Array)
#1 /home/selzshop/domains/selz.shop/public_html/wp-content/plugins/wp-letsencrypt-ssl/lib/LEConnector.php(193): LEClient\LEConnector->request('POST', 'https://acme-v0...', '{"protected":"e...')
#2 /home/selzshop/domains/selz.shop/public_html/wp-content/plugins/wp-letsencrypt-ssl/lib/LEOrder.php(178): LEClient\LEConnector->post('https://acme-v0...', '{"protected":"e...')
#3 /home/selzshop/domains/selz.shop/public_html/wp-content/plugins/wp-letsencrypt-ssl/lib/LEOrder.php(158): LEClient\LEOrder->createOrder(Array, '', '')
#4 /home/selzshop/domains/selz.shop/public_html/wp-content/plugins/wp-letsencrypt-ssl/lib/LEClient.php(171): LEClient\LEOrder->__construct(Object(LEClient\LEConnector), 1, Array, 'selz.shop', Array, 'rsa-2048', '', '')
#5 /home/selzshop/domains/selz.shop/public_html/wp-content/plugins/wp-letsencrypt-ssl/classes/le-core.php(181): LEClient\LEClient->getOrCreateOrder('selz.shop', Array)
#6 /home/selzshop/domains/selz.shop/public_html/wp-content/plugins/wp-letsencrypt-ssl/classes/le-core.php(136): WPLE_Core->wple_generate_order()
#7 /home/selzshop/domains/selz.shop/public_html/wp-content/plugins/wp-letsencrypt-ssl/classes/le-core.php(104): WPLE_Core->wple_generate_verify_ssl()
#8 /home/selzshop/domains/selz.shop/public_html/wp-content/plugins/wp-letsencrypt-ssl/admin/le_admin.php(435): WPLE_Core->__construct(Array)
#9 /home/selzshop/domains/selz.shop/public_html/wp-includes/class-wp-hook.php(287): WPLE_Admin->wple_save_email_generate_certs('')
#10 /home/selzshop/domains/selz.shop/public_html/wp-includes/class-wp-hook.php(311): WP_Hook->apply_filters(NULL, Array)
#11 /home/selzshop/domains/selz.shop/public_html/wp-includes/plugin.php(478): WP_Hook->do_action(Array)
#12 /home/selzshop/domains/selz.shop/public_html/wp-admin/admin.php(175): do_action('admin_init')
#13 {main}

My web server is (include version): SSD Based Cloud Web Hosting

The operating system my web server runs on is (include version): Cloud Linux

My hosting provider, if applicable, is: GoogieHost

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): This is the control panel I’ve used in googiehost https://cloud.googiehost.com:2222/user/ssl/paste

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I don’t know that

You’ve issued five certificates on August 13th and 15th. Please use one of those if you require a Let’s Encrypt certificate. However, you also got numerous other certificates issued recently through ZeroSSL and some other CA, so you could also use those two.

@Osiris
I’m always learning new things from you. Never knew about the deduplicate parameter for crt.sh. I usually use q, but I noticed you used Identity. Do you know why Let’s Encrypt always generates 2 certificates? I did notice the poison in the first one generated. Is that one a precert?

@freessltools.com Let's Encrypt doesn't generate 2, one is the pre-certificate and one is the actual issued leaf certificate

Those are actually two certificates :wink: The pre-cert and definitive cert are both signed on their own.

Pre-certs indeed. Let's Encrypt opted to use embedded SCTs in their certificates in contrast to SCTs transmitted through OCSP or within the TLS handshake from the webserver.

Well, yes, but I wouldn’t describe the pre-certificate as an actual certificate since it has the poison extension set and only exists for transparency reasons to get the SCT for the “real” certificate.

Technically you are correct though.

I’m used to explaining it to people who don’t have any clue what critical extensions are :wink:

Personally, any X.509 certificate is a certificate. Self signed, poisoned or actually useful, personally I don’t care when using the term “certificate” :wink:

Even more because signing the pre-cert also costs load on the Let’s Encrypt infrastructure, notably the HSMs.

That's what I was thinking based on the poison extension from the article I was reading from

That's what I was thinking based on reading through some of this article by @jsha:

I'm relatively new to the networking/security world. I only recently dove into this area when I decided to code my own acme client in light of the selling-out of zerossl and sslforfree. My encryption background is actually related to biometrics. :smile: I did work many years ago as a test and measurement engineer specializing in testing spec implementation for fibre telecom. Reading through the IETF specs brings back memories of reading through testing specs. :crazy_face:
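
The two points of this thread combined, as an added example that is not code from any poster or from the plugin: Certificate Transparency rows are collapsed so a precertificate and its leaf count as one issuance, then the issuances for the exact name set are counted to estimate when a new order would fit. The limit of 5 per 7 days, the row layout, the serials, the year and the times of day are assumptions constructed for illustration; Let's Encrypt applies the limit from its own records, so this is only an estimate from public data.

```python
from datetime import datetime, timedelta

# Assumptions (not stated in the thread): duplicate-certificate limit and window.
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)

def _row(serial, ts, names, precert):
    # Hypothetical layout for one CT log entry.
    return {"serial": serial, "not_before": datetime.fromisoformat(ts),
            "names": names, "precert": precert}

# Constructed sample: five issuances for the pair on August 13th and 15th
# (year and times invented), each logged twice (precert + leaf), plus one
# certificate for a different name set.
PAIR = ["selz.shop", "www.selz.shop"]
STAMPS = ["2020-08-13T09:00", "2020-08-13T09:30", "2020-08-13T10:00",
          "2020-08-15T08:00", "2020-08-15T08:20"]
ROWS = [_row(f"{i:02x}", ts, PAIR, pre)
        for i, ts in enumerate(STAMPS, 1) for pre in (True, False)]
ROWS.append(_row("ff", "2020-08-14T12:00", ["selz.shop"], False))

def issuances(rows):
    """Collapse precert/leaf pairs: both carry the same serial number."""
    by_serial = {}
    for r in rows:
        key = frozenset(n.lower() for n in r["names"])
        by_serial.setdefault(r["serial"], (key, r["not_before"]))
    return list(by_serial.values())

def duplicate_status(rows, names, now):
    """Return (issuances in window, blocked?, earliest time an order fits)."""
    wanted = frozenset(n.lower() for n in names)   # order and case do not matter
    recent = sorted(t for s, t in issuances(rows)
                    if s == wanted and now - WINDOW < t <= now)
    blocked = len(recent) >= DUPLICATE_LIMIT
    # An order fits once the oldest of the last LIMIT issuances leaves the window.
    retry_at = recent[-DUPLICATE_LIMIT] + WINDOW if blocked else now
    return len(recent), blocked, retry_at

if __name__ == "__main__":
    print(duplicate_status(ROWS, PAIR, datetime(2020, 8, 16, 12, 0)))
```

The certificate for `selz.shop` alone is not counted against the pair, because the limit in the error message applies to the exact set of names.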
