Help too many certificates already issued

Due to my mistake, I requested the certificate too many times, now I have this error: Failed to create order: Error creating new order :: too many certificates already issued for exact set of domains:

I have read the regulation but I did not understand how long I have to wait before regenerating the certificate. Can anyone help me?

2 Likes

Do you still have any of those certs?
Otherwise, it may be one week since the fifth cert was issued.

[&2* readers: Get involved; Be heard. It starts with: if you read something you like, then like it :heart:]

2 Likes

Unfortunately no, I always had to recreate the vm

2 Likes

Oh, then you may have to wait...
Until there are less than five that have been issued in the past week.


2 Likes

Do you know how long I have to wait? I have not understood correctly.

2 Likes

You created five certs today (with the exact same set of names).
You can only have five such certs issued in a week (7 day period).
You will have to wait one week for that threshold to clear.
OR
You can issue a cert that is NOT for the exact same set of names (in this case the single name).


3 Likes
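
Added example (not part of any post in this thread): the rule described above, five certificates per exact set of names in a 7-day period, modelled as a sliding window. The history records, names and timestamps are constructed sample data, and the sliding-window reading is an assumption based on the posts; Let's Encrypt's current rate-limit mechanics may differ.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 5                    # certificates per exact set of names (from the thread)
WINDOW = timedelta(days=7)   # "in a week (7 day period)"


def name_set(names):
    """The limit applies to the exact *set* of names: order and case are irrelevant."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)


def next_issuance_time(history, names, now):
    """Earliest time >= now at which one more certificate for exactly `names`
    stays under LIMIT within WINDOW.

    history: iterable of (issued_at, [names]) records, e.g. collected from an
             ACME client's logs or a certificate transparency search.
    """
    wanted = name_set(names)
    recent = sorted(
        issued for issued, cert_names in history
        if name_set(cert_names) == wanted and now - WINDOW < issued <= now
    )
    if len(recent) < LIMIT:
        return now
    # Enough of the oldest entries must age out that fewer than LIMIT remain.
    blocking = recent[len(recent) - LIMIT]
    return blocking + WINDOW


def _utc(day, hour):
    return datetime(2020, 11, day, hour, 0, tzinfo=timezone.utc)


# Constructed sample data: a VM rebuilt five times in one day, each rebuild
# requesting a fresh certificate for the same single name.
NOW = _utc(10, 18)
SAMPLE_HISTORY = [
    (_utc(1, 8), ["SIP.example.org"]),                       # older than 7 days
    (_utc(10, 9), ["sip.example.org"]),
    (_utc(10, 10), ["sip.example.org"]),
    (_utc(10, 11), ["sip.example.org"]),
    (_utc(10, 12), ["sip.example.org"]),
    (_utc(10, 13), ["sip.example.org"]),
    (_utc(10, 14), ["sip.example.org", "www.example.org"]),  # different set
]

if __name__ == "__main__":
    print("same single name:", next_issuance_time(SAMPLE_HISTORY, ["sip.example.org"], NOW))
    print("different set:   ", next_issuance_time(
        SAMPLE_HISTORY, ["sip.example.org", "meet.example.org"], NOW))
```
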

That's not a very considerate way of "consuming" certificates. It costs Let's Encrypt resources to generate a certificate. Heck, it costs Let's Encrypt considerable resources for the next 90 days, because of signed OCSP responses required for every issued certificate.

Just because Let's Encrypt certificates are free for you, it doesn't mean it doesn't cost something, in this case Let's Encrypt. Imagine if thousands of other people are thinking like you (with 7 billion people in the world not an unlikely scenario): it would cost Let's Encrypt a lot of resources, just because you're recreating your VM without storing the certificates in a permanent location!

For testing there's the Staging Environment, please use that if you're not ready for production grade services.

4 Likes

I apologize for this mistake. I have been using it for years but it had never happened to me; every time I recreated the machine, I revoked the certificate and thought it was not a problem. However, among the many snapshots I found a .p7b valid until January. The problem is that I cannot install it on skype4b, I believe because I am missing the primary key. What advice?

2 Likes

But yet, you have much to learn:

If the private key hasn't been compromised, there isn't really much use for revoking the certificate. More so, because the LE certs are valid for just 90 days. So even if an old backup for example would be somehow compromised, if it's older than 90 days, it wouldn't matter, as the cert(s) would have been invalid anyway.

A certificate should always be accompanied with a private key. If you don't have the private key corresponding to the public key inside the certificate, the certificate is useless.

If you don't have any private key in your possession any longer and you can't get a new certificate because of the rate limits, you'll just have to wait. And learn from this experience.

3 Likes

With a little patience I recovered the private key.

Can you give me some advice, because with this new certificate, verifying the installation of skype4b, Microsoft writes me: The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

Thanks Alessandro

2 Likes

Here is a cool tool that could help you get out of this mess:
https://whatsmychaincert.com/generate?include_leaf=1;host=YOUR.SITE.NAME

If not obvious, you will need to replace "YOUR.SITE.NAME" with your site's name (FQDN).


2 Likes

We live and learn, my friend. :slightly_smiling_face: We'll always do our best to help you out how we can, Alessandro.

  • Revocation of a certificate only prevents the certificate from being trusted when the certificate is checked via the certificate authority (Let's Encrypt).
  • Revocation of a certificate does not prevent its private key from working.
  • A certificate should only be revoked to prevent untrusted entities from utilizing the certificate for false representation, which would require possession of its private key.
  • A private key should be purged when its certificate is no longer needed, regardless of whether or not its certificate has been revoked.
2 Likes

Hi griffi and rg305

With the new certificate I have problems and I cannot understand if it is the fault of the new certificate or something on the skype4B servers. Can you tell me if it's normal for Microsoft to report this to me on their test site?

2 Likes

Not enough is shown to know for certain.
It seems that your Windows doesn't like the cert.

Have you done all the "Windows Updates" ?
Also, sometimes, MS is picky about which names are on the SAN and which name is in the CN.
You would have to ask MS if they have any such specific requirements on the cert they use for S4B.


2 Likes

Hi @GhezziA

checking your port - https://check-your-website.server-daten.de/?q=sip.eservizi.it%3A5061 - your installed certificate is revoked.

Revoked: The certificate is revoked.

And it sends the intermediate certificate that uses the

CN=ISRG Root X1, O=Internet Security Research Group, C=US
	04.06.2015
	04.06.2035
expires in 5336 days

That's good. But it's unknown if the error message happens because your certificate is revoked (so the error message may be not so good).

So: Hitting the limit -> wait, then create one new certificate, then install it.

And check, if the ISRG root is installed.

PS: The warning isn't really so relevant. It's more a client warning. If an older Windows client tries to connect to your server, that may fail.

But your server doesn't send the root certificate (that's good), so it's not really a server problem.

It's a warning, not an error.

3 Likes

Hi All

Is there a way to check if a certificate has been revoked? Because if you install the certificate in the Windows store, they are always valid. Is there a way to verify?

Thanks Alessandro

2 Likes

3 posts were split to a new topic: Download certificate without private key