Help understanding a duplicate certificate rate limit error

My domain is:

I ran this command:
Requested a certificate via cert-manager.

It produced this output:

Error creating new order :: too many certificates already issued for exact set of domains: *.internal.granitemedia.com

I ran into this error while adjusting our certificate and I would like help understanding why I encountered this error.

The output here:
https://tools.letsdebug.net/cert-search?m=domain&q=internal.granitemedia.com&d=744

does not seem like it should produce an error based on my understanding of this document:

The request at 18 Sep 2020 22:48:04 UTC was the first request that week (or ever) for exactly the domain *.internal.granitemedia.com. If the rate limit for duplicate domains includes other certs which only mention this domain, there is still only one other certificate issued prior to that which includes *.internal.granitemedia.com.

I am fine to wait until the rate limit elapses to get the new cert issued, I just want help understanding why I hit this error so I can avoid it in the future.

Thank you!

2 Likes

Shows five certificates were issued three days ago for: *.internal.granitemedia.com
Serial Numbers:
03:4c:7a:2b:73:2b:da:9f:ce:b3:ad:b6:2c:0d:dd:d7:b2:88
03:7c:42:a6:47:73:db:09:2f:f9:5a:1c:92:98:8b:36:55:ab
03:23:51:ab:b9:1a:65:78:11:0a:50:50:1d:89:a6:55:9a:e1
03:e9:17:dc:ab:68:e9:ca:71:a3:d9:1b:28:e6:8a:cb:a9:91
03:68:1f:c3:e2:f3:37:c9:ac:7b:01:5a:b4:16:5f:08:90:6b

And on that same day...

One certificate was issued for: *.granitemedia.com & *.internal.granitemedia.com
Serial Number: 04:78:e3:96:a7:ee:c7:f8:6e:88:1a:3a:63:a2:20:0c:e5:dc

One certificate was issued for: granitemedia.com & *.granitemedia.com & *.internal.granitemedia.com
Serial Number: 04:de:02:2b:3f:98:51:5c:89:a8:1a:83:d7:68:56:88:5c:91

2 Likes

Perhaps there was some delay in propagation with crt.sh because as @rg305 already pointed out there are actually 5 identical certificates issued. This is also portrayed by letsdebug:

Duplicate Certificates
*.internal.granitemedia.com 5 of 5 weekly certificates.
The next time this certificate can be issued is 25 Sep 2020 22:48:04 UTC

And in the second column in the second table it says: "5/5 Duplicate Certificates this week"

Couldn't be more clear? At least at this moment. Perhaps you saw another preliminary report?

In any case:

It seems you didn't adjust anything?

Also, when testing, this should be done on the staging environment.

3 Likes
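
An added example, not part of any post in this thread: a sliding-window check for the duplicate-certificate limit as the replies above describe it (5 certificates per exact name set per 7 days), showing why the two multi-name certificates do not count against `*.internal.granitemedia.com`. Only the name sets and the 18 Sep 2020 22:48:04 UTC issuance come from the thread; the other timestamps and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 5                   # "5 of 5 weekly certificates" in the thread
WINDOW = timedelta(days=7)  # sliding window, not a calendar week


def name_set(names):
    """Exact-set key: order and case are ignored, membership is not."""
    return frozenset(n.strip().lower() for n in names)


def duplicate_status(issued, names, now):
    """Return (count_in_window, allowed, next_allowed) for one exact name set.

    issued: iterable of (issued_at, [dns names]) for certificates already issued.
    """
    key = name_set(names)
    hits = sorted(t for t, sans in issued
                  if name_set(sans) == key and now - WINDOW < t <= now)
    if len(hits) < LIMIT:
        return len(hits), True, now
    # A slot frees when the LIMIT-th most recent issuance leaves the window.
    return len(hits), False, hits[-LIMIT] + WINDOW


def utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed issuance log. Only the name sets and the first timestamp are
# from the thread; the remaining timestamps are made up for the example.
WILD = "*.internal.granitemedia.com"
ISSUED = [
    (utc("2020-09-18 22:48:04"), [WILD]),
    (utc("2020-09-18 22:58:10"), [WILD]),
    (utc("2020-09-18 23:08:15"), [WILD]),
    (utc("2020-09-18 23:18:21"), [WILD]),
    (utc("2020-09-18 23:28:30"), [WILD]),
    (utc("2020-09-18 20:00:00"), ["*.granitemedia.com", WILD]),
    (utc("2020-09-18 20:30:00"), ["granitemedia.com", "*.granitemedia.com", WILD]),
]

if __name__ == "__main__":
    now = utc("2020-09-21 12:00:00")
    for names in ([WILD], ["*.granitemedia.com", WILD]):
        count, ok, nxt = duplicate_status(ISSUED, names, now)
        print(f"{sorted(names)}: {count}/{LIMIT} allowed={ok} next={nxt:%d %b %Y %H:%M:%S} UTC")
```

Feeding the same function an issuance log pulled from Certificate Transparency before enabling automatic renewal makes a renewal loop visible as a count climbing toward the limit.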

Thank you both. I had seen the error messages on my certificate requests on letsdebug.net and I falsely interpreted that those were failed requests, but in fact those were successful requests, and my observed rate limiting errors were the result of subsequent requests. Once that clicked, everything else suddenly made sense.

It looks like a bad setting in our cert-manager configuration triggered a renewal loop, which resulted in this behavior. Point taken about the staging environment. That would have saved us some grief and we will be better utilizing it in the future.

2 Likes
