Help! Vanilla install and now getting expired certificate!

My domain is: ljay.org.uk,www.ljay.org.uk

I ran this command: standard cron certbot command

It produced this output: acme.messages.Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: ljay.org.uk,www.ljay.org.uk: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version): Apache 2.4.25-3+deb9u

The operating system my web server runs on is (include version): 4.9.0-8-686-pae #1 SMP Debian 4.9.144-3 (2019-02-02) i686 GNU/Linux

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

Thanks :slight_smile:

1 Like

Hi @elljay

you have created a lot of certificates.

My own tool removes the duplicates, but currently the newest certificates are missing ( https://check-your-website.server-daten.de/?q=ljay.org.uk ):

CRT-Id	Issuer	not before	not after	Domain names	LE-Duplicate	next LE
1388864746	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-04-15 20:57:16	2019-07-14 20:57:16	ljay.org.uk, www.ljay.org.uk (2 entries)
1388598468	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-04-15 18:23:24	2019-07-14 18:23:24	ljay.org.uk, www.ljay.org.uk (2 entries)
1376891126	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-04-10 16:50:52	2019-07-09 16:50:52	ljay.org.uk, www.ljay.org.uk (2 entries)
1375901757	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-04-10 06:54:19	2019-07-09 06:54:19	ljay.org.uk, www.ljay.org.uk (2 entries)
1374213162	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-04-09 14:37:34	2019-07-08 14:37:34	ljay.org.uk, www.ljay.org.uk (2 entries)
1372185624	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-04-08 20:06:13	2019-07-07 20:06:13	ljay.org.uk, www.ljay.org.uk (2 entries)
1370684224	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-04-08 04:33:24	2019-07-07 04:33:24	ljay.org.uk, www.ljay.org.uk (2 entries)
1358509388	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-04-03 02:30:24	2019-07-02 02:30:24	ljay.org.uk, www.ljay.org.uk (2 entries)
1357639046	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-04-02 13:33:28	2019-07-01 13:33:28	ljay.org.uk, www.ljay.org.uk (2 entries)
1357038901	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-04-02 04:36:59	2019-07-01 04:36:59	ljay.org.uk, www.ljay.org.uk (2 entries)
1356437627	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-04-01 19:30:49	2019-06-30 19:30:49	ljay.org.uk, www.ljay.org.uk (2 entries)
1354913370	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-03-31 23:06:47	2019-06-29 23:06:47	ljay.org.uk, www.ljay.org.uk (2 entries)
1345516584	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-03-26 18:42:34	2019-06-24 17:42:34	ljay.org.uk, www.ljay.org.uk (2 entries)
1344670310	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-03-26 08:18:01	2019-06-24 07:18:01	ljay.org.uk, www.ljay.org.uk (2 entries)
1343923338	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-03-25 20:08:22	2019-06-23 19:08:22	ljay.org.uk, www.ljay.org.uk (2 entries)
1342588435	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-03-25 07:05:37	2019-06-23 06:05:37	ljay.org.uk, www.ljay.org.uk (2 entries)
1341477915	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-03-24 20:24:06	2019-06-22 19:24:06	ljay.org.uk, www.ljay.org.uk (2 entries)
1138315174	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2019-01-23 18:00:17	2019-04-23 17:00:17	ljay.org.uk, www.ljay.org.uk (2 entries)
973378787	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2018-11-24 17:37:05	2019-02-22 17:37:05	ljay.org.uk, www.ljay.org.uk (2 entries)
823231223	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2018-09-25 00:28:54	2018-12-24 01:28:54	ljay.org.uk, www.ljay.org.uk (2 entries)
656858451	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	2018-07-24 10:21:56	2018-10-22 10:21:56	ljay.org.uk, www.ljay.org.uk (2 entries)

You see: That started 2019-03-24, then 5 new certificates, that hits the limit.

The next block started 2019-03-31, then 2019-04-08 and 2019-04-15.

So you have a lot of certificates. Where are these?

What does this say:

certbot certificates
1 Like

Hi @JuergenAuer - thanks for the quick reply. :slight_smile:

I thought I’d done a standard install and was running the standard cron job that comes with the package so I’m surprised to see so many!

certbot certificates says:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ljay.org.uk
    Domains: ljay.org.uk www.ljay.org.uk
    Expiry Date: 2019-04-23 19:00:17+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/ljay.org.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ljay.org.uk/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 Like

This is the “certbot” file that the Debian installer puts in /etc/cron.d - looks like it runs twice a day:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
1 Like

Is there only this one expired certificate?

Is there a second certbot?

Or another Letsencrypt client?

You must have these certificates somewhere.

Looks like the certificate creation has worked - but not the installation.

1 Like

Is there only this one expired certificate? That’s all it reports, yes

Is there a second certbot? Not that I’m aware of

Or another Letsencrypt client? Not that I’m aware of! :o

Looking through the log file where it first tried to renew and pulling out the relevant lines:

2019-03-24 22:23:14,417:DEBUG:certbot.main:certbot version: 0.28.0

2019-03-24 22:23:14,447:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-04-23 19:00:17 UTC.
2019-03-24 22:23:14,447:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2019-03-24 22:23:14,447:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer apache
2019-03-24 22:23:14,579:DEBUG:certbot_apache.configurator:Apache version is 2.4.25
2019-03-24 22:23:15,143:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache

2019-03-24 22:24:06,038:WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45). Skipping.

2019-03-24 22:24:06,056:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-03-24 22:24:06,056:ERROR:certbot.renewal: /etc/letsencrypt/live/ljay.org.uk/fullchain.pem (failure)

…so it looks like it timed out waiting for the new certificate?

1 Like

No. The Certificate Transparency log entries are created if the certificate is created. What you see is only the start.

But it's possible: If the connection is extremely bad, then certbot tries to download the certificate - and can't finish this action.

Check the log to see if there is such a message.

1 Like

Ah, ok. Sorry, I’m not sure what message I’m looking for? I tried to post the log section but it was too long with too many links! Please could you give some more detail of what to look for or advise how to get the full log to you. Thanks :slight_smile:

1 Like

I could post the log as a file on my server if that helps?

1 Like

Have posted the log file here: http://ljay.org.uk/letsencrypt.log.4.txt

1 Like

Search words like "unexpected", "error" etc.

Or look whether there is a Congratulations message.

Congratulations, all renewals succeeded. The following certs have been renewed:

Congratulations! Your certificate and chain have been saved at

1 Like

“unexpected” gives:

2019-03-24 22:24:06,038:WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45). Skipping.
2019-03-25 09:05:36,042:WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45). Skipping.
2019-03-25 22:08:20,795:WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45). Skipping.
2019-03-26 10:18:00,488:WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45). Skipping.
2019-03-26 20:42:33,611:WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45). Skipping.
2019-03-27 02:57:03,637:WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: ljay.org.uk,www.ljay.org.uk: see https://letsencrypt.org/docs/rate-limits/. Skipping.
2019-03-27 12:31:16,153:WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: ljay.org.uk,www.ljay.org.uk: see https://letsencrypt.org/docs/rate-limits/. Skipping.

“error” starts with:

2019-03-24 22:23:20,990:DEBUG:certbot.error_handler:Calling registered functions
2019-03-24 22:24:06,038:WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45). Skipping.
raise six.reraise(type(error), error, _stacktrace)
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2019-03-25 09:04:51,007:DEBUG:certbot.error_handler:Calling registered functions
2019-03-25 09:05:36,042:WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45). Skipping.
raise six.reraise(type(error), error, _stacktrace)
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

I’ve put the full file here: http://ljay.org.uk/letsencrypt.log.4.txt

1 Like

That's

2019-03-24 22:24:06,038:WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45). Skipping.

really bad. Letsencrypt has confirmed the challenges

{
  "identifier": {
    "type": "dns",
    "value": "www.ljay.org.uk"
  },
  "status": "valid",
  "expires": "2019-04-23T22:23:18Z",
  "challenges": [

then certbot creates a CSR, sends it to the finalize - address. Then Letsencrypt creates the certificate - but Certbot has a timeout.

2019-03-25 09:05:36

the same thing.

Do you use a hard coded ip address in your hosts file?

Check the last log to find an order url.

Something like

https://acme-v02.api.letsencrypt.org/acme/order/38909655/379753212

search

https://acme-v02.api.letsencrypt.org/acme/order/38909655/

Open these urls in your browser. Perhaps one is valid and has a certificate url.

Then you must find the private key of that certificate (look at the file creation time). There is a directory with the private keys.

2 Likes

Nothing hard coded, just the normal 127.0.0.1 and ::1 definitions

Ok- found one that is valid and has an expiry date of the 30th April :+1:

I've downloaded the certificate. :+1:

I've found the pem file that matches the timestamp in /etc/letsencrypt/keys :+1:

I guess I need to work out where Apache looks for those files... Almost there! :o

1 Like

Aha - symbolic links in /etc/letsencrypt/live/ljay.org.uk

The privkey file is about the same size so that looks ok.

The cert file looks too big.

Ah - it looks like it’s the fullchain file…

Yeay! Certificate now valid until 22nd July! :smiley: Thanks for your help @JuergenAuer ! :+1: :+1:

I’ve disabled the cron job for now.

Any suggestions how to debug the certificate timeout issues? (It downloaded fine from the same server just now!)

Any suggestions why the cron job didn’t email root when it encountered errors? If it had done that on 24th March we would have had a month before the certificate expired to sort the problem :slight_smile:

2 Likes
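
The alerting gap raised in the post above, as an added example (not from the thread and not part of certbot): a Python check that reads a certbot log, finds failed renewals and reports how much lead time remained before expiry. The sample log is constructed from lines quoted in the thread with messages shortened; the function names, the result fields and the timeouts-then-rate-limit heuristic are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample assembled from log lines quoted in the thread (messages shortened).
_PFX = ("WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from "
        "/etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: ")
_TIMEOUT = ("HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): "
            "Read timed out. (read timeout=45). Skipping.")
_LIMIT = "urn:ietf:params:acme:error:rateLimited :: There were too many requests. Skipping."
SAMPLE_LOG = "\n".join([
    "2019-03-24 22:23:14,447:DEBUG:certbot.storage:Should renew, less than 30 days "
    "before certificate expiry 2019-04-23 19:00:17 UTC.",
    "2019-03-24 22:24:06,038:" + _PFX + _TIMEOUT,
    "raise six.reraise(type(error), error, _stacktrace)",  # traceback line, no timestamp
    "2019-03-25 09:05:36,042:" + _PFX + _TIMEOUT,
    "2019-03-27 02:57:03,637:" + _PFX + _LIMIT,
])

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+:(\w+):[\w.]+:(.*)$")
EXPIRY = re.compile(r"certificate expiry (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC")
FAILED = re.compile(r"produced an unexpected error: (.*)")
FMT = "%Y-%m-%d %H:%M:%S"

def classify(err):
    return "rate_limited" if "rateLimited" in err else "timeout" if "timed out" in err else "other"

def summarize(log_text):
    """Summarize failed renewals in a certbot log so a monitor can alert on them."""
    expiry, failures = None, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # traceback and continuation lines carry no timestamp
        ts, level, msg = datetime.strptime(m.group(1), FMT), m.group(2), m.group(3)
        if (e := EXPIRY.search(msg)):
            expiry = datetime.strptime(e.group(1), FMT)
        if level == "WARNING" and (f := FAILED.search(msg)):
            failures.append((ts, classify(f.group(1))))
    kinds = [kind for _, kind in failures]
    first = failures[0][0] if failures else None
    limited_at = kinds.index("rate_limited") if "rate_limited" in kinds else 0
    # Lead time is approximate (log times are server-local, expiry is UTC);
    # the last field is a heuristic for timeouts that precede the rate limit.
    return {
        "alert": bool(failures),
        "first_failure": first,
        "counts": {k: kinds.count(k) for k in sorted(set(kinds))},
        "days_before_expiry": (expiry - first).days if expiry and first else None,
        "timeouts_then_rate_limit": "timeout" in kinds[:limited_at],
    }
```

Run against `/var/log/letsencrypt/letsencrypt.log` from a monitoring job, a non-empty `counts` on the first failed run is the signal that would have arrived weeks before the expiry date.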

Can you post the output of this?

ls -l /etc/letsencrypt/{live,archive}

1 Like

Hi @schoen, sure:

root@sam:~# ls -l /etc/letsencrypt/{live,archive}
/etc/letsencrypt/archive:
total 4
drwxr-xr-x 2 root root 4096 Apr 23 23:04 ljay.org.uk

/etc/letsencrypt/live:
total 4
drwxr-xr-x 2 root root 4096 Apr 23 23:06 ljay.org.uk

1 Like

Oh sorry, I should have said

ls -l /etc/letsencrypt/{live,archive}/*

1 Like

No prob... :slight_smile:

root@sam:~# ls -l /etc/letsencrypt/{live,archive}/*
/etc/letsencrypt/archive/ljay.org.uk:
total 72
-rw-r--r-- 1 root root 2167 Jul 24 2018 cert1.pem
-rw-r--r-- 1 root root 2167 Sep 25 2018 cert2.pem
-rw-r--r-- 1 root root 1927 Nov 24 19:37 cert3.pem
-rw-r--r-- 1 root root 1923 Jan 23 20:00 cert4.pem
-rw-r--r-- 1 root root 1647 Jul 24 2018 chain1.pem
-rw-r--r-- 1 root root 1647 Sep 25 2018 chain2.pem
-rw-r--r-- 1 root root 1647 Nov 24 19:37 chain3.pem
-rw-r--r-- 1 root root 1647 Jan 23 20:00 chain4.pem
-rw-r--r-- 1 root root 3814 Jul 24 2018 fullchain1.pem
-rw-r--r-- 1 root root 3814 Sep 25 2018 fullchain2.pem
-rw-r--r-- 1 root root 3574 Nov 24 19:37 fullchain3.pem
-rw-r--r-- 1 root root 3570 Jan 23 20:00 fullchain4.pem
-rw-r--r-- 1 root root 3571 Apr 23 23:02 fullchain-fix.pem
-rw-r--r-- 1 root root 1704 Jul 24 2018 privkey1.pem
-rw-r--r-- 1 root root 1704 Sep 25 2018 privkey2.pem
-rw-r--r-- 1 root root 1704 Nov 24 19:37 privkey3.pem
-rw-r--r-- 1 root root 1704 Jan 23 20:00 privkey4.pem
-rw------- 1 root root 1704 Apr 23 23:04 privkey-fix-0070_key-certbot.pem

/etc/letsencrypt/live/ljay.org.uk:
total 4
lrwxrwxrwx 1 root root 35 Jan 23 20:00 cert.pem -> ../../archive/ljay.org.uk/cert4.pem
lrwxrwxrwx 1 root root 36 Jan 23 20:00 chain.pem -> ../../archive/ljay.org.uk/chain4.pem
lrwxrwxrwx 1 root root 43 Apr 23 23:05 fullchain.pem -> ../../archive/ljay.org.uk/fullchain-fix.pem
lrwxrwxrwx 1 root root 58 Apr 23 23:06 privkey.pem -> ../../archive/ljay.org.uk/privkey-fix-0070_key-certbot.pem
-rw-r--r-- 1 root root 682 Jul 24 2018 README

1 Like