Help with cert renew ("too many certificates already issued for exact set of domains")

Help
1

My domain is: rzm.com.ua (full server name: cloud.rzm.com.ua )

I ran this command: certbot-auto renew

It produced this output:

"Attempting to renew cert (cloud.rzm.com.ua) from /etc/letsencrypt/renewal/cloud.rzm.com.ua.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: cloud.rzm.com.ua: see https://letsencrypt.org/docs/rate-limits/. Skipping."

and

"All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cloud.rzm.com.ua/fullchain.pem (failure)"

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.9

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no.

Hello, guys!

First of all, I would like to say thank you for such amazing idea as free certificates and LetsEncrypt.
Second, i would like to ask you, about help.

I obtained certificate for my web server (cloud.rzm.com.ua), 2018-02-04.
Yesterday, I tried to renew my certificate.

  1. I had run command: certbot-auto renew --dry-run
    And received error: > "Failed authorization procedure. cloud.rzm.com.ua (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cloud.rzm.com.ua/.well-known/acme-challenge/_eBB9eq-2tE_Kkb4MOY7Rw-qEujj2O21rfn9M_e_KIg: "
403 Forbidden".

I solved it, by add a "location /.well-known/acme-challenge" to nginx config in http (80) section (it was in secure section 443 before it).

  1. Aftre renew --dry-run passed ok, I run "certbot-auto renew", and received second error.

"Attempting to renew cert (cloud.rzm.com.ua) from /etc/letsencrypt/renewal/cloud.rzm.com.ua.conf produced an unexpected error: [Errno 2] No such file or directory: '/etc/letsencrypt/archive/cloud.rzm.com.ua/privkey2.pem'. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cloud.rzm.com.ua/fullchain.pem (failure)"

I run "apt-get update" and after this, run "apt-get upgrade". After I rebooted my server, this error disappeared.

  1. And now, when I try to renew my certificate ("certbot-auto renew"), I receive an error:

"Attempting to renew cert (cloud.rzm.com.ua) from /etc/letsencrypt/renewal/cloud.rzm.com.ua.conf produced an unexped :: There were too many requests of a given type :: Error creating new cert :: too many certificates already is rzm.com.ua: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cloud.rzm.com.ua/fullchain.pem (failure)"

I checked https://crt.sh/?q=%25.rzm.com.ua
And there were only 2 certs issued 2018-02-04.
But 1 day ago, added third cert issued 2018-04-16. But this certificate doesn't imported to my server.
And today I see another 5 certs issued for my domain 2018-04-16. But they doesn't saved on my server. Any of them.

Please, tell me what I can to do, to renew my certificate? How can I download issued certs, or how can I issue new one? (And what I should to check at my server, to be sure that new certificate will be saved next time?)

I'm sorry for a such long post. And, thank you for your time.

If you need more logs or verbose "certbot-auto renew", please tell me.

Thank you!

2

Right now, nothing. You have blown through the weekly rate limit for exact duplicate certificates.

The one workaround you have is to add another name (such as a subdomain) to the same certificate (like -d dummy.cloud.rzm.com.ua), which will evade the rate limit.

However, the real problem you need to fix is:

Based on that, it looks like you tried to manually change something in /etc/letsencrypt and broke the directory structure.

At this point it's hard to know how it's broken. If it was me I would just blow away /etc/letsencrypt entirely and start again (after backing it up). However I don't know whether you have any other important files or other certificates in there, so it is not foolproof advice.

2 Likes
3

Dear _az, thank you very much for your answer!

As far, as I can understand from logs, letsencrypt updated couple of times. From version 0.21.1 to 0.22.0. And then, 0.22.0 to 0.22.2. And the last one: 0.22.2 to 0.23.0. May be, somewhere there its brooked.

From your answer, I understand, that I have 3 variants.

  1. Wait time limit expiration, and than retry renew cert one more time (my cert expire 2018-05-05, but Iā€™m still in question, will it updated on my server correctlyā€¦ :roll_eyes: )
  2. Try to add some subdomain to existing cert. And reset rate limit in such way.
  3. Reinstall letsencrypt. And try one more time to renew cert (by way 1 or 2).

Could you please tell me, how exactly reinstall letsencrypt.
I saw couple of folders in /etc/letsencrypt/.
Should I backup:

  1. /etc/letsencrypt/keys - ?
  2. /etc/letsencrypt/csr - ?

As I understand, all another subdirs in /etc/letsencrypt/* I have to backup.

After this, I should run: sudo apt-get remove letsencrypt

And after that, install it one more time, and restore backuped certificate.

If Iā€™m mistaken somewhere, please, correct me, if itā€™s possible.

One more time, thank you!

4

You can just backup and remove the entirety of /etc/letsencrypt.

Re-installing letsencrypt via apt is not necessary. /etc/letsencrypt will be automatically recreated next time you issue a certificate.

You only have one option: to repair /etc/letsencrypt. Just waiting out the rate limit isn't going to help you, because you would still get the error related to your broken /etc/letsencrypt tree.

If this is the case, then it is a severe bug with Certbot. If you can figure out how to reproduce it, it would be great if you could report on how to do it.

1 Like
5

Hello, _az.

Thank you one more time, for your answers!

I wait one week until date of last certs issue doesnā€™t pass.
After that, I moved old folder /etc/letsencrypt to my homefolder/_BKPs/, by our advise! And run new certs request by run ā€œcertbot-auto certonly -a webroot --email MY_MAIL@rzm.com.ua --webroot-path=/usr/share/nginx/html -d cloud.rzm.com.uaā€.

And every thing run just perfect!

So, thank you, for your help! :slight_smile:

PS. Unfortunately, Iā€™m not strong enough in software debugging. Thatā€™s why I didnā€™t send any logs to support.

6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.