Help with cert renew ("too many certificates already issued for exact set of domains")

My domain is: rzm.com.ua (full server name: cloud.rzm.com.ua )

I ran this command: certbot-auto renew

It produced this output:

"Attempting to renew cert (cloud.rzm.com.ua) from /etc/letsencrypt/renewal/cloud.rzm.com.ua.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: cloud.rzm.com.ua: see https://letsencrypt.org/docs/rate-limits/. Skipping."

and

"All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cloud.rzm.com.ua/fullchain.pem (failure)"

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.9

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no.

Hello, guys!

First of all, I would like to say thank you for such an amazing idea as free certificates and Let's Encrypt.
Second, I would like to ask you for help.

I obtained a certificate for my web server (cloud.rzm.com.ua) on 2018-02-04.
Yesterday, I tried to renew my certificate.

  1. I ran the command: certbot-auto renew --dry-run
     And received the error: "Failed authorization procedure. cloud.rzm.com.ua (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cloud.rzm.com.ua/.well-known/acme-challenge/_eBB9eq-2tE_Kkb4MOY7Rw-qEujj2O21rfn9M_e_KIg: "403 Forbidden".

I solved it by adding a "location /.well-known/acme-challenge" to the nginx config in the http (80) section (it was in the secure section, 443, before).

  2. After renew --dry-run passed OK, I ran "certbot-auto renew" and received a second error.

"Attempting to renew cert (cloud.rzm.com.ua) from /etc/letsencrypt/renewal/cloud.rzm.com.ua.conf produced an unexpected error: [Errno 2] No such file or directory: '/etc/letsencrypt/archive/cloud.rzm.com.ua/privkey2.pem'. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cloud.rzm.com.ua/fullchain.pem (failure)"

I ran "apt-get update" and after this, ran "apt-get upgrade". After I rebooted my server, this error disappeared.

  3. And now, when I try to renew my certificate ("certbot-auto renew"), I receive an error:

"Attempting to renew cert (cloud.rzm.com.ua) from /etc/letsencrypt/renewal/cloud.rzm.com.ua.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: cloud.rzm.com.ua: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cloud.rzm.com.ua/fullchain.pem (failure)"

I checked https://crt.sh/?q=%25.rzm.com.ua
And there were only 2 certs issued on 2018-02-04.
But 1 day ago, a third cert was added, issued 2018-04-16. But this certificate wasn't imported to my server.
And today I see another 5 certs issued for my domain on 2018-04-16. But they weren't saved on my server. None of them.

Please tell me what I can do to renew my certificate. How can I download the issued certs, or how can I issue a new one? (And what should I check on my server, to be sure that the new certificate will be saved next time?)

I'm sorry for such a long post. And thank you for your time.

If you need more logs or verbose "certbot-auto renew", please tell me.

Thank you!

Right now, nothing. You have blown through the weekly rate limit for exact duplicate certificates.

The one workaround you have is to add another name (such as a subdomain) to the same certificate (like -d dummy.cloud.rzm.com.ua), which will evade the rate limit.

However, the real problem you need to fix is:

Based on that, it looks like you tried to manually change something in /etc/letsencrypt and broke the directory structure.

At this point it's hard to know how it's broken. If it was me I would just blow away /etc/letsencrypt entirely and start again (after backing it up). However I don't know whether you have any other important files or other certificates in there, so it is not foolproof advice.

2 Likes
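The OP asks what to check on the server so that the next renewal is saved correctly, and the answer above points at a broken /etc/letsencrypt tree (the earlier "privkey2.pem: No such file or directory" error is exactly what a dangling live/ symlink produces). The script below is an added example for readers of this thread, not code from the thread, from certbot or from Let's Encrypt. It assumes certbot's default layout (live/NAME/*.pem symlinks into archive/NAME/, and renewal/NAME.conf holding absolute paths); the root directory is a parameter so it can be run against /etc/letsencrypt, a backup copy, or the constructed test tree. It only reads the tree and writes a backup archive; it changes nothing.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot itself.
# Assumed layout is certbot's default:
#   ROOT/live/NAME/{cert,chain,fullchain,privkey}.pem  -> symlinks
#   ROOT/archive/NAME/<file>N.pem                       -> real files
#   ROOT/renewal/NAME.conf                              -> absolute paths
# ROOT is normally /etc/letsencrypt; it is a parameter so the check can be
# run against a copy or a constructed test tree.

# backup_tree ROOT DEST
# Archives ROOT into DEST/letsencrypt-<timestamp>.tar and prints the
# archive path, so a repair attempt never starts without a copy.
backup_tree() {
    root="$1"; dest="$2"
    archive="$dest/letsencrypt-$(date +%Y%m%d-%H%M%S).tar"
    mkdir -p "$dest"
    tar -cf "$archive" -C "$(dirname "$root")" "$(basename "$root")" || return 1
    echo "$archive"
}

# check_lineage ROOT NAME
# Reports every inconsistency in one certificate lineage: a live/ entry
# that is not a symlink, a symlink whose archive/ target is gone (the
# "privkey2.pem: No such file or directory" case from the thread), and a
# renewal config that is missing or points at files that do not exist.
# Returns 0 when the lineage is consistent, 1 otherwise.
check_lineage() {
    root="$1"; name="$2"; status=0
    live="$root/live/$name"
    conf="$root/renewal/$name.conf"

    if [ ! -d "$live" ]; then
        echo "missing live directory: $live"
        return 1
    fi
    for f in cert chain fullchain privkey; do
        link="$live/$f.pem"
        if [ ! -L "$link" ]; then
            echo "not a symlink: $link"; status=1; continue
        fi
        target=$(readlink "$link")
        # certbot writes relative links (../../archive/NAME/privkeyN.pem),
        # which resolve relative to the live/NAME directory
        case "$target" in
            /*) resolved="$target" ;;
            *)  resolved="$live/$target" ;;
        esac
        if [ ! -f "$resolved" ]; then
            echo "dangling symlink: $link -> $target"; status=1
        fi
    done

    if [ ! -f "$conf" ]; then
        echo "missing renewal config: $conf"; status=1
    else
        # each "key = /path" line in the renewal config must point at a file
        for key in cert privkey chain fullchain; do
            path=$(sed -n "s/^$key *= *//p" "$conf" | head -n 1)
            if [ -z "$path" ]; then
                echo "renewal config lacks '$key ='"; status=1
            elif [ ! -e "$path" ]; then
                echo "renewal config points at missing file: $path"; status=1
            fi
        done
    fi
    return $status
}

# check_all ROOT: run check_lineage for every lineage under ROOT/renewal
check_all() {
    root="$1"; rc=0
    for c in "$root"/renewal/*.conf; do
        [ -e "$c" ] || { echo "no renewal configs under $root"; return 1; }
        name=$(basename "$c" .conf)
        check_lineage "$root" "$name" || rc=1
    done
    return $rc
}

# usage on the real tree (as root), backing up before anything else:
#   backup_tree /etc/letsencrypt "$HOME/_BKPs" && check_all /etc/letsencrypt
```

A clean run prints nothing and exits 0; any line it does print names the exact symlink, file or config key that certbot will trip over, which is the part a reader should fix (or, as the answer says, back up and remove the whole tree) before spending another issuance against the rate limit.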

Dear _az, thank you very much for your answer!

As far as I can understand from the logs, letsencrypt was updated a couple of times. From version 0.21.1 to 0.22.0. And then, 0.22.0 to 0.22.2. And the last one: 0.22.2 to 0.23.0. Maybe somewhere there it's broken.

From your answer, I understand that I have 3 variants.

  1. Wait for the time limit to expire, and then retry the cert renewal one more time (my cert expires 2018-05-05, but I'm still in question whether it will be updated on my server correctly… :roll_eyes: )
  2. Try to add some subdomain to the existing cert, and reset the rate limit in such a way.
  3. Reinstall letsencrypt, and try one more time to renew the cert (by way 1 or 2).

Could you please tell me how exactly to reinstall letsencrypt?
I saw a couple of folders in /etc/letsencrypt/.
Should I back up:

  1. /etc/letsencrypt/keys - ?
  2. /etc/letsencrypt/csr - ?

As I understand, all the other subdirs in /etc/letsencrypt/* I have to back up.

After this, I should run: sudo apt-get remove letsencrypt

And after that, install it one more time, and restore the backed-up certificate.

If I'm mistaken somewhere, please correct me, if it's possible.

One more time, thank you!

You can just back up and remove the entirety of /etc/letsencrypt.

Re-installing letsencrypt via apt is not necessary. /etc/letsencrypt will be automatically recreated next time you issue a certificate.

You only have one option: to repair /etc/letsencrypt. Just waiting out the rate limit isn't going to help you, because you would still get the error related to your broken /etc/letsencrypt tree.

If this is the case, then it is a severe bug with Certbot. If you can figure out how to reproduce it, it would be great if you could report on how to do it.

1 Like

Hello, _az.

Thank you one more time for your answers!

I waited one week, until the date of the last certs' issue had passed.
After that, I moved the old folder /etc/letsencrypt to my homefolder/_BKPs/, by your advice! And ran a new certs request by running "certbot-auto certonly -a webroot --email MY_MAIL@rzm.com.ua --webroot-path=/usr/share/nginx/html -d cloud.rzm.com.ua".

And everything ran just perfectly!

So, thank you for your help! :slight_smile:

PS. Unfortunately, I'm not strong enough in software debugging. That's why I didn't send any logs to support.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.