Help with Rate Limits with Discourse Installation

My domain is:
forums.penttbomb.com

I ran this command:
sudo ./launcher logs app

It produced this output:
A series of errors indicating that Nginx is unable to load an ECC certificate, such as:

x86_64 arch detected.
run-parts: executing /etc/runit/1.d/00-ensure-links
run-parts: executing /etc/runit/1.d/00-fix-var-logs
run-parts: executing /etc/runit/1.d/01-cleanup-web-pids
run-parts: executing /etc/runit/1.d/anacron
run-parts: executing /etc/runit/1.d/cleanup-pids
Cleaning stale PID files
run-parts: executing /etc/runit/1.d/copy-env
run-parts: executing /etc/runit/1.d/letsencrypt
[Wed Apr  2 11:11:20 PM UTC 2025] Domains not changed.
[Wed Apr  2 11:11:20 PM UTC 2025] Skip, Next renewal time is: 2025-05-31T22:45:14Z
[Wed Apr  2 11:11:20 PM UTC 2025] Add '--force' to force to renew.
[Wed Apr  2 11:11:20 PM UTC 2025] Installing key to: /shared/ssl/forums.penttbomb.com.key
[Wed Apr  2 11:11:20 PM UTC 2025] Installing full chain to: /shared/ssl/forums.penttbomb.com.cer
[Wed Apr  2 11:11:20 PM UTC 2025] Run reload cmd: sv reload nginx
warning: nginx: unable to open supervise/ok: file does not exist
[Wed Apr  2 11:11:20 PM UTC 2025] Reload error for :
[Wed Apr  2 11:11:21 PM UTC 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed Apr  2 11:11:21 PM UTC 2025] Single domain='forums.penttbomb.com'
[Wed Apr  2 11:11:21 PM UTC 2025] Getting domain auth token for each domain
[Wed Apr  2 11:11:21 PM UTC 2025] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2025-04-04 02:21:19 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames",
  "status": 429
}
[Wed Apr  2 11:11:21 PM UTC 2025] Please check log file for more details: /shared/letsencrypt/acme.sh.log
Could not open file or uri for loading certificate from ca.cer
4097C1C5DA770000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
4097C1C5DA770000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(ca.cer)
Unable to load certificate
Error loading file /dev/fd/63
40871A5A507C0000:error:05800088:x509 certificate routines:X509_load_cert_crl_file_ex:no certificate or crl found:../crypto/x509/by_file.c:251:
[Wed Apr  2 11:11:22 PM UTC 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed Apr  2 11:11:22 PM UTC 2025] Single domain='forums.penttbomb.com'
[Wed Apr  2 11:11:22 PM UTC 2025] Getting domain auth token for each domain
[Wed Apr  2 11:11:22 PM UTC 2025] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2025-04-04 02:29:35 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames",
  "status": 429
}
[Wed Apr  2 11:11:23 PM UTC 2025] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Wed Apr  2 11:11:23 PM UTC 2025] Installing key to: /shared/ssl/forums.penttbomb.com_ecc.key
[Wed Apr  2 11:11:23 PM UTC 2025] Installing full chain to: /shared/ssl/forums.penttbomb.com_ecc.cer
cat: /shared/letsencrypt/forums.penttbomb.com_ecc/fullchain.cer: No such file or directory
Started runsvdir, PID is 1590
warning: redis: unable to open supervise/ok: file does not exist
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
ok: run: redis: (pid 1610) 1s
ok: run: postgres: (pid 1606) 1s
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
supervisor pid: 1623 unicorn pid: 1629
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
nginx: [warn] duplicate extension "wasm", content type: "application/wasm", previous content type: "application/wasm" in /etc/nginx/conf.d/discourse.conf:4
nginx: [emerg] cannot load certificate "/shared/ssl/forums.penttbomb.com_ecc.cer": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)

It also shows rate limit messages from Let's Encrypt (e.g., "too many certificates (5) already issued for this exact set of domains...").

I'm using Nginx as part of the official Discourse Docker installation. (The Nginx version is the one bundled in the Discourse image.) I don't know what version either, as when I run the command it says nginx doesn't exist, yet it appears on HTTP but not HTTPS.

The operating system my web server runs on is (include version):
The host is running Ubuntu (e.g., Ubuntu 20.04 LTS on a Hetzner VPS).

My hosting provider, if applicable, is:
Hetzner

I can login to a root shell on my machine:
Yes (I have sudo/root access via SSH).

I'm using a control panel to manage my site:
No, I’m managing it via the command line and the Discourse Docker setup.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): none of these commands worked for me at all.

I'm using acme.sh as integrated in the Discourse Docker setup (version not specifically determined).

I've been trying to get my Discourse installation running over HTTPS for the past 3–4 days. I'm extremely new to this and have been troubleshooting this issue relentlessly and I'm becoming quite overwhelmed with everything. The RSA certificate is issued and installed successfully, but the ECC certificate is failing to load—causing Nginx to refuse HTTPS connections. Additionally, I'm hitting a rate limit error from Let's Encrypt that prevents further certificate requests.

Do I really have to wait a whole week for the rate limit to reset, or is there a way to disable ECC certificate issuance completely? Yesterday it said to retry after 2025-04-02 16:26:56 UTC and I did that and now it's saying retry after 2025-04-04 02:21:19 UTC. Any guidance on resolving any errors would be immensely appreciated.

Thank you very much for your help!

Cheers

If you have an RSA certificate why are you trying to get an EC certificate? You only really need one (although it's possible to offer both, you usually don't need to).

The other errors regarding duplicate mime types for wasm etc sound like this: Certbot misconfiguration error: "duplicate extension "wasm"" and "no "ssl_certificate"" errors - #5 by webprofusion

4 Likes

As webprofusion noted, if you have an RSA cert you don't need an ECDSA one. Problems with setting up both are best directed to the discourse community: https://meta.discourse.org/

As for the Rate Limit, getting both RSA and ECDSA will more quickly reach the rate limit you've seen. You get 5 identical certs (based on domain(s) alone) per week although you get an extra every 34 hours. See: Rate Limits - Let's Encrypt

Right now I don't see anything replying to HTTPS (port 443) requests. You said you had RSA working but it looks to me like nothing is listening there. Never mind if this is expected at this stage.

Ideally you would use the Let's Encrypt Staging system while testing. That has more relaxed rate limits. I don't know how you set that in your setup script. Again, maybe ask the Discourse people how you do that. You said your script came from that.

4 Likes
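
The refill behaviour described in the reply above (5 certificates per exact set of domains, one more every 34 hours) can be modelled as a leaky bucket to see why the "retry after" time keeps moving. This is an added example, not code from the thread, from Discourse or from Let's Encrypt; the class name, the timeline and the leaky-bucket simplification are assumptions.

```python
from datetime import datetime, timedelta, timezone

BURST = 5                        # certificates per exact set of hostnames (figure from the thread)
REFILL = timedelta(hours=34)     # one more issuance becomes available every 34 hours (from the thread)


class ExactSetLimit:
    """Leaky-bucket (GCRA) model of the limit. A simplification, not Let's Encrypt's code."""

    def __init__(self):
        self.tat = None          # "theoretical arrival time": when the bucket is fully drained

    def request(self, now):
        """Try to issue at `now`; return (issued, retry_after)."""
        tat = max(self.tat or now, now)
        earliest = tat - (BURST - 1) * REFILL    # first moment a slot is free
        if now < earliest:
            return False, earliest               # rejected, like the 429 rateLimited reply
        self.tat = tat + REFILL                  # accepted: one slot consumed
        return True, None


def replay(attempts):
    """Feed a list of attempt times through a fresh limiter."""
    limit = ExactSetLimit()
    return [limit.request(t) for t in attempts]


# Constructed timeline: six container rebuilds an hour apart, a retry exactly at
# the advertised retry-after time, then another rebuild ten minutes later.
T0 = datetime(2025, 4, 1, 0, 0, tzinfo=timezone.utc)
REBUILDS = [T0 + timedelta(hours=h) for h in range(6)]
RETRIES = [T0 + REFILL, T0 + REFILL + timedelta(minutes=10)]

if __name__ == "__main__":
    timeline = REBUILDS + RETRIES
    for when, (issued, retry) in zip(timeline, replay(timeline)):
        status = "issued" if issued else f"rateLimited, retry after {retry:%Y-%m-%d %H:%M} UTC"
        print(f"{when:%Y-%m-%d %H:%M} UTC  {status}")
```

In this constructed timeline the retry at the advertised time succeeds and uses up the single refilled slot, so the rebuild ten minutes later is told to wait another 34 hours. Rejected requests do not consume a slot in this model.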