Hit renewal rate limit

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): getssl.sh

Trying to renew certs and made repeated attempts due to my thinkiing it had failed, when in fact it had not. It was actually an option in my getssl.cfg that did not cause a new key to be generated, leading me to think renew had failed.

So on my last attempt, I got this message:
"There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: [my domains]: see https://letsencrypt.org/docs/rate-limits/ "

I am unsure if this refers to the 1 hour limit, or the 1 week limit. If 1 week. is that calendar week or 7 days counting now?

If the latter, puts me very close to expiration of current cert. Can I use the newest files in archive to manually install them? (I normally manually install in any event). I hesitate to use those files without knowing if they are valid.

That message is about the one-week limit. A cert no longer counts against that limit once it's a week old, so you can issue another one a week after you made the first one. If you made all of those renewal attempts today, then that's a week from now.

The easiest workaround for this issue is to create a new subdomain and add it to the cert. For example, if your old cert was for example.com and www.example.com, then a cert for example.com, www.example.com, and www2.example.com won't be affected by the rate limit. You could issue that certificate now, then remove the extra subdomain a week from now.

Thanks, that could prove useful. It seems the subdomain in fact exist, as getssl.sh gave an error about not being able to reach it. I added and A record and can see it with dig and via mxtoolbox.com, but still got the error that DNS lookup failed.

I’m puzzled, since I can dig from the same session where I am running getssl.sh

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.