Hit the Rate Limit


#1

Hi there,
since the recent problems with the TLS-SNI challenge our renewal automation tried to renew the certs like usual and brought us into the rate limit.

Error Message:
Attempting to renew cert (—) from /etc/letsencrypt/renewal/----.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains:

My question is: could someone remove the rate limit for some of our domains so we can renew our certs, or do we need to wait the assigned period? This would amount to some of our certificates expiring.

We already changed all the challenges to the http01 challenge.

Greetings Vash


#2

That error means somebody (either on that server or on another server on your domains) got a duplicate certificate containing the same set of domains successfully. If you had run into the TLS-SNI issue, you would’ve received an error similar to the one described in “Solution: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA”. Based on that, it looks like your cert renewed properly?

If not, there’s no way to reset the rate limits manually, so you’ll have to wait for the rate limits to expire as described in https://letsencrypt.org/docs/rate-limits/. If you post your domain here, we can look up your domain and see which certs have been issued (Let’s Encrypt logs this info by default, so hiding your domain here doesn’t do much). If you’re hesitant, you can check yourself at https://crt.sh to see how many certificates have been issued for your domain.


#3

Yeah, I thought so. https://crt.sh tells me that there are 5 certificates already issued for that specific domain.

I guess the certificates were issued via Let’s Encrypt but were never delivered to our webserver, since every browser still says the certificates will expire soon.

crt.sh certs regarding that domain:

2018-01-12 2018-01-12 C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
2018-01-10 2018-01-10 C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
2018-01-10 2018-01-10 C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
2018-01-10 2018-01-10 C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
2018-01-10 2018-01-10 C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3

#4

If the certificates are, in fact, on your server, you can download the certificate from crt.sh onto your server (if you have the private key). Although, they should already be there if you were using the certbot client. Have you tried restarting whatever web server you’re using? That should trigger your web server to load whatever is currently linked in /etc/letsencrypt/live/<yourdomain>


#5

Yeah, I tried to restart the webserver already but I got no new certificate.
Ty, I didn’t think about downloading it via crt.sh. I think that should fix my problem.
Still strange it didn’t automatically update our cert on the webserver. (I use the certbot client)


#6

One common situation that leads to your problem: Running certbot with --renew-by-default or --force-renewal, and running it in a nightly or hourly cron job. You should check all your cronjobs (as root, and as non-root, and in /etc/cron.d) and see what commands they are running Certbot with.

Also, I’d recommend running sudo ls -lR /etc/letsencrypt/archive/ to see what certificates you may have lying around from previous runs.
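
The cron check suggested in post #6, as an added example that is not part of the original thread: a POSIX shell function that lists non-comment lines using either of the two forcing flags named there. The function names, the sample cron tree and the domain example.org are constructed for illustration.

```shell
#!/bin/sh
# Added example: find cron entries that force a Certbot renewal on every run.

# Print "file:line:text" for each non-comment line under the given paths
# that uses --force-renewal or --renew-by-default.
find_forced_renewals() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        grep -rHnE -e '--(force-renewal|renew-by-default)([[:space:]]|$)' \
            "$p" 2>/dev/null
    done | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#'   # drop commented-out entries
}

# Constructed sample cron tree so the check can be tried offline.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/cron.d"
    # Harmless: the forcing flag is commented out, the live job is a plain renew.
    printf '%s\n' \
        '# 0 3 * * * root certbot renew --force-renewal' \
        '0 3 * * * root certbot renew --quiet' \
        > "$dir/cron.d/nightly-ok"
    # Problematic: both jobs request a new certificate regardless of expiry.
    printf '%s\n' \
        '0 * * * * root /usr/bin/certbot renew --force-renewal' \
        '30 2 * * * root letsencrypt-auto certonly --renew-by-default -d example.org' \
        > "$dir/cron.d/hourly-forced"
    printf '%s\n' "$dir"
}

# Demo on the constructed tree.
sample=$(make_sample_tree)
find_forced_renewals "$sample" || echo "no forced renewals found"
rm -rf "$sample"
```

On a real host, run `find_forced_renewals` as root against `/etc/crontab`, `/etc/cron.d` and the user crontab spool (commonly `/var/spool/cron`) to cover the root and non-root jobs mentioned above.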

