Hitting rate limit with only 6 certificates

Hi, I’m having trouble creating a new certificate for my domain. It says I have hit a rate limit, which I have looked up and it appears to be 20 per week (https://letsencrypt.org/docs/rate-limits/). However, when I look at the certificates issued to me there have only been 6 in the last week (https://crt.sh/?q=www.noisyleaf.co.uk). Why am I hitting a rate limit?

Thanks for the help. Information is below.

My domain is: www.noisyleaf.co.uk

I ran this command: certbot certonly

It produced this output: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: www.noisyleaf.co.uk

My operating system is (include version): Debian GNU/Linux 8.8 (jessie)

My web server is (include version): Unknown (cloud host)
My hosting provider, if applicable, is: Digital Ocean droplet

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

You're hitting a different rate limit:

We also have a Duplicate Certificate limit of 5 certificates per week. A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names by adding [blog.example.com], you would be able to request additional certificates.

While that quote explains what you can do to issue more (14 more), why do you need so many identical certificates?
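The duplicate check quoted above, as an added example that is not part of the original thread or of Let's Encrypt's code: it counts earlier certificates with the same hostname set, ignoring case and order, and reports when a blocked request could be retried. The issuance history is constructed, and treating "per week" as a sliding 7-day window is an assumption; other limits, such as the 20 per week one, are not modelled.

```python
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5          # "5 certificates per week" from the quoted text
WINDOW = timedelta(days=7)   # assumption: "per week" is a sliding 7-day window

def name_set(hostnames):
    """Reduce a certificate's hostnames to a set; case and order are ignored."""
    return frozenset(h.strip().lower() for h in hostnames)

def duplicate_status(issued, requested, now):
    """Return (duplicates_in_window, allowed, retry_at) for a new request.

    issued is a list of (issue_time, [hostnames]) for earlier certificates.
    """
    target = name_set(requested)
    hits = sorted(t for t, names in issued
                  if name_set(names) == target and now - WINDOW < t <= now)
    if len(hits) < DUPLICATE_LIMIT:
        return len(hits), True, None
    # Blocked until enough of the oldest duplicates fall out of the window
    # to leave fewer than DUPLICATE_LIMIT inside it.
    retry_at = hits[len(hits) - DUPLICATE_LIMIT] + WINDOW
    return len(hits), False, retry_at

# Constructed history (not real crt.sh data): a daily renewal job that
# reissued the same single-name certificate, plus one two-name certificate.
ISSUED = [
    (datetime(2024, 1, 1, 3, 0), ["www.example.com"]),
    (datetime(2024, 1, 2, 3, 0), ["WWW.Example.com"]),   # same set, other case
    (datetime(2024, 1, 3, 3, 0), ["www.example.com"]),
    (datetime(2024, 1, 4, 3, 0), ["www.example.com"]),
    (datetime(2024, 1, 5, 3, 0), ["www.example.com"]),
    (datetime(2024, 1, 5, 4, 0), ["example.com", "www.example.com"]),
]
NOW = datetime(2024, 1, 6, 12, 0)

if __name__ == "__main__":
    for names in (["www.example.com"],
                  ["www.example.com", "example.com"],
                  ["www.example.com", "blog.example.com"]):
        count, allowed, retry_at = duplicate_status(ISSUED, names, NOW)
        print(names, "duplicates:", count, "allowed:", allowed, "retry:", retry_at)
```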

Thanks for the reply. I made a mistake in a cron job that caused the certificate to be renewed quite often, and having fixed that issue I would like to renew the certificate.

Wouldn’t I have to enter the new names into the DNS records for certbot to be able to verify them?

For instance, I tried to request a certificate for the domains "www.noisyleaf.co.uk,noisyleaf.co.uk" and got the following error:

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: noisyleaf.co.uk
Type: connection
Detail: DNS problem: SERVFAIL looking up A for noisyleaf.co.uk

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

I have a CNAME record for noisyleaf.co.uk -> www.noisyleaf.co.uk

The zone in DigitalOcean’s DNS manager is named “www.noisyleaf.co.uk.”. No “noisyleaf.co.uk.” zone exists, so queries for names that aren’t under “www.noisyleaf.co.uk.” fail.

http://dnsviz.net/d/noisyleaf.co.uk/WR0NiA/dnssec/
http://dnsviz.net/d/www.noisyleaf.co.uk/WR0NkQ/dnssec/

You should change things so the zone is called “noisyleaf.co.uk.” and it has records called “www” and so forth.

I don’t know the best way to do that in terms of DigitalOcean’s control panel, though. Maybe you can rename the zone? Or add a new one, and then delete the old one? Or delete the old one first, causing a fairly short outage?
