How to query my next available time to create new certificates

My domain is: obsec.run

I ran this command:
certbot certonly --dns-route53 --agree-tos

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.core.in.pdx1.aws.live.obsec.run and 2 more domains
An unexpected error occurred:
Error creating new order :: too many certificates already issued for: obsec.run: see Rate Limits - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The question is: How to find the earliest time I can issue a new cert for my domain: obsec.run? Is there any log or API we can query?

Hello @awang, welcome to the Let's Encrypt community.

Here is a list of issued certificates https://crt.sh/?q=obsec.run, the latest being 2022-10-19.

There have been a lot of issued certificates that look the same and very recent.

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

And to assist with debugging, a great place to start is Let's Debug.

2 Likes

Thanks Bruce5051!

These names (consul03.core.in.fra1.aws.live-eu.obsec.run) have been there for a long time, and their renewals failed. That actually confused me about how to query the earliest time a new cert can be issued for obsec.run. I actually created lots of new certs for in.pdx1.aws.live.obsec.run during last weekend (10/17, 10/18).

1 Like

I think it's a good idea to streamline your certificate issuance. Currently, it seems you're getting a certificate for a specific set of hostnames DAILY for a few days regularly. Then it stops... until there are again a few daily duplicates issued. And that's true for multiple sets of hostnames.

So to me that sounds like a very inefficient process being employed at your premises. Perhaps certain instances being started and stopped, issuing new certificates every time without storing the certs in a permanent place.

You might gain a lot by streamlining your certificate management.

4 Likes

Thanks Osiris!
Currently, I just install certbot on each of my hosts, configure it as a service, and let it renew automatically. I use a deploy hook to deploy to the real location which is used by the application.
Yeah, that is a good idea! Do you have some examples or documents for me?

1 Like

I figured out that Let's Debug actually gives us the details.

RateLimit

ERROR

core.in.pdx1.aws.live.obsec.run is currently affected by Let's Encrypt-based rate limits (Rate Limits - Let's Encrypt). You may review certificates that have already been issued by visiting crt.sh | %obsec.run . Please note that it is not possible to ask for a rate limit to be manually cleared.

The 'Certificates per Registered Domain' limit (50 certificates per week that share the same Registered Domain: obsec.run) has been exceeded. There is no way to work around this rate limit. The next non-renewal certificate for this Registered Domain should be issuable after 2022-10-20 19:11:45 +0000 UTC (2h27m0s from now).

Thanks!

1 Like

I'm afraid not, often systems requiring such streamlining are very different from each other, so no "one size fits all" example or documentation can be made.

4 Likes

But it looks like the estimation from Let's Debug is incorrect. I still get the same error.

According to this, you won't be able to issue new certificates for another 3 days.

Disclaimer: I wrote this tool, but I'm not sure how wrong it is with regard to your domain. I can't see any certificates in crt.sh for *.core.in.pdx1.aws.live.obsec.run, so I would guess that this does not come under any renewal exemption, which means you'd have to wait the full 3 days.

4 Likes
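The rolling-window arithmetic behind a "next issuable" estimate, as an added example (not code from this thread, Let's Debug, or the tool mentioned above). It assumes one `(issued_at, names)` pair per issued certificate, such as a deduplicated crt.sh export, and assumes a certificate whose exact name set was issued before is a renewal that does not count; the function names and sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 50                  # "50 certificates per week" per Registered Domain
WINDOW = timedelta(days=7)  # rolling week

def counted_issuances(certs):
    """Return sorted issuance times that count against the limit.

    certs: iterable of (issued_at, names) pairs, one per issued certificate.
    Assumption: a certificate whose exact name set was issued before is a
    renewal and is not counted.
    """
    seen, counted = set(), []
    for issued_at, names in sorted(certs, key=lambda c: c[0]):
        key = frozenset(n.lower() for n in names)
        if key not in seen:
            seen.add(key)
            counted.append(issued_at)
    return counted

def next_issuable(certs, now, limit=LIMIT, window=WINDOW):
    """Earliest time a new (non-renewal) certificate fits in the window."""
    recent = [t for t in counted_issuances(certs) if now - window < t <= now]
    if len(recent) < limit:
        return now
    # Blocked until the limit-th most recent counted cert leaves the window.
    return recent[-limit] + window

# Constructed sample data (not real issuance records for any domain).
UTC = timezone.utc
BASE = datetime(2022, 10, 10, 12, 0, 0, tzinfo=UTC)
SAMPLE = [(BASE + timedelta(hours=i), [f"host{i}.example.com"]) for i in range(50)]
# Five daily re-issues of one existing name set: renewals, not counted.
SAMPLE += [(BASE + timedelta(days=d, hours=1), ["host0.example.com"]) for d in range(1, 6)]
# One old certificate that has already aged out of the window.
SAMPLE.append((BASE - timedelta(days=30), ["old.example.com"]))

if __name__ == "__main__":
    now = datetime(2022, 10, 16, 0, 0, 0, tzinfo=UTC)
    print("next non-renewal certificate issuable at:", next_issuable(SAMPLE, now))
```

The answer is the timestamp of the 50th most recent counted certificate plus seven days, so the date depends on which certificates are treated as counting.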

Thanks _az!

This result makes sense:
The next non-renewal certificate for obsec.run will be issuable again on 23 Oct 2022 21:00:50 UTC.

Bests,
Autumn Wang

1 Like
