I ran this command:
certbot certonly --dns-route53 --agree-tos
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.core.in.pdx1.aws.live.obsec.run and 2 more domains
An unexpected error occurred:
Error creating new order :: too many certificates already issued for: obsec.run: see Rate Limits - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
The question is: How do I find the earliest time I can issue a new cert for my domain, obsec.run? Is there any log or API we can query?
These names (consul03.core.in.fra1.aws.live-eu.obsec.run) have been there for a long time, and they failed to renew. That actually confused me about how to query the earliest time a new cert can be issued for obsec.run. I actually created lots of new certs for in.pdx1.aws.live.obsec.run during last weekend (10/17, 10/18).
I think it's a good idea to streamline your certificate issuance. Currently, it seems you're getting a certificate for a specific set of hostnames DAILY for a few days regularly. Then it stops... until there are again a few daily duplicates issued. And that's true for multiple sets of hostnames.
So to me that sounds like a very inefficient process being employed at your premise. Perhaps certain instances being started and stopped, issuing new certificates every time without storing the certs in a permanent place.
You might gain a lot by streamlining your certificate management.
Currently, I just install certbot on each of my hosts, configure it as a service, and let it renew automatically. I use a deploy hook to deploy to the real location which is used by the application.
Yeah, that is a good idea! Do you have some example or document for me?
core.in.pdx1.aws.live.obsec.run is currently affected by Let's Encrypt-based rate limits (Rate Limits - Let's Encrypt). You may review certificates that have already been issued by visiting crt.sh | %obsec.run . Please note that it is not possible to ask for a rate limit to be manually cleared.
The 'Certificates per Registered Domain' limit (50 certificates per week that share the same Registered Domain: obsec.run) has been exceeded. There is no way to work around this rate limit. The next non-renewal certificate for this Registered Domain should be issuable after 2022-10-20 19:11:45 +0000 UTC (2h27m0s from now).
According to this, you won't be able to issue new certificates for another 3 days.
Disclaimer: I wrote this tool, but I'm not sure how wrong it is with regard to your domain. I can't see any certificates in crt.sh for *.core.in.pdx1.aws.live.obsec.run, so I would guess that this does not come under any renewal exemption, which means you'd have to wait the full 3 days.
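The calculation behind a "next issuable after" estimate like the one quoted above can be sketched as follows; this is an added example, not code from the thread or from the tool mentioned in it. It assumes the "50 certificates per week" limit is a sliding 7-day window, ignores the renewal exemption, and uses constructed issuance timestamps (in practice they would come from a certificate transparency search such as crt.sh).

```python
from datetime import datetime, timedelta, timezone

LIMIT = 50                  # Certificates per Registered Domain, as quoted in the thread
WINDOW = timedelta(days=7)  # "per week", modelled as a sliding window (assumption)


def next_issuable(issued, now, limit=LIMIT, window=WINDOW):
    """Earliest time a new, non-renewal certificate fits under the limit.

    issued: timezone-aware issuance times of certificates already counted
            against the registered domain (renewal exemption not modelled).
    """
    # Only certificates issued inside the trailing window count.
    recent = sorted(t for t in issued if now - window < t <= now)
    if len(recent) < limit:
        return now  # a slot is free right now
    # With n >= limit certificates in the window, the oldest (n - limit + 1)
    # must age out. The last of those is the limit-th most recent one.
    return recent[-limit] + window


def sample_issuances():
    """Constructed data: 55 certificates, one every 2 hours from 2022-10-14 09:00 UTC."""
    first = datetime(2022, 10, 14, 9, 0, tzinfo=timezone.utc)
    return [first + timedelta(hours=2 * i) for i in range(55)]


if __name__ == "__main__":
    now = datetime(2022, 10, 20, 12, 0, tzinfo=timezone.utc)  # constructed "current time"
    when = next_issuable(sample_issuances(), now)
    print("next issuable after:", when.isoformat(), "wait:", when - now)
```

Running the same function over the real issuance times for a registered domain also shows how bursts of duplicate certificates, like the daily re-issuance described earlier in the thread, push the next free slot further out.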