I get the cert limit, but I didn't create new certs

Hi, I have been trying for two weeks to request new certificates for new subdomains, but I keep getting the “too many certificates already issued for exact set of domains” error.

I don’t know how to debug all my Let’s Encrypt requests for all my servers. But if the limit is 20 new certificates per week, I should be able to create a new one.

Maybe some machine is requesting infinite certs? Those certs would be copies, and I want to generate a new one with a new subdomain. How can I debug it?

Thanks.

My domain is: mrjeffapp.net

I ran this command: Traefik did

It produced this output: too many certificates already issued for exact set of domains

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Route53

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): -

Hi @PabloBor

You have a lot of certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:true;domain:mrjeffapp.net;issuer_uid:4428624498008853827&lu=cert_search

apps.v1.backend.mrjeffapp.net has 5 certificates created on 2018-07-05. This hits a limit.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:apps.v1.backend.mrjeffapp.net&lu=cert_search

Why are there so many certificates created?

Normally, you should create one certificate, use it for 60 to 85 days, then renew it.
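A way to do the check described in the post above against a local copy of Certificate Transparency data, as an added example that is not part of any post in this thread: group the log entries by their exact set of names and count how many were issued inside any 7-day window, which is what the “exact set of domains” limit (5 per week at the time of this thread) is measured on. The records are constructed for this example in the field layout crt.sh returns for `https://crt.sh/?q=%25.example.net&output=json`; they are not real log data, and `example.net` stands in for the poster's domain. A real run would save that JSON to a file and pass its contents to `issuances_per_window`.

```python
"""Find which exact set of names has hit Let's Encrypt's duplicate-certificate limit.

Constructed CT records (not real log data) in the shape crt.sh's JSON output uses:
each entry has an id, serial_number, issuer_name, not_before and name_value (the
subject names joined by newlines).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5          # certificates per exact name set per 7 days (2018 value)
WINDOW = timedelta(days=7)
LE_ISSUER = "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"


def _rec(id_, serial, not_before, names, issuer=LE_ISSUER):
    return {"id": id_, "serial_number": serial, "issuer_name": issuer,
            "not_before": not_before, "name_value": "\n".join(names)}


SAMPLE_CT_JSON = json.dumps([
    # Five certificates for one name on the same day: this set is at the limit.
    _rec(101, "a1", "2018-07-05T08:00:00", ["apps.v1.backend.example.net"]),
    _rec(102, "a1", "2018-07-05T08:00:00", ["apps.v1.backend.example.net"]),  # precert twin of 101
    _rec(103, "a2", "2018-07-05T09:00:00", ["apps.v1.backend.example.net"]),
    _rec(104, "a3", "2018-07-05T10:00:00", ["apps.v1.backend.example.net"]),
    _rec(105, "a4", "2018-07-05T11:00:00", ["apps.v1.backend.example.net"]),
    _rec(106, "a5", "2018-07-05T12:00:00", ["apps.v1.backend.example.net"]),
    # Same name from another CA: does not count toward Let's Encrypt's limit.
    _rec(107, "d1", "2018-07-05T13:00:00", ["apps.v1.backend.example.net"],
         issuer="C=US, O=Other CA, CN=Other CA Intermediate"),
    # A two-name set issued twice, four days apart: fine.
    _rec(201, "b1", "2018-07-02T00:00:00", ["api.example.net", "www.example.net"]),
    _rec(202, "b2", "2018-07-06T00:00:00", ["www.example.net", "api.example.net"]),
    # Five certificates spread over nine days: never five inside one 7-day window.
    _rec(301, "c1", "2018-07-01T00:00:00", ["staging.example.net"]),
    _rec(302, "c2", "2018-07-03T00:00:00", ["staging.example.net"]),
    _rec(303, "c3", "2018-07-05T00:00:00", ["staging.example.net"]),
    _rec(304, "c4", "2018-07-07T00:00:00", ["staging.example.net"]),
    _rec(305, "c5", "2018-07-09T00:00:00", ["staging.example.net"]),
])


def parse_records(raw, issuer_substring="Let's Encrypt"):
    """Return (frozenset of names, not_before) per distinct certificate.

    crt.sh lists a precertificate and its final certificate as separate entries
    with different ids but the same serial number, so deduplicate by serial, and
    only certificates from the CA named in issuer_substring count toward its limit.
    """
    seen_serials = set()
    out = []
    for rec in json.loads(raw):
        if issuer_substring not in rec["issuer_name"]:
            continue
        if rec["serial_number"] in seen_serials:
            continue
        seen_serials.add(rec["serial_number"])
        names = frozenset(n.strip().lower()
                          for n in rec["name_value"].splitlines() if n.strip())
        out.append((names, datetime.fromisoformat(rec["not_before"])))
    return out


def max_in_window(times, window=WINDOW):
    """Largest number of issuance times that fall inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] >= window:   # drop entries that fell out of the window
            start += 1
        best = max(best, end - start + 1)
    return best


def issuances_per_window(raw):
    """Map each exact name set to its peak issuance count in a 7-day window."""
    by_set = defaultdict(list)
    for names, t in parse_records(raw):
        by_set[names].append(t)
    return {names: max_in_window(ts) for names, ts in by_set.items()}


def blocked_name_sets(raw, limit=DUPLICATE_LIMIT):
    """Name sets that have reached `limit`: a request for exactly these names fails."""
    hits = [names for names, n in issuances_per_window(raw).items() if n >= limit]
    return sorted(hits, key=sorted)


if __name__ == "__main__":
    for names, n in sorted(issuances_per_window(SAMPLE_CT_JSON).items(), key=lambda kv: sorted(kv[0])):
        flag = "AT LIMIT" if n >= DUPLICATE_LIMIT else ""
        print(f"{n:2d}  {', '.join(sorted(names))}  {flag}")
```

Note that the limit is on the exact set of names, so adding one genuinely new subdomain to the request produces a different set and is not blocked by this counter; a second request that fails with the same message is therefore usually an exact repeat, which is what the thread later traces to certificates being re-requested instead of reused.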

Hi,

Although I'm not sure what Traefik is, I suspect it acts like a Docker environment (I mean when applying for a certificate)... Hence, if you redeploy or edit, it's easy to hit the rate limit....

(Try to apply for and renew the certificate outside this environment and copy the certificate into it instead.)

Thank you

I have 3 new servers with certificates in a Kubernetes cluster; these 3 servers are the endpoints. (Maybe I could share a filesystem and only use one.)

Otherwise those certificates are replicas. I want to create new subdomains.

I think this is the problem (there are other threads). If you use Kubernetes, you must store the account keys and the certificates outside of this environment.

So if you destroy and recreate your environment, the older account keys and certificates can be reused.

Yep, look there:

In some cases, Kubernetes cluster produces a lot of traffic

Thanks! I will take care of this.

But I am still facing “too many certificates already issued for exact set of domains”; the last certificate requested (according to https://transparencyreport.google.com/https/certificates) was on Jul 5, today is the 16th, and I still have the same issue.

Do I have the IP blocked?

If I have certs like foo.foo2.foo3.domain.net, can I group them with a *.domain.net wildcard?

Your last cert was issued on July 11th.

No, you can't. A wildcard is only valid for 1 level, which means:

*.domain.tld covers foo.domain.tld, bar.domain.tld but doesn't cover domain.tld nor bar.foo.domain.tld.

Anyway, you can have wildcards on different levels too, for example:

*.foo.domain.tld will cover bar.foo.domain.tld but won't cover domain.tld, foo.domain.tld, or foo.bar.foo.domain.tld.

Cheers,
sahsanu

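The one-label rule from sahsanu's answer, written out as an added example that is not part of the thread: a `*` may only be the leftmost label and matches exactly one label, so `*.domain.tld` covers `foo.domain.tld` but neither `domain.tld` nor `bar.foo.domain.tld`. The helper `wildcard_needed` goes one step beyond the post and answers the question as asked: for a name like `foo.foo2.foo3.domain.net` it returns the wildcard that would actually cover it. The function names and the sample hostnames are this example's own.

```python
"""Which hostnames does a wildcard certificate name cover?

Implements the single-label wildcard rule used by publicly trusted certificates
(RFC 6125 style, leftmost label only), which is the rule Let's Encrypt wildcards follow.
"""


def wildcard_covers(pattern, hostname):
    """True if certificate name `pattern` (plain or '*.' + parent) matches `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    # Only '*.' as the whole leftmost label is a valid wildcard form; reject anything else.
    if "*" in pattern and not (pattern.startswith("*.") and "*" not in pattern[2:]):
        raise ValueError(f"unsupported wildcard form: {pattern}")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                  # '.domain.tld'
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]     # whatever the '*' would have to stand for
    # Exactly one non-empty label: no dots, so bar.foo.domain.tld is not covered,
    # and not empty, so the bare domain.tld is not covered either.
    return prefix != "" and "." not in prefix


def uncovered(cert_names, hostnames):
    """Hostnames that none of the names on a certificate would cover."""
    return [h for h in hostnames
            if not any(wildcard_covers(name, h) for name in cert_names)]


def wildcard_needed(hostname):
    """The single wildcard name that would cover `hostname`: its parent with a '*.' label.

    Requires at least one label below the registered domain; whether the parent is a
    public suffix (and therefore not issuable) is outside this helper's scope.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        raise ValueError(f"{hostname} has no parent a wildcard could be issued for")
    return "*." + ".".join(labels[1:])


if __name__ == "__main__":
    # Constructed names, mirroring the thread's question about foo.foo2.foo3.domain.net
    wanted = ["foo.foo2.foo3.domain.net", "a.domain.net", "domain.net"]
    cert = ["*.domain.net", "domain.net"]
    for h in uncovered(cert, wanted):
        print(f"{h} is not covered by {cert}; it would need {wildcard_needed(h)}")
```

Because each wildcard covers only one level, a deep name such as `foo.foo2.foo3.domain.net` needs its own `*.foo2.foo3.domain.net` entry (or an explicit name) on the certificate, and a certificate can carry several such wildcards at different depths in its subject alternative names.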
