I get cert limit, but I didn't create new certs


#1

Hi, I've been trying for two weeks to request new certificates for new subdomains. But all the time I'm facing the “too many certificates already issued for exact set of domains” error.

I don't know how to debug all my Let's Encrypt requests for all my servers. But if the limit is 20 new certificates per week, I should be able to create a new one.

Maybe some machine is requesting infinite certs? Those certs would be copies, and I want to generate a new one with a new subdomain. How can I debug it?

Thanks.

My domain is: mrjeffapp.net

I ran this command: Traefik did

It produced this output: too many certificates already issued for exact set of domains

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Route53

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): -


#2

Hi @PabloBor

You have a lot of certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:true;domain:mrjeffapp.net;issuer_uid:4428624498008853827&lu=cert_search

apps.v1.backend.mrjeffapp.net has 5 certificates created 2018-07-05. This hits a limit.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:apps.v1.backend.mrjeffapp.net&lu=cert_search

Why are there so many certificates created?

Normally, you should create one certificate, use it for 60 to 85 days, then renew it.
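The check this reply does by hand in the transparency report (count how many certificates exist for one exact set of names in the last week) can be scripted. The block below is an added example and not code from the original thread; it runs on constructed rows in the shape of crt.sh's JSON output for the made-up domain example.net, and it applies the limit Let's Encrypt documents for duplicate certificates: 5 per exact set of names per 7 days. It also handles one thing the transparency report search does not make obvious: CT logs list the precertificate and the final certificate of one issuance separately, and both share a serial number, so rows are deduplicated by serial before counting.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rows in the shape of crt.sh's JSON output
# (https://crt.sh/?q=<domain>&output=json): "not_before", "serial_number"
# and "name_value" (SANs separated by newlines). Invented sample data for
# example.net, not the certificates discussed in the thread.
SAMPLE_RECORDS = [
    # five issuances for the exact set {app.example.net} inside the last
    # 7 days; serial 0A03 appears twice (precertificate + certificate)
    {"not_before": "2018-07-10T09:15:00", "serial_number": "0A01", "name_value": "app.example.net"},
    {"not_before": "2018-07-11T09:15:00", "serial_number": "0A02", "name_value": "app.example.net"},
    {"not_before": "2018-07-12T09:15:00", "serial_number": "0A03", "name_value": "app.example.net"},
    {"not_before": "2018-07-12T09:15:00", "serial_number": "0A03", "name_value": "app.example.net"},
    {"not_before": "2018-07-13T09:15:00", "serial_number": "0A04", "name_value": "app.example.net"},
    {"not_before": "2018-07-14T09:15:00", "serial_number": "0A05", "name_value": "app.example.net"},
    # five issuances for {old.example.net}, all older than 7 days
    {"not_before": "2018-07-05T10:00:00", "serial_number": "0B01", "name_value": "old.example.net"},
    {"not_before": "2018-07-05T10:05:00", "serial_number": "0B02", "name_value": "old.example.net"},
    {"not_before": "2018-07-05T10:10:00", "serial_number": "0B03", "name_value": "old.example.net"},
    {"not_before": "2018-07-05T10:15:00", "serial_number": "0B04", "name_value": "old.example.net"},
    {"not_before": "2018-07-05T10:20:00", "serial_number": "0B05", "name_value": "old.example.net"},
    # adding one SAN makes this a different exact set for the duplicate limit
    {"not_before": "2018-07-15T11:00:00", "serial_number": "0C01",
     "name_value": "app.example.net\napi.example.net"},
]

NOW = datetime(2018, 7, 16, 0, 0, 0)      # "today" for the sample data
WINDOW = timedelta(days=7)
DUPLICATE_LIMIT = 5                       # Let's Encrypt: 5 per exact name set per week


def parse_records(records):
    """Normalize crt.sh-style rows to (name_set, not_before), one per serial."""
    by_serial = {}
    for row in records:
        serial = row["serial_number"].lower()
        names = frozenset(n.strip().lower() for n in row["name_value"].split("\n") if n.strip())
        issued = datetime.strptime(row["not_before"], "%Y-%m-%dT%H:%M:%S")
        # precert and final cert share a serial: count the issuance once
        by_serial.setdefault(serial, (names, issued))
    return list(by_serial.values())


def in_window(records, now=NOW, window=WINDOW):
    """Map each exact name set to the issuance times that fall inside the sliding window."""
    counts = defaultdict(list)
    for names, issued in parse_records(records):
        if now - window < issued <= now:
            counts[names].append(issued)
    return counts


def blocked_sets(records, now=NOW, limit=DUPLICATE_LIMIT, window=WINDOW):
    """Return {name_set: time at which the duplicate limit stops applying}."""
    blocked = {}
    for names, times in in_window(records, now, window).items():
        if len(times) >= limit:
            newest_first = sorted(times, reverse=True)
            # the set is free again once the limit-th most recent issuance
            # has left the window
            blocked[names] = newest_first[limit - 1] + window
    return blocked


if __name__ == "__main__":
    for names, clear_at in blocked_sets(SAMPLE_RECORDS).items():
        print(sorted(names), "blocked until", clear_at.isoformat())
```

To run it against a real domain, fetch `https://crt.sh/?q=<domain>&output=json` and pass the parsed list as `records`; the in-window count per set is what the "exact set of domains" error is about, and the printed time is the earliest moment a retry can succeed if no further issuances happen.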


#3

Hi,

Although I'm not sure what Traefik is, I suspect it would act like a Docker environment (I mean in applying for certificates)… Hence if you redeploy or edit, it's easy to hit the rate limit…

(Try to apply & renew the certificate outside this environment & copy the certificate to it instead)

Thank you


#4

I have 3 new servers with certificates in a Kubernetes cluster; these 3 servers are the endpoints. (Maybe I could share the filesystem and only use one.)

Otherwise those certificates are replicas. I want to create new subdomains.


#5

I think this is the problem (there are other threads). If you use kubernetes, you must store the account-keys and the certificates outside of this environment.

So if you destroy and recreate your environment, the older account keys and certificates can be reused.


#6

Yep, look there:

In some cases, Kubernetes cluster produces a lot of traffic


#7

Thanks! I will take care of this.

But I'm still facing “too many certificates already issued for exact set of domains”. The last certificate requested (according to https://transparencyreport.google.com/https/certificates) was on Jul 5, today is the 16th, and I still have the same issue.

Do I have the IP blocked?

If I have certs like foo.foo2.foo3.domain.net, can I group them with a *.domain.net wildcard?


#8

Your last cert was issued on July 11th.

No, you can't. A wildcard is only valid for 1 level, that means:

*.domain.tld covers foo.domain.tld, bar.domain.tld but doesn’t cover domain.tld nor bar.foo.domain.tld.

Anyway, you can have wildcards on different levels too, for example:

*.foo.domain.tld and it will cover bar.foo.domain.tld but won’t cover domain.tld nor foo.domain.tld nor foo.bar.foo.domain.tld

Cheers,
sahsanu
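The single-label rule in this reply is easy to get wrong when planning which names to put on a certificate, so here is an added example (not code from the thread or from Let's Encrypt) that implements it: a wildcard must be the whole leftmost label and matches exactly one label, as in RFC 6125 section 6.4.3 and in what Let's Encrypt issues. The helper `wildcards_needed` answers the question asked in the previous post: given a list of hostnames, which wildcard (or literal) name would have to be on the certificate for each one. All hostnames below are made up.

```python
def wildcard_covers(cert_name, hostname):
    """True if the certificate name covers hostname under the single-label wildcard rule."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    if not cert_name.startswith("*.") or "*" in cert_name[2:]:
        # forms like f*.domain.tld or *.*.domain.tld are not issued by
        # Let's Encrypt; treat them as an input error, never as a match
        raise ValueError("unsupported wildcard form: " + cert_name)
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # same number of labels (the '*' consumes exactly one), a non-empty
    # leftmost label, and everything right of it identical
    return (
        len(host_labels) == len(cert_labels)
        and host_labels[0] != ""
        and host_labels[1:] == cert_labels[1:]
    )


def covering_name(san_list, hostname):
    """Return the first SAN on a certificate that covers hostname, or None."""
    for name in san_list:
        if wildcard_covers(name, hostname):
            return name
    return None


def wildcards_needed(hostnames):
    """Group hostnames by the one name (wildcard or literal) that would cover each of them."""
    needed = {}
    for host in hostnames:
        labels = host.lower().rstrip(".").split(".")
        if len(labels) < 3:
            # the registered domain itself (domain.tld) is only covered by a
            # literal name: *.tld is a public-suffix wildcard and is refused
            name = ".".join(labels)
        else:
            name = "*." + ".".join(labels[1:])
        needed.setdefault(name, []).append(host)
    return needed


if __name__ == "__main__":
    for name, hosts in wildcards_needed(
        ["foo.foo2.foo3.domain.net", "bar.foo2.foo3.domain.net", "foo2.foo3.domain.net", "domain.net"]
    ).items():
        print(name, "covers", hosts)
```

The grouping shows why the wildcard in the question does not help: `foo.foo2.foo3.domain.net` needs `*.foo2.foo3.domain.net`, and every deeper level needs its own wildcard name (or a literal SAN) on the certificate.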


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.