It went through in series; I added DNS validation for each one. All good, but when it prompted me to validate each domain it didn't download the certificates.
So now when I just do a command like this:
certbot certonly -a manual --preferred-challenges dns -d www.mydomain.com
I get
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for: www.mydomain.com
Please see the logfiles in /var/log/letsencrypt for more details.
How do I just download the certs after the domain has been already verified without this error?
“certonly” should place links to the cert in the /etc/letsencrypt/live/www.mydomain.com/ folder.
The actual files are found in the /etc/letsencrypt/archive/www.domain.com/ folder.
But you should use the live links as they will always point to the latest certs.
Revoking is only necessary if you’ve lost control of the private key and such - so, no, don’t revoke any.
Revoking won’t affect the limits.
So you have 100 individual certs and you want one cert with all the names in it?
I’m having trouble understanding what you want to do…
If you do want just one cert with 100 names on it, just add
-d name1 -d name2 -d name3 … -d name100
to the certbot request.
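As an added example that is not part of the original thread: the reply above says to put all the names you want in one certificate into a single certbot request with repeated -d arguments. The helper below builds those requests from a list of hostnames. It de-duplicates and normalises the names, splits them into groups of at most 100 (the per-certificate limit quoted later in the thread), keeps the first name first because certbot uses it as the Common Name and as the directory name under /etc/letsencrypt/live/, and optionally adds --staging so you can rehearse against the staging environment without consuming production rate limit. The sample name list is constructed; the plugin and challenge flags are the ones from the original post.

```python
"""Build certbot certonly command lines that group many names into few certificates.

Added example; not certbot's own code. Only the flags that appear in the thread
(-a manual, --preferred-challenges dns, -d, --staging) are used.
"""
import shlex
from typing import Iterable, List

MAX_NAMES_PER_CERT = 100  # Let's Encrypt's SAN limit per certificate


def normalise_names(names: Iterable[str]) -> List[str]:
    """Lower-case, strip trailing dots/whitespace and drop duplicates, preserving order.

    Order matters: certbot puts the first -d name in the Common Name and names the
    /etc/letsencrypt/live/<first-name>/ directory after it.
    """
    seen = set()
    ordered = []
    for raw in names:
        name = raw.strip().lower().rstrip(".")
        if name and name not in seen:
            seen.add(name)
            ordered.append(name)
    return ordered


def chunk_names(names: Iterable[str], max_per_cert: int = MAX_NAMES_PER_CERT) -> List[List[str]]:
    """Split the normalised names into groups that each fit in one certificate."""
    if max_per_cert < 1:
        raise ValueError("max_per_cert must be at least 1")
    ordered = normalise_names(names)
    return [ordered[i:i + max_per_cert] for i in range(0, len(ordered), max_per_cert)]


def certbot_commands(names: Iterable[str], staging: bool = True,
                     max_per_cert: int = MAX_NAMES_PER_CERT) -> List[List[str]]:
    """Return one argv list per certificate to be requested.

    staging=True adds --staging so the rehearsal does not count against the
    production rate limits the original poster ran into.
    """
    commands = []
    for group in chunk_names(names, max_per_cert):
        argv = ["certbot", "certonly", "-a", "manual", "--preferred-challenges", "dns"]
        if staging:
            argv.append("--staging")
        for name in group:
            argv += ["-d", name]
        commands.append(argv)
    return commands


# Constructed sample: a parent site plus several two-level-deep store subdomains,
# with a duplicate and inconsistent casing to show the normalisation.
SAMPLE_NAMES = [
    "www.example.com",
    "www.adelaide.example.com",
    "WWW.Perth.example.com",
    "www.adelaide.example.com.",   # duplicate of the second entry
    "www.brisbane.example.com",
]

if __name__ == "__main__":
    for argv in certbot_commands(SAMPLE_NAMES):
        print(shlex.join(argv))
```

With max_per_cert lowered you can see the grouping behaviour on a short list; with the default of 100, the five sample names produce a single command whose certificate lives under /etc/letsencrypt/live/www.example.com/.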
You should be able to see a full list of all the certs with certbot certificates
which will list out the certs like this:
Found the following certs:
Certificate Name: www.domain.com
Domains: www.domain.com
Expiry Date: 2017-12-02 03:18:00+00:00 (VALID: 67 days)
Certificate Path: /etc/letsencrypt/live/www.domain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.domain.com/privkey.pem
When I do certbot certificates, it shows all my sub-domains under another sub-domain.
Is this problematic? Note everything I'm doing here is on sub domains.
In my head I should delete this sub domain that has all the other sub domains on the same certificate as that structure / hierarchy doesn't seem right to me?
All the certs that are issued are public information, so holding back the names doesn’t really help in the troubleshooting process and it doesn’t reveal anything that isn’t already public.
For example, you can go to: https://crt.sh/ and enter your domain name and see all the issued certs (publicly).
So, can you show the example of what you have and what you want?
So, you can
certbot delete
and go through the list removing any that have names incorrectly grouped.
Or delete them all and get new certs ensuring to include only the names that you want grouped together in the same cert request.
Well I can, but it seems wrong that they are grouped under another sub-domain, but if that will work for any of those sub-domains associated with that certificate I’ll just keep it as is now, because of the rate limiting issue
I agree with @mnordhoff: the big certificate can actually be useful because of Let’s Encrypt rate limits. If you made several large certificates instead of many small certificates, you might not have encountered the rate limit as quickly. Now that you’ve encountered the rate limit, you may have to wait for a few days in order to be able to issue more certificates.
A certificate containing several or many subject alternative names, like this one, is considered valid for any of those names. Let’s Encrypt allows you to request certificates that cover up to 100 names per certificate, which can be related to each other in any way, or not related to each other at all.
For historical reasons, certificates contain a list of Subject Alternative Names (up to 100, for Let's Encrypt) and (almost always) a Common Name field, which contains only 1 name. (That name is also included in the SAN list.)
The Common Name field has been deprecated and obsolete for about 15 years; naturally almost every certificate still includes it.
Unless you're dealing with really, really obsolete software (circa 2000-2005, wget until 2011, or some obscure client of questionable utility) none of this matters. The client consults the SAN list, and may even entirely ignore the CN field.
(Browser "certificate info" windows still often display the CN with misleading prominence and bury the SAN list. This is bad UI design, but doesn't significantly matter.)
As Certbot and Let's Encrypt are designed, the name from the first "-d" argument is put in the Common Name field, Certbot uses it in its filenames, and it's displayed more prominently in "certbot certificates". But none of that matters in any practical way.
ok wow the support here is really nice… Thank you all for commenting…
Trying now to make sure it works. If I want to move my certbot (on local) up to the server is this possible? I’m just doing everything manually at this point no automation
Certbot is really intended to be run on the server rather than on your own computer. It can potentially automatically configure Apache or nginx for you and also renew the certificates automatically!
can i ask why you are trying to use Let’s Encrypt?
I know this is a Let’s Encrypt forum but you have what looks like a redirect straight to your www.kwickcopy.com.au website which has a valid certificate from Comodo.
One of the things that is good to understand is what exactly you are trying to do.
This will allow people to give accurate advice. I think you know the end goal but haven’t explored the options and are jumping around.
A) Is your end state that each store has their own domain in the form www.storelocation.kwikcopy.com.au
B) Will different stores have different portals or will they just redirect to your www.kwikcopy.com.au parent domain
C) I assume when people go to a store site for example https://www.adelaide.kwikcopy.com.au they are getting redirected to your parent domain with no issues (is this the role of the SSL certificate from Let’s Encrypt?)
D) I can see some of the stores do not redirect cleanly - are you updating the binding for each store?
After this I discovered we had sub-domains advertised 2 levels deep (www.adelaide.kwikkopy.com.au), which weren’t covered by our wildcard cert. The Let’s Encrypt site said it doesn’t cover wildcard certs so I didn’t get the core cert done this way. Yes I know it’s coming but it’s not here today.
Therefore my only way I know to get these 2 level deep sub-domains working with SSL is to have a cert for each one, or a grouped cert. I’ve done a few but need to work through the rest, and that is where I was getting the error.
Yes they redirect to the main site, but those redirects break if SSL isn’t setup correctly.
Yes I know about the plugins, automations etc, but the webserver hosts several sites, and there is some overhead in learning the whole eco-system of tools, so my focus has just been getting the certs done, and then I can circle back and learn all the tooling.
Yes I know DNSMADEEASY has an API, i’m not sure what value that will add as all the domains and verifications are setup.
The second option is that, if you have bindings/vhosts for each of your sites in Apache, the Apache plugin will do all the work of setting up the challenges for you. This also has the advantage that it will create the HTTPS bindings or update them for you for the new certificate (which may make things easier).
If you run certbot --apache --staging you can see how this works
When you are trying things out it is recommended that you use the staging server, as it’s unlikely to hit a rate limit while you are configuring various aspects.
Both the DNS authenticators and the Apache installer are designed to make things easier (ACME is supposed to be fairly automated), and it’s worthwhile getting this right now as you have to do this every 3 months.