I just need to download certs (already registered them) but it gives me an error

I've set up a bunch of certs, ~100

It went through in series, I added DNS validation for each one. All good, but when it prompted me to validate each domain it didn't download the certificates.

So now when I just do a command like this:

certbot certonly -a manual --preferred-challenges dns -d www.mydomain.com

I get

Press Enter to Continue
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for: www.mydomain.com
Please see the logfiles in /var/log/letsencrypt for more details.

How do I just download the certs after the domain has been already verified without this error?

“certonly” should place links to the cert in the /etc/letsencrypt/live/www.mydomain.com/ folder.
The actual files are found in the /etc/letsencrypt/archive/www.domain.com/ folder.
But you should use the live links as they will always point to the latest certs.

Yeah I’ve worked out what I’ve done, I didn’t add -d for each domain, so now I have 1 sub-domain, with 100 or so sub-domains associated with it.

I’m assuming this won’t work? If I revoke that certificate can I re-create them without any limits, i.e. will it reset my limits if I revoke?

e.g.
Certificate Name: www.sub.main.com
Domains: www.sub1.main.com… (100 or so domains here)

Revoking is only necessary if you’ve lost control of the private key and such - so, no, don’t revoke any.
Revoking won’t affect the limits.

So you have 100 individual certs and you want one cert with all the names in it?
I’m having trouble understanding what you want to do…

If you do want just one cert with 100 names on it, just add
-d name1 -d name2 -d name3 … -d name100
to the certbot request.

You should be able to see a full list of all the certs with
certbot certificates
which will list out the certs like this:
Found the following certs:
Certificate Name: www.domain.com
Domains: www.domain.com
Expiry Date: 2017-12-02 03:18:00+00:00 (VALID: 67 days)
Certificate Path: /etc/letsencrypt/live/www.domain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.domain.com/privkey.pem

  1. I needed to register 100 subdomains.
  2. I did this as "-d www.sub1.domain.com,www.sub2.domain.com"
  3. When I do certbot certificates, it shows all my sub-domains, under another sub-domain.

Is this problematic? Note everything I'm doing here is on sub domains.

In my head I should delete this sub domain that has all the other sub domains on the same certificate as that structure / hierarchy doesn't seem right to me?

All the certs that are issued are public information, so holding back the names doesn’t really help in the troubleshooting process and it doesn’t reveal anything that isn’t already public.
For example, you can go to: https://crt.sh/ and enter your domain name and see all the issued certs (publicly).

So, can you show the example of what you have and what you want?

The individual ones are good, but see how there is a bunch lumped under one cert? Need to fix that

Found the following certs:
Certificate Name: www.adelaide.kwikkopy.com.au-0001
Domains: www.adelaide.kwikkopy.com.au
Expiry Date: 2017-12-18 08:58:00+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/www.adelaide.kwikkopy.com.au-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.adelaide.kwikkopy.com.au-0001/privkey.pem
Certificate Name: www.adelaide.kwikkopy.com.au
Domains: www.adelaide.kwikkopy.com.au,www.albury.kwikkopy.com.au,www.alexandria.kwikkopy.com.au,www.annstreet.kwikkopy.com.au,www.artarmon.kwikkopy.com.au,www.auburn.kwikkopy.com.au,www.ballarat.kwikkopy.com.au,www.bayswater.kwikkopy.com.au,www.blacktown.kwikkopy.com.au,www.bondi.kwikkopy.com.au,www.botany.kwikkopy.com.au,www.bourkestreet.kwikkopy.com.au,www.braeside.kwikkopy.com.au,
Expiry Date: 2017-12-18 08:53:00+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/www.adelaide.kwikkopy.com.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.adelaide.kwikkopy.com.au/privkey.pem
Certificate Name: www.albury.kwikkopy.com.au
Domains: www.albury.kwikkopy.com.au
Expiry Date: 2017-12-18 08:55:00+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/www.albury.kwikkopy.com.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.albury.kwikkopy.com.au/privkey.pem
Certificate Name: www.alexandria.kwikkopy.com.au
Domains: www.alexandria.kwikkopy.com.au
Expiry Date: 2017-12-18 09:00:00+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/www.alexandria.kwikkopy.com.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.alexandria.kwikkopy.com.au/privkey.pem

I needed to truncate that list as I couldn't post due to link limit

I see there was a cert with many names issued: crt.sh | 213275348
But then a single cert was also issued: crt.sh | 213276370

So, you can
certbot delete
and go through the list removing any that have names incorrectly grouped.
Or delete them all and get new certs ensuring to include only the names that you want grouped together in the same cert request.

Before you go deleting things, keep in mind the Let’s Encrypt rate limits.

https://letsencrypt.org/docs/rate-limits/

In particular, if 20 certificates for the domain kwikkopy.com.au have already been issued this week, you won’t be able to create more immediately.

Why do you need or want a large number of certificates? Why not use the big certificate you have now?

Well I can, but it seems wrong that they are grouped under another sub-domain, but if that will work for any of those sub domains associated with that certificate I’ll just keep it as is now, because of the rate limiting issue.

If it works I'm fine with this, I was just coming from my mental map and comparing it to the mess I made

I agree with @mnordhoff: the big certificate can actually be useful because of Let’s Encrypt rate limits. If you made several large certificates instead of many small certificates, you might not have encountered the rate limit as quickly. Now that you’ve encountered the rate limit, you may have to wait for a few days in order to be able to issue more certificates.

A certificate containing several or many subject alternative names, like this one, is considered valid for any of those names. Let’s Encrypt allows you to request certificates that cover up to 100 names per certificate, which can be related to each other in any way, or not related to each other at all.

For historical reasons, certificates contain a list of Subject Alternative Names (up to 100, for Let's Encrypt) and (almost always) a Common Name field, which contains only 1 name. (That name is also included in the SAN list.)

The Common Name field has been deprecated and obsolete for about 15 years; naturally almost every certificate still includes it.

Unless you're dealing with really, really obsolete software (circa 2000-2005, wget until 2011, or some obscure client of questionable utility) none of this matters. The client consults the SAN list, and may even entirely ignore the CN field.

(Browser "certificate info" windows still often display the CN with misleading prominence and bury the SAN list. This is bad UI design, but doesn't significantly matter.)

As Certbot and Let's Encrypt are designed, they stuck the first name in the first "-d" argument in the Common Name field, Certbot used it in its filenames, and it's displayed more prominently in "certbot certificates". But none of it matters in any practical way.
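As an added illustration of the point made in the posts above (it is not part of any post in this thread, nor Certbot's own code): which certificate serves a hostname is decided by the Domains (SAN) list, not by the Certificate Name. The sketch parses `certbot certificates` output in the layout shown earlier; the example.com names are constructed, and `parse_lineages`, `covering` and `redundant` are hypothetical helper names.

```python
import re

# Constructed sample in the layout of `certbot certificates` (hypothetical names).
SAMPLE = """\
Found the following certs:
  Certificate Name: www.a.example.com-0001
    Domains: www.a.example.com
    Expiry Date: 2017-12-18 08:58:00+00:00 (VALID: 84 days)
  Certificate Name: www.a.example.com
    Domains: www.a.example.com,www.b.example.com,www.c.example.com,
  Certificate Name: www.b.example.com
    Domains: www.b.example.com
"""

def parse_lineages(text):
    """Return {certificate name: set of names in its Domains (SAN) list}."""
    lineages, current = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Certificate Name":
            current = value.strip()
            lineages[current] = set()
        elif key == "Domains" and current is not None:
            # Accept commas (as on this page) or whitespace as separators.
            lineages[current] = {n.lower() for n in re.split(r"[,\s]+", value) if n}
    return lineages

def covering(lineages, hostname):
    """Lineages whose SAN list holds hostname; the certificate name plays no part."""
    return sorted(c for c, sans in lineages.items() if hostname.lower() in sans)

def redundant(lineages):
    """Map each lineage whose names are a strict subset of another's to that one."""
    found = {}
    for name, sans in lineages.items():
        for other, other_sans in lineages.items():
            if sans and other != name and sans < other_sans:
                found[name] = other
                break
    return found

if __name__ == "__main__":
    certs = parse_lineages(SAMPLE)
    print("www.c.example.com is served by:", covering(certs, "www.c.example.com"))
    for small, big in redundant(certs).items():
        print(f"{small}: every name is also on {big}")
```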

ok wow the support here is really nice… Thank you all for commenting…

Trying now to make sure it works. If I want to move my certbot (on local) up to the server is this possible? I’m just doing everything manually at this point, no automation.

Certbot is really intended to be run on the server rather than on your own computer. It can potentially automatically configure Apache or nginx for you and also renew the certificates automatically!

Yep that’s why I want to move it there

hi @brettskiii

Can I ask why you are trying to use Let’s Encrypt?

I know this is a Let’s Encrypt forum but you have what looks like a redirect straight to your www.kwickcopy.com.au website which has a valid certificate from Comodo.

One of the things that is good to understand is what exactly you are trying to do.

This will allow people to give accurate advice. I think you know the end goal but haven’t explored the options and are jumping around.

A) Is your end state that each store has their own domain in the form www.storelocation.kwikcopy.com.au
B) Will different stores have different portals or will they just redirect to your www.kwikcopy.com.au parent domain
C) I assume when people go to a store site for example https://www.adelaide.kwikcopy.com.au they are getting redirected to your parent domain with no issues (is this the role of the SSL certificate from let’s encrypt?)
D) I can see some of the stores do not redirect cleanly - are you updating the binding for each store?

E) Are you aware of DNSMADEEASY API and how it might potentially simplify things for you? https://www.dnsmadeeasy.com/integration/restapi/ and more specifically https://github.com/certbot/certbot/tree/master/certbot-dns-dnsmadeeasy

F) Are you using APACHE with Wordpress?? Are you aware of the Apache plugin and how it could potentially make things easier for you?

Andrei

  1. We moved our website to SSL.
  2. After this I discovered we had sub-domains advertised 2 levels deep (www.adelaide.kwikkopy.com.au), which weren’t covered by our wild card cert. Letsencrypt site said it doesn’t cover wildcard certs so didn’t get the core cert done this way. Yes I know it’s coming but it’s not here today.
  3. Therefore my only way I know to get these 2 level deep sub-domains working with SSL is to have a cert for each one, or a grouped cert. I’ve done a few but need to work through the rest, and that is where I was getting the error.
  4. Yes they redirect to the main site, but those redirects break if SSL isn’t setup correctly.
  5. Yes I know about the plugins, automations etc but the webserver hosts several sites, and there is some overhead in learning all the eco-system of tools so my focus has just been getting the certs done, and then I can circle back and learn all the tooling.
  6. Yes I know DNSMADEEASY has an API, I’m not sure what value that will add as all the domains and verifications are setup.

great

Then I would suggest one certificate with all your www.shopname.kwikkopy.com.au subdomains

I wrote an article about the DNS validators and how they can help automate things even further (not needing to manually add dns records). Tutorial - Certbot Cloudflare DNS with Apache Web Servers on Ubuntu 16.10

The second option is if you have bindings/vhosts for each of your sites in apache the apache plugin will do all the work of setting up the challenges for you. This also has the advantage that it will create the HTTPS bindings or update them for you for the new certificate (which may make things easier).

If you run certbot --apache --staging you can see how this works

When you are trying things out it is recommended that you use the staging server as it’s unlikely to hit a rate limit while you are configuring various aspects.

Both the DNS authenticators and the apache installer are designed to make things easier (ACME is supposed to be fairly automated) and it’s worthwhile getting this right now as you have to do this every 3 months

Andrei