I keep getting this when trying to renew an expired certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
dinetechcb.dyndns.org
I ran this command: "Renew Certificate" for dinetechcb.dyndns.org Let's Encrypt Authority X3, Expired 2020-05-15. It compiles a file and tells me to send it to a third party CA. If I'm RENEWING a Let's Encrypt certificate, why doesn't it automatically go to Let's Encrypt?
If I chose Create a Let's Encrypt certificate is gives me this: "According to Let's Encrypt policies, the number of email addresses for certificate registration and the number of certificate requests for a domain are both limited."
At no time did I ever get an email from Let's Encrypt that my certificate was expiring and Synology is suppose to Auto-renew.

My web server is (include version): NA

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): I have Admin RW

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

Welcome to the Let's Encrypt Community, Tom :slightly_smiling_face:

It appears you've hit the duplicate certificate limit (5 certificates with the same SANs in any order in any given 7-day period) for dinetechcb.dyndns.org.

Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains.

dinetechcb.dyndns.org certificates
2 Likes

In this case, it's actually dinetechcb.dyndns.org which is rate limited. dyndns.org is on the PSL.

It looks like 5 duplicate certificates for this domain were created 5-6 days ago, so you'll have to wait another 22-ish hours in order to create another certificate.

I guess you should also look into why Synology is continually renewing this certificate, instead of using the certificate that it just renewed recently.

3 Likes

In this case, dyndns.org is included in PSL so the apex domain is actually dinetechcb.dyndns.org

Edit: I didn't see @_az already said it.

1 Like

Yeah, you just got ahead of me as usual, @_az. :slightly_smiling_face:

I even posted a link to the PSL before checking it.

:man_facepalming:

1 Like

I get it already. I jumped the gun before finishing my check. :slightly_smiling_face:

3 Likes

@_az, @sahsanu

What I don't get is what happened. Based on the certificate history, it looks like the autorenewals were going great for a year then suddenly there's an early renewal five times?

2 Likes

Yeah, that is strange but maybe op has been trying to do it manually or it is automatic but it is not finishing the process to install it on the system and it is trying to do it once and again. I've never used Synology so no idea how it works.

3 Likes

I believe it to be a manual attempt too. The autorenewal shouldn't have even been attempted until late February.

2 Likes

Thank you.....according to Synology, a monkey could do this, so I guess I'm not as smart as a monkey

3 Likes

Thank you, but if it was just renewed recently, it never got back to me nor the server.
It was simple setting up and in reading all about how many certificates you can have (5000) this makes not sense, but it's out of my wheel house of understanding......sorry

2 Likes

@CB57

Autorenewal of your certificate shouldn't have even been attempted until late February. Did you try to manually renew/reissue the certificate?

2 Likes

I attempted this after installing a Synology router. I forgot to open the 443 and 80 port and tried too many times. It's open now, so do I have to wait 10 days and it should renew? Or 22ish hours?
Thanks again for helping.

1 Like

20 hours, at 2021-Jan-09 21:12:00 UTC you should be able to issue a new cert for your domain.

2 Likes

Yet you were able to successfully acquire 5 certificates in under a week? Where did they go?

1 Like

I have no Idea, but thank you for your help……………I’m all setup now. I was able to renew today. I’ve setup 90 day reminders and will see if Synology auto-renews, like they say

Tom

1 Like

Thank you, Sahsanu, I was able to renew all today and have setup 90 day reminders in case Synology doesn’t auto-renew

Tom

2 Likes