Import/export to second machine using win-acme

bnicer · December 31, 2020, 1:31pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: (www).teanow5pm.co.uk

I ran this command: F:\letsencrypt\wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"

It produced this output: Failed to create order: Error creating new order :: too many certificates already issued for exact set of domains: www.teanow5pm.co.uk: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version): WAMP -- Apache 2.4.38b

The operating system my web server runs on is (include version): Windows 10

My hosting provider, if applicable, is: me -- local domain that emulates live server (development), although the domain is real

I can login to a root shell on my machine (yes or no, or I don't know): command prompt only on Windows

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): n/a

Hello,
The other day I dusted off a Windows 10 PC I rarely use. I keep it as a spare machine, in case my primary PC explodes. Both machines are used for development of my website. Both have WAMP servers and point to my test version of teanow5pm.co.uk that is not be confused with the live server version that also exists.

On the spare machine the letsencrypt certificate for teanow5pm.co.uk had expired in July, so I went to my main machine and copied the valid certificate (until Jan 31, 2021) over to the other computer. I remember this worked before in the past, probably before March 2020. I copied the certificate, but it failed. Copying to another machine invalidated the certificate, while force renewing the certificate on the machine produced an error:

[EROR] Account found but no valid Signer could be loaded

A similar error was reported, described and resolved on github here:

Import/export to other server #1131

Unfortunately, importing/exporting, as suggested in the github topic, continued to produce the same error, on the second PC, that is.

So I installed the latest version of win-acme, v2.1.13.978 (x64, ReleasePluggable), deleted the existing certificate, and issued a certificate from scratch. It worked, but I used up my Certificates per Registered Domain limit in the process of trying to fix the error. You are allowed 5 duplicate certificates per week.

On my main machine I likewise installed the latest version of win-acme. The previous version I used was win-acme v2.1.4.710. That version had a bug that prevented Task Scheduler in Windows 10 from automatically renewing certificates:

F:\letsencrypt\wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/".

I found it necessary to manually renew the certificate instead every few months.

The Task Scheduler bug is apparently fixed in the v2.1.13.978 release.

The renewal task ran as scheduled (daily at 9.00) the next day, and promptly it ran against my exceeded rate limit:

[ERR] Failed to create order: Error creating new order :: too many certificates already issued for exact set of domains: www.teanow5pm.co.uk: see https://letsencrypt.org/docs/rate-limits/

My question here is whether there shouldn't be separate Certificates per Registered Domain limits on a per machine basis. In my opinion, it would make sense, because the two certificates issued are different.

Note that I have had to disable the Task Scheduler task for a week to prevent the error. I hope the renewal task will work again next week without generating an error because the rate limit has been temporarily exceeded this week. At the moment (this week) renewing is impossible. Fortunately, the existing certificate won't lapse until January 31.

Thanks for your reply.

JuergenAuer · December 31, 2020, 1:37pm

Hi @bnicer

that's a waste of resources. You have created 5 identical certificates, that's already bad.

Create one certificate, then use it 60 - 85 days.

Your website works with a Cloudflare certificate. So your internal certificate should be correct, so you have one.

Export that certificate (or it should be already saved on your local system) and import it to your second server.

Multiple servers with the same domain name (one online, others as backup) ->> one certificate is enough.

bnicer · December 31, 2020, 2:00pm

Thanks for the reply. You refer to the live domain. Cloudflare indeed issues certificates that don't interfere with the letsencrypt certificates I use locally.

The five certificates came about because I tried re-using the same certificate locally on two separate machines. Admittedly it was my mistake, but I did not know I had to reissue a brand new letsencrypt certificate, as the Signer was not recognized, for the second machine. Effectively, to use to machines, requires two Signers, and two certificates. This was unnecessary previously where one Signer and a single certificate could be exported or copied between machines for the test site. Why do I need two Signers?

I am waiting for next week. Hopefully the exceeded rate limit of five was the only error. Maybe having two Signers is going to cause a new issue. Is one Signer a limit?

bnicer · December 31, 2020, 3:12pm

Hi @JuergenAuer,

You also recommend, if I understand your suggestion, that I export a Cloudflare cert onto my local machines.

I don't know whether this is practicable or practical. Only CF can renew the cert. That would mean importing it when it's renewed, every time it expires. Also, somehow the CF service -- it caches files -- may be linked to Cloudflare issuing its certificates. I certainly don't want CF caching local files.

An interesting idea though. I wonder if exporting CF certificates to a WAMP environment has ever been done.

bnicer · December 31, 2020, 6:56pm

Update: Following standard procedure for migrating a cert from one server to another according to the win-acme documentation, I was able to copy the recently generated certificate with an expiry on March 31st from the secondary machine onto the primary machine. Without a hitch. As mentioned above, I used up my (five) weekly renewals attempting unsuccessfully to migrate the original cert from the primary machine onto the second machine. As to why the original cert was invalid when copied, I simply don't know. I checked the renewal details.

12/29/2020 00:22:29 - Error - Unable to create order
12/29/2020 00:26:58 - Error - Unable to create order
12/29/2020 00:28:15 - Error - Unable to create order
12/29/2020 00:28:58 - Error - Unable to create order
12/29/2020 00:40:39 - Error - Unable to create order
12/29/2020 11:54:25 - Error - Unable to create order

Which accounts for my five failures. Six here. One by Task Scheduler at 11:54:25.

My best guess is that win-acme v2.1.4 omitted an order for a certificate, which win-acme v2.1.13 was unable to create. That does not explain why the original certificate on the primary machine was always invalid on the secondary machine.

Using win-acme v2.1.13 seems for now to have solved the order problem.

In March we'll see if the renewal is automatic.

JuergenAuer · December 31, 2020, 7:12pm

No. I don't understand your idea, that's not possible. You don't have the private key, so you can't use that certificate on your local machine.

The only thing: I see only your Cloudflare certificate, I don't see a Letsencrypt certificate. But that's expected if you use Cloudflare. Your real configuration is hidden, that's all.

That's expected if you have already created 5 identical certificates. May be you have additional certificates and cron jobs, so unused certificates are created.

bnicer · December 31, 2020, 7:39pm

@JuergenAuer

To the best of my knowledge, no. On Windows, Task Scheduler is supposed to check daily if a certificate is due for renewal and renew it a week or two before it expires. I'm sure the task wasn't running however. Ordinarily it would write a log file in the certificate folder every day. Log files were conspicuously absent. My only renewals were manual -- I think twice, possibly three times, this year since the transition to HTTP / 2.0 in March.

I don't mind having a "new" cert this time versus a "renewed" cert. win-acme v2.1.13 actually creates an order json file placed in a folder.

{"Payload":{"status":"pending","expires":"2021-01-05T00:12:07.063863586Z","notBefore":null,"notAfter":null,"identifiers":[{"type":"dns","value":"www.teanow5pm.co.uk"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz-v3/9653332165"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/107715044/6998704452"},"OrderUrl":"https://acme-v02.api.letsencrypt.org/acme/order/107715044/6998704452"}

win-acme 2.1.4 was missing that file and folder. Whatever that means. A bug or my fault.

system · January 30, 2021, 7:40pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Acme-v2 warning vs. acme-v1 Help	7	4204	March 21, 2020
Exchange letsencrypt Help	4	3108	August 21, 2020
ACMEv1 update to ACMEv2 Help	2	790	May 27, 2020
Cannot create order or certificate Help	16	2905	December 10, 2021
Help for Novice Help	7	639	September 26, 2020

Import/export to second machine using win-acme

Related topics