Unable to revoke the certificate

I can read answers in English: Yes

My domain name is: safescreen.atchikservices.com

I ran this command: ./certbot-auto certonly --manual --preferred-challenges=http -d safescreen.atchikservices.com -d nonexistent.safescreen.atchikservices.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: safescreen.atchikservices.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): Apache

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes, via SSH

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

Question 🙂

Hi,

As my certificate wasn’t renewed, and certbot didn’t want to renew it, I tried to delete the cert files and ask for a new one, but I hit the limitation. I don’t really know for how long the limitation is blocking me but, as it’s the certificate for our webservice production server, it’s actually blocking our activity. I obviously tried to revoke the cert, but it hits the same limit. Is there a way to proceed, or someone to contact and prove our identity to, to revoke the cert or unlock our limitation?

Regards,
Mathieu

1 Like

Revocation does not affect rate limits.

Apart from waiting, the only way to circumvent the rate limit would be to add a third domain name to your certificate request (even if you do not need it).

2 Likes

Hi @_az and thanks for your answer!

As I deleted the files, I have to ask for a new cert to be able to revoke it (it’s what I understood, maybe I’m totally wrong), that’s why I’m hitting the rate limit again.

Could you explain to me how I can revoke? Or maybe how I can add a third domain to my request?

Thanks again!

1 Like

Revocation is not a way to avoid rate limits. In your situation, revocation will not help you.

Yes, you can just add to your command:

-d third-domain.safescreen.atchikservices.com

You will need to complete the challenge for this domain, so you will need to choose a domain that exists, or create a new one.

1 Like

Thanks again for your answer. Does the third domain have to be a subdomain of my main domain?

No, it can be a different Registered Domain name, if you want.

The purpose of the third domain on the certificate is so that the certificate is unique (and therefore not a duplicate counted for rate limits).

1 Like
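The two answers above (add a third name to the order; revocation does not help) both come down to how the duplicate-certificate limit is keyed: on the exact, order-independent set of names in the order. The following model is an added example written for this page, not code from the thread, from certbot or from Let's Encrypt's Boulder CA. It assumes the limit is 5 certificates per rolling 7 days for an identical name set (the figure on the linked rate-limits page at the time); the timestamps and the `DuplicateCertLimiter` class are constructed for illustration.

```python
"""Model of the 'too many certificates already issued for exact set of
domains' limit. Added example, not from the forum thread or from any
Let's Encrypt software. Limit and window values are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5         # assumption: 5 duplicate certs per window
WINDOW = timedelta(days=7)  # assumption: rolling 7-day window


def domain_set_key(names):
    """Normalize an order into the 'exact set of domains' the limit is
    keyed on: case-insensitive, trailing dot dropped, duplicates removed,
    order ignored. Two orders with the same key are duplicates."""
    return tuple(sorted({n.strip().lower().rstrip(".") for n in names}))


class DuplicateCertLimiter:
    """Counts issuances per name set. Revocation is deliberately absent:
    revoking a certificate does not remove its issuance from the count."""

    def __init__(self):
        self._issued = defaultdict(list)   # key -> issuance timestamps

    def record_issuance(self, names, when):
        self._issued[domain_set_key(names)].append(when)

    def would_be_allowed(self, names, now):
        key = domain_set_key(names)
        recent = [t for t in self._issued[key] if now - t < WINDOW]
        return len(recent) < DUPLICATE_LIMIT


def demo():
    """Walk through the situation in the thread with constructed dates."""
    limiter = DuplicateCertLimiter()
    now = datetime(2019, 6, 1, 12, 0)          # constructed reference time
    original = ["safescreen.atchikservices.com",
                "nonexistent.safescreen.atchikservices.com"]
    # Five issuances of the same set within the window exhausts the limit.
    for i in range(DUPLICATE_LIMIT):
        limiter.record_issuance(original, now - timedelta(days=i))
    blocked = not limiter.would_be_allowed(original, now)
    # Reordering or re-casing the names gives the same key: still blocked.
    reordered = [n.upper() for n in reversed(original)]
    still_blocked = not limiter.would_be_allowed(reordered, now)
    # Adding a third name makes a different set: a fresh counter.
    with_third = original + ["intranet.atchik-services.net"]
    allowed = limiter.would_be_allowed(with_third, now)
    # Waiting out the window also clears the original set.
    after_window = limiter.would_be_allowed(original, now + WINDOW)
    return blocked, still_blocked, allowed, after_window


if __name__ == "__main__":
    print(demo())   # (True, True, True, True)
```

The point the model makes explicit is that the extra name must actually be new to the set (and, as the answer says, resolvable so its challenge can pass); reordering the existing names or revoking the old certificate leaves the key and its count unchanged.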

OK, thanks for your answers! I'll just give you what I did; maybe you'll spot something wrong before I run the challenge:
As root I executed this command:

./certbot-auto certonly --manual --preferred-challenges=dns -d safescreen.atchikservices.com -d intranet.atchik-services.net

got this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for intranet.atchik-services.net


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: y


Please deploy a DNS TXT record under the name
_acme-challenge.intranet.atchik-services.net with the following value:

FBgQOf-wNDIKO4v8-PC6C-3c11QP4UJOWQ0t5OI-QyA

Before continuing, verify the record is deployed.


Press Enter to Continue

went to my DNS zone admin and added the entry:

I’m now waiting for the deployment to press Enter to run the challenge. Does everything look right to you, @_az?

Thanks again

Yes, it looks correct.

1 Like

Correct me if I’m wrong, @_az, but as far as I know, to check deployment I have to go to

_acme-challenge.intranet.atchik-services.net

and wait for it to return the DNS entry value, right?

The way I checked it was:

$ dig @dns14.ovh.net +noall +answer _acme-challenge.intranet.atchik-services.net txt
_acme-challenge.intranet.atchik-services.net. 86400 IN TXT "FBgQOf-wNDIKO4v8-PC6C-3c11QP4UJOWQ0t5OI-QyA"
1 Like
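The `dig` check above is the right one: querying the zone's authoritative server (here `dns14.ovh.net`) rather than a recursive resolver avoids a cached negative answer or a stale token from an earlier certbot run. The script below wraps that check so it can be run before pressing Enter. It is an added example for this page, not code from the thread or from certbot: `parse_txt_answers` reads the `dig +noall +answer` line format, `check_status` distinguishes a missing record from a stale one, and `CONSTRUCTED_DIG_OUTPUT` is a sample built from the record shown in the thread, not a live query.

```python
"""Verify an _acme-challenge TXT record at the authoritative nameserver
before telling certbot to continue. Added example, not from the thread."""
import shlex
import subprocess
import sys

# Constructed sample in `dig +noall +answer` format, using the record
# value quoted in the thread above.
CONSTRUCTED_DIG_OUTPUT = (
    '_acme-challenge.intranet.atchik-services.net. 86400 IN TXT '
    '"FBgQOf-wNDIKO4v8-PC6C-3c11QP4UJOWQ0t5OI-QyA"\n'
)


def parse_txt_answers(dig_output):
    """Return the TXT strings from `dig +noall +answer <name> txt` output.
    Each answer line is: name TTL class TXT "string" ["string" ...].
    Multiple quoted strings in one record are concatenated, which is how
    the ACME server reads a long TXT value."""
    values = []
    for line in dig_output.splitlines():
        parts = line.split(None, 4)   # name, ttl, class, type, rdata
        if len(parts) == 5 and parts[3].upper() == "TXT":
            values.append("".join(shlex.split(parts[4])))
    return values


def check_status(dig_output, expected):
    """'deployed' if the expected token is present, 'stale' if only other
    tokens are (typically left over from a previous certbot run), and
    'missing' if the name has no TXT record yet."""
    found = parse_txt_answers(dig_output)
    if expected in found:
        return "deployed"
    return "stale" if found else "missing"


def query_authoritative(name, nameserver):
    """Ask the named authoritative server directly, bypassing any
    recursive resolver cache. Requires `dig` on the PATH."""
    cmd = ["dig", "@" + nameserver, "+noall", "+answer", name, "TXT"]
    return subprocess.run(cmd, capture_output=True, text=True,
                          check=False).stdout


if __name__ == "__main__":
    # usage: script.py <record-name> <authoritative-ns> <expected-token>
    if len(sys.argv) != 4:
        sys.exit("usage: record-name authoritative-ns expected-token")
    record, ns, token = sys.argv[1:]
    status = check_status(query_authoritative(record, ns), token)
    print(status)
    sys.exit(0 if status == "deployed" else 1)
```

A "stale" result is the case worth watching for: certbot generates a new token on every run, so a TXT record left from a previous attempt will be visible in `dig` yet fail the challenge unless the value is replaced.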

I really have to thank you @_az; thanks to you we are back online. Thanks a lot!

1 Like