Increase the limit for my domain

enpiotr · November 13, 2016, 12:53pm

I ran this command:
I’m student who want to develop web application with webRTC (https://freeswitch.org/confluence/display/FREESWITCH/WebRTC)
I used https://www.sslforfree.com to create a new cert. I crossed the limit. I want to ask for to increase the limit for my domain.

My domain is:
http://nexthub.xyz/

It produced this output:
Certificate signature failed. If you supplied your own CSR make sure the
domains on it match what you put on SSLForFree. If there is a rate
limiting error at the end of this paragraph certificates per Domain is currently 5 per 7 days. Try asking Lets Encrypt
to increase the limit or wait 7 days. Rate limits should increase in
the near future. {
“type”: “urn:acme:error:malformed”,
“detail”: “Error parsing certificate request. Extensions in the CSR
marked critical can cause this error:
https://github.com/letsencrypt/boulder/issues/565”,
“status”: 400
}
My operating system is (include version):
CentoOs

My web server is:
Apache

My hosting provider, if applicable, is:
Azure
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

serverco · November 13, 2016, 1:24pm

For development purposes you should use the test / staging server - as this doesn’t have the restrictive limits

pfg · November 13, 2016, 3:11pm

Note the if in “If there is a rate limiting error at the end of this paragraph […]”. You’re not running into a rate limiting error, and in fact I don’t see any issued certificates for your domain when I search on https://crt.sh/.

Judging by the error message, it seems like there’s an issue with the CSR you generated. If you could share the steps you took to generate that CSR and/or the CSR itself (no worries, CSRs don’t contain any secret information), we can probably figure out what the problem is.

enpiotr · November 14, 2016, 8:02am

Hi,
In a first step, i used:
-----BEGIN CERTIFICATE REQUEST-----
MIIE/TCCAuUCAQAwgYUxCzAJBgNVBAYTAlBMMQ0wCwYDVQQIEwRXTEtQMQ8wDQYD
VQQHEwZQT1pOQU4xDDAKBgNVBAoTA1NTTDEMMAoGA1UECxMDU1NMMRQwEgYDVQQD
EwtuZXh0aHViLnh5ejEkMCIGCSqGSIb3DQEJARYVd2VibWFzdGVyQG5leHRodWIu
eHl6MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxTYDKzfeTEiawWtr
8bS4RE+m83kPYlrPyqjyRzsjXVQ9VrLhxhSi2+NZeelWayTFLrG9XqqjSSYeTaqX
VeZyFsXjMgoDXZyb+T0Z0SUQkRb4XtETmFJ/5kEPWiBidsEH3uMCCNlBJm2TG9RF
YJ5mjlYqMhGwq2vaFoc9tnbsBi523U0WuIH6FHmhf8c2kopF9DL42vim6IxHfuRE
cqXJG7BCwXbf9OTvGmckub027HLkvTVPnwMRrT6jfrfEuFYkKD6bE85Bu3tguhs0
YlK5zudQc6zTBLm7dK/CyevC/I0LNPCiho8keLPMJ3lo6GUM1EZFsb10mSzXIiPF
N5xOoEx1NzC1K9rINS4r5xmkoLUh/K5EnXWCsrb9TfKWqeo1KFR6nMkCZINAOX0T
lfLt8nBGn+XBjnZIJTB+smJWhmHmtWu2fhwajmmOSkLFeFYeUCr5OasH8JxlGcGh
NJbZKYOm01hvuTHdLZEWPDCqTRKMZg5LdC3jq0EjExdSoJoB0d+pnowiRMWJv5K2
NGiYXrRtlOOunLrh4ux+vfpOJhq6r4Q7So5aeQTkPXnx6shnZPXt+rLnSDh0/dcj
gKNYOWzE+dixtOok1x0xJKb7Sja2Fap1dJcdoPIijuiDRfxR4IAuTOfLMzxYgapJ
GNxFlMT0ZdJRqzMm+TrOykevPqsCAwEAAaAyMDAGCSqGSIb3DQEJDjEjMCEwEQYJ
YIZIAYb4QgEBBAQDAgZAMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQADggIB
ALVj6Jwa48o3cbJ37dupwK2xWIJFOQ3lUV7e6HCkZiVs3C81CnDF2I4eU7G6KlFj
VbfwLx22fyWnKHSg95S0anm7a2XkRlHUByMGUuN+Qqw51wIDrzsfTN6HXSzKpEVt
cW99jsu/1kipOPYdterRi8suxPyvaxaxYxhyR6vcquxOAPz08D6QGe97i2KRgcAP
DkyYDTzlHtmwMno2V38FS3II27JdlLogzLdsEcbY5pugFLZ1ldDXeN5U7UQgae50
68S2LP+LdawGfAnY0iQTrRK+w/57Z5nqWk2OATcIOSeBQe/zgK9D5UycfULdcJoi
zT3eFTNGasO5Opc3oHgL4FYNIYwh7G4eX5rTrQbM5d7q7FI5g6ZTH8xR1XqYRz4v
wqlzcAQaB2xqkW9TsjiD8YxG5nRFRUSXdUfRynv+aTTpvPxmrBquTLQ2ES3MKpSM
qou8aRyxJx8tNnTyyqZvXKatSq2OyVoJFyawUnUMaQkNqUKVCtgSmRBKEiuXE8YA
QU9cYersnYABEGa9hZ4IjjZSNwuI5hIQCU1kcnsegC2H0yJ2YVMj6a25AjNCRpjJ
koCKrIsB7fAGMiZW3f47adYjm5zujMowS2MuIvfKbKzfAU4uGoY2uk41zvMplGwp
nA2JIp4DHWIIFQg7kTQfsgT4axwS6bBDV+pJxsiHgnTT
-----END CERTIFICATE REQUEST-----

In a second step, i used:
MIIE/TCCAuUCAQAwgYUxCzAJBgNVBAYTAlBMMQ0wCwYDVQQIEwRXTEtQMQ8wDQYD
VQQHEwZQT1pOQU4xDDAKBgNVBAoTA1NTTDEMMAoGA1UECxMDU1NMMRQwEgYDVQQD
EwtuZXh0aHViLnh5ejEkMCIGCSqGSIb3DQEJARYVd2VibWFzdGVyQG5leHRodWIu
eHl6MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxTYDKzfeTEiawWtr
8bS4RE+m83kPYlrPyqjyRzsjXVQ9VrLhxhSi2+NZeelWayTFLrG9XqqjSSYeTaqX
VeZyFsXjMgoDXZyb+T0Z0SUQkRb4XtETmFJ/5kEPWiBidsEH3uMCCNlBJm2TG9RF
YJ5mjlYqMhGwq2vaFoc9tnbsBi523U0WuIH6FHmhf8c2kopF9DL42vim6IxHfuRE
cqXJG7BCwXbf9OTvGmckub027HLkvTVPnwMRrT6jfrfEuFYkKD6bE85Bu3tguhs0
YlK5zudQc6zTBLm7dK/CyevC/I0LNPCiho8keLPMJ3lo6GUM1EZFsb10mSzXIiPF
N5xOoEx1NzC1K9rINS4r5xmkoLUh/K5EnXWCsrb9TfKWqeo1KFR6nMkCZINAOX0T
lfLt8nBGn+XBjnZIJTB+smJWhmHmtWu2fhwajmmOSkLFeFYeUCr5OasH8JxlGcGh
NJbZKYOm01hvuTHdLZEWPDCqTRKMZg5LdC3jq0EjExdSoJoB0d+pnowiRMWJv5K2
NGiYXrRtlOOunLrh4ux+vfpOJhq6r4Q7So5aeQTkPXnx6shnZPXt+rLnSDh0/dcj
gKNYOWzE+dixtOok1x0xJKb7Sja2Fap1dJcdoPIijuiDRfxR4IAuTOfLMzxYgapJ
GNxFlMT0ZdJRqzMm+TrOykevPqsCAwEAAaAyMDAGCSqGSIb3DQEJDjEjMCEwEQYJ
YIZIAYb4QgEBBAQDAgZAMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQADggIB
ALVj6Jwa48o3cbJ37dupwK2xWIJFOQ3lUV7e6HCkZiVs3C81CnDF2I4eU7G6KlFj
VbfwLx22fyWnKHSg95S0anm7a2XkRlHUByMGUuN+Qqw51wIDrzsfTN6HXSzKpEVt
cW99jsu/1kipOPYdterRi8suxPyvaxaxYxhyR6vcquxOAPz08D6QGe97i2KRgcAP
DkyYDTzlHtmwMno2V38FS3II27JdlLogzLdsEcbY5pugFLZ1ldDXeN5U7UQgae50
68S2LP+LdawGfAnY0iQTrRK+w/57Z5nqWk2OATcIOSeBQe/zgK9D5UycfULdcJoi
zT3eFTNGasO5Opc3oHgL4FYNIYwh7G4eX5rTrQbM5d7q7FI5g6ZTH8xR1XqYRz4v
wqlzcAQaB2xqkW9TsjiD8YxG5nRFRUSXdUfRynv+aTTpvPxmrBquTLQ2ES3MKpSM
qou8aRyxJx8tNnTyyqZvXKatSq2OyVoJFyawUnUMaQkNqUKVCtgSmRBKEiuXE8YA
QU9cYersnYABEGa9hZ4IjjZSNwuI5hIQCU1kcnsegC2H0yJ2YVMj6a25AjNCRpjJ
koCKrIsB7fAGMiZW3f47adYjm5zujMowS2MuIvfKbKzfAU4uGoY2uk41zvMplGwp
nA2JIp4DHWIIFQg7kTQfsgT4axwS6bBDV+pJxsiHgnTT

Piotr

serverco · November 14, 2016, 9:06am

Have a look at https://community.letsencrypt.org/t/problem-with-csr-for-only-one-dns-name/

Ideally you should be using the SAN’s (not providing everything on the Subject - Let’s encrypt can’t validate information such as country and city codes).

You should also sign it with sha-256 rather than sha-1 I believe.

What is your operating system ? how are you generating the csr ?

enpiotr · November 14, 2016, 9:43am

CentOS 6

My scenario:
wget http://files.freeswitch.org/downloads/ssl.ca-0.1.tar.gz
tar zxfv ssl.ca-0.1.tar.gz
cd ssl.ca-0.1/
perl -i -pe ‘s/md5/sha256/g’ *.sh
perl -i -pe ‘s/1024/4096/g’ *.sh
./new-root-ca.sh
./new-server-cert.sh nexthub.xyz

serverco · November 14, 2016, 10:11am

OK, so that's using openssl.
I'd suggest creating a basic openssl.conf file

# minimal openssl.cnf file
distinguished_name  = req_distinguished_name
[ req_distinguished_name ]
[v3_req]
[v3_ca]
[SAN]
subjectAltName=DNS:nexthub.xyz

create a domain key

openssl genrsa 4096 > domain.key

then create the csr

openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config openssl.conf > domain.csr

system · December 14, 2016, 10:11am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.