Cert is due for renewal, auto-renewing…
Renewing an existing certificate
/usr/lib/python2.7/dist-packages/acme/jose/jwa.py:110: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
http-01 challenge for gallifrey99.midcoip.net
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
Attempting to renew cert from /etc/letsencrypt/renewal/gallifrey99.midcoip.net.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: gallifrey99.midcoip.net: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gallifrey99.midcoip.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
@DrMac, have you deleted files from those two directories? If not, it sounds like Certbot -- or this Certbot -- wasn't what issued the last score or so of certificates...
Still, there are lots of valid certificates, issued from June 5 to yesterday (or possibly even more recently). Do you know what's creating them? Certbot? A different ACME client? A different computer?
Could /etc/letsencrypt/ have been reverted to an older version? Like if certificates are getting issued in temporary Docker environments and subsequently erased, or if the disk failed and the computer was restored from a month-old backup...?
When was the last time you tried to renew it? As far as the logs on crt.sh are aware, only 2 duplicate certificates have been issued within the last week, so you can still issue 3 more. But its information can be a little out-of-date.
Unfortunately the crt.sh backlog is still massive (but the ingester is being rewritten so hopefully it will be fixed soon), so the UI is not accurate. It seems like the domain is actually rate limited.
Apart from that, it may be worth checking out whether you can upgrade from Certbot 0.10 to a recent version; there are a tonne of missing bugfixes in the interval.
I’ve deleted the files from the directory & tried a few times with the same errors.
I’m not sure what would be issuing new certificates… this is running on RPI3, Openhabian.
I have not restored any backups.
Last attempt (other than today) to renew was when I was testing…2 1/2 months ago.
There are a lot listed there. Here are the first few:
/var/log/letsencrypt/letsencrypt.log.39:2018-06-27 17:26:41,520:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.11:2018-07-04 21:17:34,073:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.44:2018-06-25 05:32:11,548:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.84:2018-06-05 05:15:58,287:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.56:2018-06-19 05:00:49,192:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.203:2018-04-07 21:18:17,777:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.47:2018-06-23 17:11:41,747:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.219:2018-04-05 02:18:05,834:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.58:2018-06-18 05:38:06,503:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.81:2018-06-06 17:18:41,997:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.65:2018-06-14 17:10:39,046:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.16:2018-07-04 20:58:26,049:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.38:2018-06-28 05:30:26,414:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.197:2018-04-10 03:06:23,287:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.77:2018-06-08 17:44:59,287:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.14:2018-07-04 21:05:29,389:INFO:certbot.auth_handler:tls-sni-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.35:2018-06-29 17:34:04,250:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.73:2018-06-10 17:26:06,653:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.21:2018-07-04 20:17:14,732:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
This seems like maybe my Rpi is trying to auto renew then?
It may also help to post the full contents of /var/log/letsencrypt/letsencrypt.log.38. If Certbot crashed before it saved the certificate to the filesystem, it would be visible here.
Otherwise, @mnordhoff’s theory about you inadvertently deleting the certificates would seem to be likely.
I remember when I was first trying to set this up it installed several times & I believe I deleted some items that were duped: gallifrey99.midcoip.net-0001 & gallifrey99.midcoip.net-0002
The live/gallifrey99.midcoip.net/ symlinks are pointing to the archive/gallifrey99.midcoip.net-0002/ directory. Certbot saves the new certificates to archive/gallifrey99.midcoip.net/ but can't find them again because the symlinks are pointing elsewhere. So you're still using the older certificate, and Certbot is renewing repeatedly and unnecessarily and issuing dozens of duplicate certificates.
Take a backup of /etc/letsencrypt/ and fix the symlinks. Unless I made a typo, it should be:
(Edit: I did make a mistake. I wrote "../../gallifrey99.midcoip.net/" instead of "../../archive/gallifrey99.midcoip.net/". Fixed now.)
In future, you can use "sudo certbot delete --cert-name example.com-0001" to delete all of a certificate's files. (I'm not certain Certbot 0.10.2 supports it, though.)
You can also use e.g. "certbot --apache --cert-name example.com -d example.com -d www.example.com" to issue a new certificate and replace an existing one even if Certbot doesn't want to (because it's not a superset of the existing example.com certificate's names). Again, I'm not certain 0.10.2 supports that option.
Certbot doesn't have a built-in command to rename a certificate. I'd suggest avoiding renaming if possible... If you have to rename something, you need to adjust the symlinks in /etc/letsencrypt/live/ and possibly rename and edit the conf file in /etc/letsencrypt/renewal/.
target /etc/letsencrypt/gallifrey99.midcoip.net/cert2.pem of symlink /etc/letsencrypt/live/gallifrey99.midcoip.net/cert.pem does not exist
Renewal configuration file /etc/letsencrypt/renewal/gallifrey99.midcoip.net.conf is broken. Skipping.
No renewals were attempted.
Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/gallifrey99.midcoip.net.conf (parsefail)
0 renew failure(s), 1 parse failure(s)
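The symlink fault diagnosed in this thread can be checked for mechanically. The following is an added example, not part of the original posts and not Certbot's own code: a POSIX shell audit that flags live/ links that dangle (the "target ... does not exist" parse failure), point into another lineage's archive directory, or lag behind the highest-numbered file in archive/. The function names audit_lineage and make_sample are hypothetical, and the directory tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): audit Certbot's live/ symlinks.
# Expected layout: live/<name>/<item>.pem -> ../../archive/<name>/<item>N.pem

# audit_lineage ROOT NAME: print one finding per bad link; status 1 if any.
audit_lineage() (
    root=$1; name=$2; bad=0
    for item in cert chain fullchain privkey; do
        link="$root/live/$name/$item.pem"
        if [ ! -L "$link" ]; then
            echo "$item.pem: not a symlink"; bad=1; continue
        fi
        target=$(readlink "$link")
        lineage=$(basename "$(dirname "$target")")
        # Highest version number saved under this lineage's own archive dir.
        newest=$(ls "$root/archive/$name" 2>/dev/null |
                 sed -n "s/^$item\([0-9][0-9]*\)\.pem\$/\1/p" | sort -n | tail -n 1)
        if [ ! -e "$link" ]; then
            echo "$item.pem: target $target does not exist"; bad=1
        elif [ "$lineage" != "$name" ]; then
            echo "$item.pem: points into archive/$lineage, newest in archive/$name is ${newest:-none}"; bad=1
        elif [ "$(basename "$target")" != "$item$newest.pem" ]; then
            echo "$item.pem: not the newest, archive/$name has $item$newest.pem"; bad=1
        fi
    done
    exit "$bad"
)

# make_sample ROOT: constructed tree reproducing the situation in the thread.
make_sample() (
    d=gallifrey99.midcoip.net
    mkdir -p "$1/live/$d" "$1/archive/$d" "$1/archive/$d-0002"
    for item in cert chain fullchain privkey; do
        : > "$1/archive/$d-0002/${item}1.pem"   # old certificate still served
        : > "$1/archive/$d/${item}1.pem"        # duplicates saved by renewals
        : > "$1/archive/$d/${item}2.pem"
        ln -s "../../archive/$d-0002/${item}1.pem" "$1/live/$d/$item.pem"
    done
)

# Demo on the constructed tree; nothing under /etc/letsencrypt is touched.
tmp=$(mktemp -d)
make_sample "$tmp"
audit_lineage "$tmp" gallifrey99.midcoip.net || echo "lineage needs repair"
rm -rf "$tmp"
```

Run against a real installation as audit_lineage /etc/letsencrypt NAME, after taking the backup recommended above; the check only reads the tree.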