Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command:
Create a Docker container. The YML config is below and it's showing the Let's Encrypt parameters:
swag:
  image: linuxserver/swag #swag is the replacement for letsencrypt (see link below)
  container_name: swag
  cap_add:
    - NET_ADMIN
  environment:
    - PUID=1004 #change PUID if needed
    - PGID=104 #change PGID if needed
    - TZ=Europe/London # change Time Zone if needed
    - URL=example.com
    - SUBDOMAINS=wildcard
    - VALIDATION=http
    - EMAIL=nmax@2email.xyz # define email; required to renew certificate
  volumes:
    - /srv/....
  ports:
    - 444:443
    - 81:80
  restart: unless-stopped
It produced this output:
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
My web server is (include version):
The operating system my web server runs on is (include version):
DEBIAN, Docker, NGINX
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I am now running into a limitation (please see the error below). This is only because I have been re-installing the Docker container several times for debugging purposes of Nextcloud. Is there a way to reset this?
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: example.com: see Rate Limits - Let's Encrypt - Free SSL/TLS Certificates
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
Continually acquiring duplicate certificates is not a good idea. Unfortunately, certbot does not make things particularly easy to backup and restore certificates... yet. I've made a recommendation for a future release of certbot that could help tremendously for your type of environment. For now, you can create an archive (like a tar) of the entire /etc/letsencrypt directory structure (when it's working properly) then restore that. Adding --keep to your certbot commands will result in your certificates only being updated within 30 days of expiration and thus prevent acquisition of duplicate certificates (and hitting the rate limit below).
By the way, it appears that you originally might have intended to create an apex (example.com) and wildcard (*.example.com) certificate (A&W certificate). To do this, you will need to use either --manual --preferred-challenges dns or a DNS plugin, if possible, as @JuergenAuer mentioned above, and add -d "example.com,*.example.com" to your certbot command. You can generate such a certificate now without worrying about the rate limit, but be certain to add --keep then back everything up.
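The backup-and-restore advice above, worked through as an added example (not code from the thread, from certbot or from the SWAG image): a tarball of the whole certbot directory that keeps the live/ -> archive/ symlinks intact, and a post-restore check that nothing is dangling. Paths are parameters: on a plain certbot host the directory is /etc/letsencrypt; inside a SWAG container it sits under the /config volume (that location is an assumption, check your mount). make_sample_tree() builds a constructed stand-in with placeholder PEM files so the round trip can be exercised offline.

```python
"""Back up and restore a certbot configuration directory as a tarball
without losing the live/ -> archive/ symlinks certbot relies on.

Added example, not from the original thread, certbot or the SWAG image.
make_sample_tree() is a constructed stand-in for /etc/letsencrypt with
placeholder contents; point backup_letsencrypt() at the real directory.
"""
import os
import tarfile
import tempfile
from pathlib import Path


def make_sample_tree(parent):
    """Constructed certbot-style layout: archive/<name>/<file>N.pem holds the
    real files, live/<name>/<file>.pem are relative symlinks to them, and
    renewal/<name>.conf records the lineage. Placeholder contents only."""
    root = Path(parent) / "letsencrypt"
    archive = root / "archive" / "example.com"
    live = root / "live" / "example.com"
    renewal = root / "renewal"
    for d in (archive, live, renewal):
        d.mkdir(parents=True)
    (renewal / "example.com.conf").write_text("[renewalparams]\nkey_type = rsa\n")
    for stem in ("cert", "chain", "fullchain", "privkey"):
        (archive / f"{stem}1.pem").write_text(f"PLACEHOLDER {stem}1\n")
        os.symlink(f"../../archive/example.com/{stem}1.pem", live / f"{stem}.pem")
    return root


def backup_letsencrypt(config_dir, tar_path):
    """Archive the whole directory. tarfile stores symlinks as symlinks by
    default (dereference=False), so live/ keeps pointing into archive/;
    copying the tree with a plain `cp` would flatten them into copies and
    break certbot's lineage tracking. The archive holds private keys, so
    it is made owner-readable only."""
    config_dir = Path(config_dir)
    tar_path = Path(tar_path)
    with tarfile.open(tar_path, "w:gz") as tar:
        tar.add(config_dir, arcname=config_dir.name)
    os.chmod(tar_path, 0o600)
    return tar_path


def restore_letsencrypt(tar_path, dest_parent):
    """Unpack under dest_parent and return the restored config directory.
    The 'data' extraction filter (Python 3.12, backported to earlier patch
    releases) rejects absolute or escaping links; the relative links inside
    the tree, which are all certbot uses, are kept."""
    dest_parent = Path(dest_parent)
    dest_parent.mkdir(parents=True, exist_ok=True)
    with tarfile.open(tar_path, "r:gz") as tar:
        top = {name.split("/", 1)[0] for name in tar.getnames()}
        try:
            tar.extractall(dest_parent, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(dest_parent)
    (top_name,) = top
    return dest_parent / top_name


def check_live_links(config_dir):
    """Post-restore check: every live/<name>/*.pem must be a symlink whose
    target exists. Returns the offending paths; an empty list means intact."""
    broken = []
    for link in sorted(Path(config_dir).glob("live/*/*.pem")):
        if not link.is_symlink() or not link.exists():
            broken.append(str(link))
    return broken


def demo_roundtrip():
    """Run backup -> restore on the constructed tree and report the checks
    worth making before trusting the restored directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = make_sample_tree(Path(tmp) / "src")
        tar = backup_letsencrypt(src, Path(tmp) / "letsencrypt-backup.tgz")
        restored = restore_letsencrypt(tar, Path(tmp) / "dst")
        key = restored / "live" / "example.com" / "privkey.pem"
        return {
            "tar_mode": oct(tar.stat().st_mode & 0o777),
            "broken_links": check_live_links(restored),
            "privkey_target": os.readlink(key),
            "privkey_intact": key.read_text()
            == (src / "live" / "example.com" / "privkey.pem").read_text(),
        }


if __name__ == "__main__":
    for k, v in demo_roundtrip().items():
        print(f"{k}: {v}")
```

Restore the tarball before the container's first start and the certbot run inside it will see an existing, non-expiring certificate and, with --keep, leave it alone instead of ordering a duplicate.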
Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificate per Registered Domain limit until March 2019, but they don’t anymore. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains .
A certificate is considered a renewal (or a duplicate) of an earlier certificate if it contains the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of hostnames by adding [blog.example.com], you would be able to request additional certificates.
Renewal handling ignores the public key and extensions requested. A certificate issuance can be considered a renewal even if you are using a new key.
You can find every certificate you've had issued using the link below. This will let you know if you've successfully generated a certificate. If you delete the private key for a certificate, you will be unable to use that certificate in the future.
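The Duplicate Certificate rule quoted above, modelled as an added example (not from the thread or from certbot) so you can predict whether a request will be refused: it normalises the hostname set the way the limit does (case and order ignored, key and extensions irrelevant), counts issuances for exactly that set in the trailing 7 days, and reports when the next request would be accepted. HISTORY is constructed sample data; the real history is held by the CA (a crt.sh search reconstructs it), which is why deleting certificates on the host cannot reset the limit.

```python
"""Model Let's Encrypt's Duplicate Certificate limit (5 per exact set of
hostnames per rolling 7 days) to predict whether a request would be refused
with "too many certificates already issued for exact set of domains".

Added example, not from the original thread or from certbot. HISTORY is a
constructed sample of issuance records, not real data.
"""
from datetime import datetime, timedelta, timezone

DUPLICATE_LIMIT = 5  # per exact name set, per rolling week
WINDOW = timedelta(days=7)

# Reference "now" and sample history as (issued_at, hostnames). Constructed
# to mirror a container that was recreated several times in a few days.
NOW = datetime(2020, 9, 10, 12, 0, tzinfo=timezone.utc)
HISTORY = [
    (NOW - timedelta(days=20), ["example.com"]),  # outside the window
    (NOW - timedelta(days=4), ["example.com"]),
    (NOW - timedelta(days=3), ["Example.COM"]),  # same set, different case
    (NOW - timedelta(days=2), ["example.com"]),
    (NOW - timedelta(days=1), ["example.com"]),
    (NOW - timedelta(hours=6), ["example.com"]),
]


def name_set_key(hostnames):
    """Normalise a SAN list the way the limit does: capitalisation and
    ordering are ignored. Key type, public key and extensions play no part."""
    return tuple(sorted(h.strip().lower() for h in hostnames))


def issuances_in_window(history, hostnames, now=NOW):
    """Timestamps of certificates for exactly this set issued in the
    trailing window, oldest first."""
    key = name_set_key(hostnames)
    start = now - WINDOW
    return sorted(t for t, names in history
                  if name_set_key(names) == key and start < t <= now)


def can_request(history, hostnames, now=NOW):
    """True if one more certificate for exactly this set would be issued."""
    return len(issuances_in_window(history, hostnames, now)) < DUPLICATE_LIMIT


def next_allowed(history, hostnames, now=NOW):
    """Earliest time a request for this exact set is accepted again: the
    moment enough of the oldest in-window issuances have aged out."""
    in_window = issuances_in_window(history, hostnames, now)
    if len(in_window) < DUPLICATE_LIMIT:
        return now
    # With k issuances in the window, the count drops below the limit once
    # the (k - LIMIT + 1)-th oldest leaves it.
    return in_window[len(in_window) - DUPLICATE_LIMIT] + WINDOW


if __name__ == "__main__":
    for names in (["example.com"], ["EXAMPLE.COM"], ["example.com", "*.example.com"]):
        ok = can_request(HISTORY, names)
        when = "" if ok else f" (retry after {next_allowed(HISTORY, names):%Y-%m-%d %H:%M} UTC)"
        print(f"{names}: {'allowed' if ok else 'refused'}{when}")
```

With the sample history, [example.com] and [EXAMPLE.COM] are the same exhausted set, while [example.com, *.example.com] is a different set and is accepted immediately, which is the point made above about changing the hostname set.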
Thanks for your detailed response. The problem I have right now is that I launched the swag container and it complains about the limitation. So I currently have no working certificate inside the container. What can I do? Can I delete the old certificates mentioned in your list above and then re-create a certificate via the container?
Keep in mind that is a list of certificates that have been generated at some point in time. You may not still possess all (or any) of those certificates. As long as you no longer need a certificate, it is safe to delete it from your device(s). In particular, once you delete the private key corresponding to a certificate, you will no longer be able to use that certificate. There should be no problem creating a new certificate. Just be careful of the rate limits.
If you try creating the A&W certificate I previously described (making certain to use --keep), I can guarantee you won't get that error right now. Make sure the certificate includes both example.com and *.example.com.
To safely delete a certificate with certbot:
Use certbot certificates to determine the name of the certificate to be deleted
What do I need to change in the Swag container to request an A&W cert? This is my YML file below:
swag:
  image: linuxserver/swag #swag is the replacement for letsencrypt (see link below)
  container_name: swag
  cap_add:
    - NET_ADMIN
  environment:
    - PUID=1004 #change PUID if needed
    - PGID=1004 #change PGID if needed
    - TZ=Europe/London # change Time Zone if needed
    - URL=example.com
Thanks Griffin, but DNS validation is complicated in Docker. I would need to switch my DNS provider. Is it not possible to delete old certificates and then re-create new ones with HTTP validation?
You cannot generate a wildcard certificate with HTTP validation. Deleting certificates won't change the history of the certificates you've already generated, which is what Let's Encrypt uses to impose rate limits. That is why you don't want to just keep generating and deleting certificates.
Absolutely, if you still have its private key. That's really the key, no pun intended. You can always download any of your previously generated certificates from crt.sh.
Essentially it comes down to what a few people have said.
Secrets should be managed outside of a Docker container and passed in via volume mounts or via environment variables.
My suggestion would be to have the docker host systems manage let's encrypt and mount the let's encrypt as a volume inside your container. That way you could have multiple containers using one current SSL certificate instead of trying to maintain multiple instance of let's encrypt and certificates.
This should help with the "too many requests for a given domain" issue.