My cert will expire soon but I have reached the renewal limit

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: megaease.com

I ran this command: /snap/bin/certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/megaease.com.conf

Renewing an existing certificate for megaease.com and www.megaease.com
Failed to renew certificate megaease.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: megaease.com,www.megaease.com: see Rate Limits - Let's Encrypt

My web server is (include version): nginx 1.18

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

I don't understand: how can your certificate expire when you've renewed it five times in the past 7 days? That's a contradictio in terminis.

2 Likes

@x1024 Starting in late Oct you are renewing your certificate almost every day. See:
https://crt.sh/?Identity=megaease.com&deduplicate=Y

That is too frequent. Would you post the contents of the file in the /etc/letsencrypt/renewal/ folder for this domain?

That said, your domain megaease.com is using a certificate from Cloudflare which expires in 229 days. What are you using the Let's Encrypt certificate for?
SSL Checker

2 Likes

Did you create a cron type job to renew your cert(s)?
If so, please show it.

1 Like

Thanks, guys.

I have no idea why the renewal is so frequent almost every day. I need to do some investigation.

The cronjob is as below; the renewal happened every month.

0 0 1 * * /snap/bin/certbot renew --force-renewal
5 0 1 * * /usr/sbin/service nginx restart

Yes, I renewed that manually but it didn't work, because certbot always reports that I need to wait for 168 hrs. So I just wanted to try whether the limitation would be removed.

But that manual renewal is not necessary, as you have PLENTY of certificates already issued from before that attempt. So there is no need for the limits to be removed. Just use the most recently issued certificate.

Heck, there are two certificates issued today!

Well, there's your problem. Why is there a --force-renewal option there?

2 Likes

@Osiris Agreed, you should not use force-renewal, but the cron of 0 0 1 * * should only run on day 1 of each month at 00:00. So there must be another place where these are being renewed.

2 Likes

Maybe there's also a systemd timer?

2 Likes

Maybe (but with a force?). @x1024 please show:

sudo systemctl list-timers

Update: Also, you should review the logs in /var/log/letsencrypt. There is one log file each time certbot runs, so you should see many log files. Try to match the times of these logs to other events in your system like server reboots, other cronjobs, and similar. This may give clues as to what is renewing your certs so often.

2 Likes
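One way to do the log matching suggested above, as an added example that is not code from the thread or from certbot: tally renewal attempts per day across the log files under /var/log/letsencrypt so that any day with more than one renewal stands out. It assumes certbot keeps one log per run named letsencrypt.log, letsencrypt.log.1, and so on in that directory, and that each renewal writes a line containing "Renewing an existing certificate" (as in the output quoted in the first post) prefixed with a "YYYY-MM-DD HH:MM:SS" timestamp. The sample logs it builds are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from certbot): count certbot renewal
# attempts per day so that over-frequent renewals are visible at a glance.
# Assumptions: certbot logs live in LOGDIR as letsencrypt.log, letsencrypt.log.1,
# ... and each renewal logs "Renewing an existing certificate" after a
# "YYYY-MM-DD HH:MM:SS" timestamp.
set -eu

LOGDIR="${LOGDIR:-/var/log/letsencrypt}"

# Print "<count> <date>" for every day on which a renewal was attempted.
renewals_per_day() {
    dir="$1"
    # -h drops file names; the date is the first whitespace-separated field.
    grep -h "Renewing an existing certificate" "$dir"/letsencrypt.log* 2>/dev/null \
        | awk '{ print $1 }' | sort | uniq -c | awk '{ print $1, $2 }'
}

# Print only the dates with more than LIMIT renewals (default: more than one).
days_over_limit() {
    dir="$1"
    limit="${2:-1}"
    renewals_per_day "$dir" | awk -v lim="$limit" '$1 > lim { print $2 }'
}

# Constructed sample logs (not real certbot output) so the script runs offline:
# two renewals on 2021-11-20 and one on 2021-11-19. Prints the directory path.
make_sample_logs() {
    dir="$(mktemp -d)"
    printf '%s\n' \
      '2021-11-20 00:00:02,101:INFO:certbot._internal.renewal:Renewing an existing certificate for megaease.com and www.megaease.com' \
      > "$dir/letsencrypt.log"
    printf '%s\n' \
      '2021-11-20 11:42:17,540:INFO:certbot._internal.renewal:Renewing an existing certificate for megaease.com and www.megaease.com' \
      > "$dir/letsencrypt.log.1"
    printf '%s\n' \
      '2021-11-19 00:00:03,009:INFO:certbot._internal.renewal:Renewing an existing certificate for megaease.com and www.megaease.com' \
      > "$dir/letsencrypt.log.2"
    echo "$dir"
}

if [ "${1:-}" = "--real" ]; then
    # Run against the real log directory (reading it usually needs root).
    renewals_per_day "$LOGDIR"
    echo "Days with more than one renewal:"
    days_over_limit "$LOGDIR"
else
    sample="$(make_sample_logs)"
    renewals_per_day "$sample"
    echo "Days with more than one renewal:"
    days_over_limit "$sample"
    rm -rf "$sample"
fi
```

Run it without arguments to see it work on the constructed sample, or with `--real` (as root) against /var/log/letsencrypt. The timestamps of the flagged days are what you then compare against reboots, other cron entries and timer runs.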

At least four problems there: the first, as already mentioned, is that --force-renewal should pretty much never be part of a scheduled task; the second is that you're only running the renewal task monthly. The third problem is that you're running a separate job to restart nginx (it should be done as a --deploy-hook to certbot); the fourth is that you're restarting nginx rather than reloading it (though the brief interruption in service may not matter in your use case). Run the renewal (at least) daily, without the --force-renewal. But that still doesn't explain daily (or more) cert issuance.

3 Likes
