Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: megaease.com
I ran this command: /snap/bin/certbot renew
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for megaease.com and www.megaease.com
Failed to renew certificate megaease.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: megaease.com,www.megaease.com: see Rate Limits - Let's Encrypt
My web server is (include version): nginx 1.18
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0
That is too frequent. Would you post the contents of the file in the /etc/letsencrypt/renewal/ folder for this domain?
That said, your domain megaease.com is using a certificate from Cloudflare which expires in 229 days. What are you using the Lets Encrypt certificate for? SSL Checker
Yes, I renewed that manually but didn't work, because the certbot always report I need to wait for 168 hrs. So, I just want to try if the limitation would be removed.
But that manual renewal is not necessary, as you have PLENTY of certificates already issued from before that attempt. So there is no need for the limits to be removed. Just use the most recently issued certificate.
Heck, there are two certificates issued today!
Well, there's your problem. Why is there a --force-renewal option there?
@Osiris Agree should not use force-renewal but the cron of 0 0 1 * * should only run on day 1 of each month at 00:00. So, there must be another place where these are being renewed.
Update: Also, you should review the logs in /var/log/letsencrypt There is one log file each time certbot runs. You should see many log files. Try to match the times of these logs to other events in your system like server reboots, other cronjobs, and similar. This may give clues as to what is renewing your certs so often.
At least four problems there--the first, as already mentioned, is that --force-renewal should pretty much never be part of a scheduled task; the second is that you're only running the renewal task monthly. The third problem is that you're running a separate job to restart nginx (it should be done as a --deploy-hook to certbot); the fourth is that you're restarting nginx rather than reloading it (though the brief interruption in service may not matter in your use case). Run the renewal (at least) daily, without the --force-renewal. But that still doesn't explain daily (or more) cert issuance.