Newbie question/seeking advice


#1

Hello folks, Although I have some technical proficiency my experience and understanding of SSL/TLS certificates leaves a lot to be desired and specifically how best to use the Let’s Encrypt service. I am a big fan of what you are trying to do and really want you to succeed. Now to my problem.

I have a domain (edelivered.net) that I was successfully able to get a certificate for using the letsencrypt-auto client. A few weeks after obtaining that certificate we added two more subdomains, i.e. demo1.edelivered.net and demo2.edelivered.net, and when I tried to add those domains I guess I messed things up because now I’m getting the “There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued” warning/error. Now I certainly understand the need to limit requests, but I would like to understand better what happened. I tried to add the new subdomains to the certificate like so:

    /letsencrypt-auto --apache -d edelivered.net, demo1.edelivered.net, demo2.edelivered.net

but I got the following error: Requested domain is not a FQDN

so after that I tried to add them separately but ran into other errors due to problems on my end, and after messing everything up royally (on my end) I decided to start clean and deleted all the certificates and directories I currently had. When I tried again I started getting the “There were too many requests” error.

It is my understanding that I have to wait seven days before being able to try again and that’s fine. What I’m trying to understand is why I got the “Requested domain is not a FQDN” error and what is the recommended way to add subsequent subdomains to an existing domain certificate? I understand there is a limit to the number of subdomains on one certificate and believe that number is 100, is that correct?

Any help would be greatly appreciated.

Best Regards,

Daryl Williams


#2

Hi,

If you used the exact command that you mentioned above, the problem is the use of commas together with spaces in the list of domains. You have to use one or the other to delimit the domain names (or, alternatively, a separate -d for each individual domain). The error you’re seeing is due to the client interpreting the comma as part of the domain name, where it would not be permitted (because it sees the list of domain names as delimited by the spaces).


#3

Schoen, Thanks so much for your quick and informative response. Much appreciated! Is there some way to query letsencrypt or wherever to find out what certificates I have? I think I may have requested certificates for non-existent domains due to my apache mis-configuration and I’m not sure what I’ve got.

Thanks again,

Daryl


#4

Hello @daryl,

Yes, every cert issued by Let’s Encrypt is sent to a Certificate Transparency log, so you can check your issued domains by searching those logs at https://crt.sh

Anyway, these are your non expired certificates:

Cheers,
sahsanu


#5

Hi sahsanu, Thank you very much for your response, it’s good to know about https://crt.sh.

Regards,

Daryl


#6

What are you using to generate that list?


#7

Hello @jmorahan,

It’s just a simple script I made to check domains against crt.sh. If you are interested let me know, but I’ll need a few days to clean up the script (too much garbage inside :wink:).

Cheers,
sahsanu


#8

Hi @sahsanu, I also would be interested in your script if and when you are ready to share it.

Thanks.


#9

@daryl, sure, I’ll notify you in this thread when it’s available :wink:


#10

Hello @daryl @jmorahan,

Sorry for the delay but I’ve been a bit busy :sweat:.

The script name is lectl and I’ve uploaded it to github https://github.com/sahsanu/lectl

Here are some usage instructions and a few screenshots explaining the options.

Usage:

lectl [-h|--help] [-v|--version] [-l|--extraline] [-s|--sans] [-e|--expired] [-u|--utc] domain

Options:

-h | --help      [Default: false] shows the help file.

-v | --version   shows the script version.

-l | --extraline [Default: false] adds extra line separator between found
                 certificates (when there are several certs with several
                 sans adding this extra line it's easier to read the output).

-s | --sans      [Default: false] shows all domains included in the
                 certificate as SANs. If you don't use this option you will
                 only see the Common Name.

-e | --expired   [Default: false] shows all certs issued for the specified
                 domain, including the certs that are already expired.

-u | --utc       [Default: false] shows the dates in UTC (GMT) instead of
                 your machine time zone.

Examples:

    lectl letsencrypt.org
    lectl -s -e -u -l letsencrypt.org
    lectl -seul letsencrypt.org
    lectl -luse letsencrypt.org
    lectl -su --extraline letsencrypt.org
    lectl -u letsencrypt.org -es
    ...and so on

Example using lectl without options:

Example using lectl with option -e. By default the script only shows non-expired certs, so with this option it will show expired certs too.

Example using lectl with option -s. Using this option will show all the domains (SANs) included in the cert.

Example using lectl with options -seu. This is a combination of -s and -e, and in this case using -u will display the dates in UTC instead of the machine-defined time zone.

Example using lectl with options -seul. In this case, we add option -l, which adds an extra line between certificates.

And last example, lectl showing a certificate where the domain has hit the rate limit.

It’s not a great script because my programming skills suck, but it does what I want, so I hope it could be useful to you too :blush:.

Cheers,
sahsanu
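As an added example that is not part of lectl or this thread, here is a Python sketch of what a crt.sh-driven checker like the one described in #4 and #10 does, run offline over a constructed sample of crt.sh's JSON output (ids and dates are made up; the -s and -e behaviour is mirrored, and the 7-day issuance window is the one this thread mentions):

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.edelivered.net&output=json). Ids and dates are
# made up; field names are crt.sh's, and "name_value" lists SANs one per line.
SAMPLE_CRTSH_JSON = r"""[
 {"id": 1001, "common_name": "edelivered.net", "name_value": "edelivered.net",
  "not_before": "2015-11-01T10:00:00", "not_after": "2016-01-30T10:00:00"},
 {"id": 1002, "common_name": "edelivered.net", "name_value": "edelivered.net",
  "not_before": "2016-01-15T10:00:00", "not_after": "2016-04-14T10:00:00"},
 {"id": 1003, "common_name": "edelivered.net",
  "name_value": "edelivered.net\ndemo1.edelivered.net\ndemo2.edelivered.net",
  "not_before": "2016-03-16T08:00:00", "not_after": "2016-06-14T08:00:00"},
 {"id": 1004, "common_name": "demo1.edelivered.net", "name_value": "demo1.edelivered.net",
  "not_before": "2016-03-18T09:30:00", "not_after": "2016-06-16T09:30:00"}
]"""
SAMPLE_NOW = datetime(2016, 3, 20, 12)  # fixed clock so the sample is reproducible

def parse_crtsh(json_text):
    """Turn crt.sh rows into dicts with datetime fields and a de-duplicated SAN list."""
    certs = []
    for row in json.loads(json_text):
        certs.append({
            "id": row["id"],
            "cn": row["common_name"],
            "sans": sorted(set(row["name_value"].split("\n"))),
            "not_before": datetime.fromisoformat(row["not_before"]),
            "not_after": datetime.fromisoformat(row["not_after"]),
        })
    return certs

def issued_in_window(certs, now, days=7):
    """Certs issued in the last `days` days, the window the 'Too many
    certificates already issued' limit is counted over (7 days per this thread)."""
    start = now - timedelta(days=days)
    return [c for c in certs if start <= c["not_before"] <= now]

def report(certs, now, show_sans=False, show_expired=False):
    """One line per cert, oldest first. show_sans mirrors lectl -s (all SANs
    instead of the CN); show_expired mirrors -e (keep expired certs)."""
    lines = []
    for c in sorted(certs, key=lambda c: c["not_before"]):
        if not show_expired and c["not_after"] <= now:
            continue
        names = ", ".join(c["sans"]) if show_sans else c["cn"]
        lines.append(f"{c['id']}  {c['not_before']:%Y-%m-%d} -> {c['not_after']:%Y-%m-%d}  {names}")
    return lines
```

Against real data you would fetch the JSON from crt.sh with any HTTP client, pass it to parse_crtsh, and use datetime.now() in place of SAMPLE_NOW; report(..., show_sans=True) then lists every name on each unexpired cert.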


#11

Awesome, thanks for sharing this!


#12

@sahsanu Thanks a lot for sharing your script. I’ve already started to use it!


#13

Hello again @daryl @jmorahan,

Just to inform you that I’ve updated the script lectl to version 0.3. It now supports Let's Encrypt Authority X1 and the new CA Let's Encrypt Authority X3.

Cheers,
sahsanu


#14

Hi @sahsanu, Thanks for the update!