Hello folks, although I have some technical proficiency, my experience and understanding of SSL/TLS certificates leaves a lot to be desired, specifically how best to use the Let’s Encrypt service. I am a big fan of what you are trying to do and really want you to succeed. Now to my problem.
I have a domain (edlivered.net) that I was successfully able to get a certificate for using the letsencrypt-auto client. A few weeks after obtaining that certificate we added two more subdomains, i.e. demo1.edelivered.net and demo2.edelivered.net, and when I tried to add those domains I guess I messed things up, because now I’m getting the “There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued” warning/error. Now I certainly understand the need to limit requests, but I would like to understand better what happened. I tried to add the new subdomains to the certificate like so:
but I got the following error: Requested domain is not a FQDN
so after that I tried to add them separately but ran into other errors due to problems on my end, and after messing everything up royally (on my end) I decided to start clean and deleted all the certificate directories I currently had. When I tried again I started getting the “There were too many requests” error.
It is my understanding that I have to wait seven days before being able to try again, and that’s fine. What I’m trying to understand is why I got the “Requested domain is not a FQDN” error, and what is the recommended way to add subsequent subdomains to an existing domain certificate? I understand there is a limit to the number of subdomains on one certificate and believe that number is 100; is that correct?
If you used the exact command that you mentioned above, the problem is the use of commas together with spaces in the list of domains. You have to use one or the other to delimit the domain names (or, alternatively, a separate -d for each individual domain). The error you’re seeing is due to the client interpreting the comma as part of the domain name, where it would not be permitted (because it sees the list of domain names as delimited by the spaces).
Schoen, thanks so much for your quick and informative response. Much appreciated! Is there some way to query letsencrypt or wherever to find out what certificates I have? I think I may have requested certificates for non-existent domains due to my Apache misconfiguration and I’m not sure what I’ve got.
Yes, every cert issued by Let's Encrypt is sent to a Certificate Transparency log, so you can check your issued domains by searching those logs at https://crt.sh
It’s just a simple script I made to check domains against crt.sh. If you are interested let me know, but I’ll need a few days to clean up the script (too much garbage inside).
Here are some usage instructions and a few screenshots explaining the options.
Usage:
    lectl [-h|--help] [-v|--version] [-l|--extraline] [-s|--sans] [-e|--expired] [-u|--utc] domain

Options:
    -h | --help       [Default: false] shows the help file.
    -v | --version    shows the script version.
    -l | --extraline  [Default: false] adds an extra line separator between found
                      certificates (when there are several certs with several
                      SANs, adding this extra line makes the output easier to read).
    -s | --sans       [Default: false] shows all domains included in the
                      certificate as SANs. If you don't use this option you will
                      only see the Common Name.
    -e | --expired    [Default: false] shows all certs issued for the specified
                      domain, including the certs that are already expired.
    -u | --utc        [Default: false] shows the dates in UTC (GMT) instead of
                      your machine's time zone.

Examples:
    lectl letsencrypt.org
    lectl -s -e -u -l letsencrypt.org
    lectl -seul letsencrypt.org
    lectl -luse letsencrypt.org
    lectl -su --extraline letsencrypt.org
    lectl -u letsencrypt.org -es
    ...and so on
Example using lectl with options -seu. In this case it is a combination of -s and -e, and using -u displays the dates in UTC instead of the machine-defined time zone.
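As an added example (not the lectl script itself, nor any Let's Encrypt client code), the following Python covers both questions in this thread offline: a local FQDN check that catches the stray comma behind the "Requested domain is not a FQDN" error before an issuance attempt is wasted, and a summary of Certificate Transparency rows in the shape crt.sh's JSON endpoint returns (one row per certificate with `serial_number`, `common_name`, `name_value`, `not_before`, `not_after`), mirroring lectl's -e, -s and -u options. The field names are those of the crt.sh JSON output; treating its timestamps as UTC is an assumption, and the sample rows are constructed rather than real log entries.

```python
"""Offline helpers for the two questions in this thread (added example).

Assumptions: crt.sh JSON rows (https://crt.sh/?q=%25.example.com&output=json)
carry serial_number, common_name, name_value (SANs separated by newlines),
not_before and not_after as naive ISO-8601 strings in UTC. The rows below
are constructed for illustration, not real CT log entries.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample mimicking crt.sh JSON output. Serial "02" appears twice
# because CT logs hold both the precertificate and the final certificate.
SAMPLE_CRTSH_JSON = json.dumps([
    {"serial_number": "01", "common_name": "example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2016-01-10T10:00:00", "not_after": "2016-04-09T10:00:00"},
    {"serial_number": "02", "common_name": "demo1.example.com",
     "name_value": "demo1.example.com",
     "not_before": "2016-02-20T12:00:00", "not_after": "2016-05-20T12:00:00"},
    {"serial_number": "02", "common_name": "demo1.example.com",
     "name_value": "demo1.example.com",
     "not_before": "2016-02-20T12:00:00", "not_after": "2016-05-20T12:00:00"},
    {"serial_number": "03", "common_name": "demo2.example.com",
     "name_value": "demo2.example.com",
     "not_before": "2016-02-22T09:30:00", "not_after": "2016-05-22T09:30:00"},
])

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """True if `name` looks like a hostname usable as a -d value: at least two
    labels, each matching _LABEL, at most 253 characters overall.
    "demo1.example.com," fails because the last label ends in a comma."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")  # tolerate a single trailing dot
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def utc_time(ts):
    """Parse a crt.sh timestamp; they are naive, so attach UTC (assumption)."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def parse_records(raw_json):
    """One entry per certificate, sorted by issuance time. Rows sharing a
    serial number (precert + leaf) are collapsed so nothing is counted twice."""
    certs = {}
    for row in json.loads(raw_json):
        serial = row["serial_number"]
        if serial in certs:
            continue
        certs[serial] = {
            "serial": serial,
            "common_name": row["common_name"],
            "sans": sorted(set(row["name_value"].split("\n"))),
            "not_before": utc_time(row["not_before"]),
            "not_after": utc_time(row["not_after"]),
        }
    return sorted(certs.values(), key=lambda c: c["not_before"])


def format_time(dt, utc=True):
    """lectl's -u: print in UTC when utc=True, else in the machine's zone."""
    shown = dt if utc else dt.astimezone()
    return shown.strftime("%Y-%m-%d %H:%M:%S %Z")


def list_certs(certs, now, include_expired=False, show_sans=False, utc=True):
    """Display rows mirroring lectl's -e (keep expired) and -s (show SANs)."""
    rows = []
    for c in certs:
        expired = c["not_after"] <= now
        if expired and not include_expired:
            continue
        rows.append({
            "common_name": c["common_name"],
            "sans": c["sans"] if show_sans else None,
            "valid_from": format_time(c["not_before"], utc),
            "valid_to": format_time(c["not_after"], utc),
            "expired": expired,
        })
    return rows


def issued_within(certs, now, days=7):
    """Certificates issued in the trailing window. When the client reports
    "Too many certificates already issued", this is the number to compare
    against the CA's published per-domain limit before retrying."""
    start = now - timedelta(days=days)
    return sum(1 for c in certs if start < c["not_before"] <= now)


if __name__ == "__main__":
    certs = parse_records(SAMPLE_CRTSH_JSON)
    now = datetime.now(timezone.utc)
    for row in list_certs(certs, now, include_expired=True, show_sans=True):
        print(row["common_name"], row["valid_from"], "->", row["valid_to"],
              "(expired)" if row["expired"] else "", row["sans"])
    print("issued in last 7 days:", issued_within(certs, now))
    for name in ("demo1.example.com", "demo1.example.com,"):
        print(name, "is FQDN:", is_fqdn(name))
```

Running the script against the constructed rows lists three distinct certificates rather than four, because the precertificate and leaf share a serial; in practice, run `is_fqdn` over every name you intend to pass with `-d` before invoking the client, and check `issued_within` against the CA's limit before retrying after a rate-limit error.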
Just to inform you that I’ve updated the script lectl to version 0.3. It now supports Let's Encrypt Authority X1 and the new CA Let's Encrypt Authority X3.