Not able to renew SSL certificates of sub domains


#1

I’ve a domain name www.test.com which uses a Let’s Encrypt SSL certificate. I also have 2 other sites with subdomains of test.com: one.test.com and two.test.com. They also use SSL certificates, which were created separately.

Now I’m not able to update the SSL certificates of the three domain names. I’m getting the following errors:

```
/home/user/.letsencrypt_webfaction/gems/gems/acme-client-0.4.1/lib/acme/client/faraday_middleware.rb:43:in `raise_on_error!': Error creating new cert :: Too many certificates already issued for exact set of domains: one.test.com (Acme::Client::Error)
from /home/user/.letsencrypt_webfaction/gems/gems/acme-client-0.4.1/lib/acme/client/faraday_middleware.rb:33:in `on_complete'
from /home/user/.letsencrypt_webfaction/gems/gems/acme-client-0.4.1/lib/acme/client/faraday_middleware.rb:18:in `block in call'
from /home/user/.letsencrypt_webfaction/gems/gems/faraday-0.9.2/lib/faraday/response.rb:57:in `on_complete'
from /home/user/.letsencrypt_webfaction/gems/gems/acme-client-0.4.1/lib/acme/client/faraday_middleware.rb:18:in `call'
from /home/user/.letsencrypt_webfaction/gems/gems/faraday-0.9.2/lib/faraday/rack_builder.rb:139:in `build_response'
from /home/user/.letsencrypt_webfaction/gems/gems/faraday-0.9.2/lib/faraday/connection.rb:377:in `run_request'
from /home/user/.letsencrypt_webfaction/gems/gems/faraday-0.9.2/lib/faraday/connection.rb:177:in `post'
from /home/user/.letsencrypt_webfaction/gems/gems/acme-client-0.4.1/lib/acme/client.rb:68:in `new_certificate'
from /home/user/.letsencrypt_webfaction/gems/gems/letsencrypt_webfaction-2.0.0/lib/letsencrypt_webfaction/application.rb:42:in `certificate'
from /home/user/.letsencrypt_webfaction/gems/gems/letsencrypt_webfaction-2.0.0/lib/letsencrypt_webfaction/application.rb:34:in `certificate_installer'
from /home/user/.letsencrypt_webfaction/gems/gems/letsencrypt_webfaction-2.0.0/lib/letsencrypt_webfaction/application.rb:26:in `run!'
from /home/user/.letsencrypt_webfaction/gems/gems/letsencrypt_webfaction-2.0.0/exe/letsencrypt_webfaction:5:in `<top (required)>'
from /home/user/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction:23:in `load'
from /home/user/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction:23:in `
```

Is there any limit for certificate issuing, and if there is one, how can we increase it?


#2

Hi @nijo,

Yes, please see

https://letsencrypt.org/docs/rate-limits/

If these are your own domains for your own application, there is no option to increase the limits and you should make sure that you’re not reissuing certificates automatically more often than once a week or so.


#3

Hi @nijo,

If you are doing testing, also think about using the staging environment if your client allows you to.

This can be useful if you are experimenting or trying to work things out.

Andrei


#4

Hi @ahaw021 @schoen,

Actually all the sub-domains are separate sites hosted on different servers, so I cannot use a single certificate like a wildcard one. Is there any way for me to update these certificates? I only have a week to renew them!!!


#5

You should try to understand why you’re running into the limit. Most likely you’ll find you have some process merrily asking for new certificates once per day and then throwing them away, thus exceeding the limit. If you ask a Certificate Transparency monitor like https://crt.sh/ you can find all certificates issued for your names.

Once you fix the issue, after a few days you should be able to get your renewals working.
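
The check suggested in post #5, as an added example that is not part of the thread or of any client's code: it groups certificate records by exact name set, counts recent issuances, and estimates when the next one will be accepted. The records, their field names, and the 7-day sliding window are assumptions; the rate-limits page linked in post #2 is authoritative for the real numbers.

```ruby
require "time"

# Assumptions (not from the thread's tooling): a limit of 5 certificates per
# exact set of names inside a sliding 7-day window.
DUPLICATE_LIMIT = 5
WINDOW_SECONDS  = 7 * 24 * 3600

# Constructed sample records with hypothetical field names. A CT monitor often
# lists a precertificate and the final certificate for one issuance; both
# carry the same serial number, so each issuance appears twice here.
DAILY = (1..5).flat_map do |day|
  entry = { serial: format("%02d", day), names: ["one.test.com"],
            issued_at: format("2017-03-%02dT02:00:00Z", day) }
  [entry, entry.dup]
end
SAMPLE = DAILY + [{ serial: "a1", names: ["two.test.com"],
                    issued_at: "2017-02-01T09:00:00Z" }]

# Group issuances by exact name set and report how close each set is to the
# duplicate-certificate limit at time `now`.
def duplicate_report(records, now)
  issuances = records.uniq { |r| r[:serial] } # count each issuance once (one issuer assumed)
  issuances.group_by { |r| r[:names].map(&:downcase).sort }.map do |names, certs|
    times   = certs.map { |c| Time.parse(c[:issued_at]) }.sort
    recent  = times.select { |t| t > now - WINDOW_SECONDS }
    blocked = recent.size >= DUPLICATE_LIMIT
    # A slot frees up when the 5th-newest certificate leaves the window.
    next_ok = blocked ? recent[-DUPLICATE_LIMIT] + WINDOW_SECONDS : now
    gaps = times.each_cons(2).map { |a, b| b - a }.sort
    # Median gap in hours: about 24 points at a daily job requesting new certs.
    interval = gaps.empty? ? nil : (gaps[gaps.size / 2] / 3600).round
    { names: names, recent: recent.size, blocked: blocked,
      next_ok: next_ok, interval_hours: interval }
  end
end

if __FILE__ == $PROGRAM_NAME
  duplicate_report(SAMPLE, Time.parse("2017-03-06T12:00:00Z")).each do |r|
    puts format("%-14s recent=%d blocked=%s next_ok=%s median_gap_h=%s",
                r[:names].join(","), r[:recent], r[:blocked],
                r[:next_ok].utc.iso8601, r[:interval_hours].inspect)
  end
end
```

A median gap of about 24 hours for a name set is the signature of a scheduled job that requests a fresh certificate on every run instead of only when the current one is close to expiry.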


#6

In the future after following @tialaramex’s suggestion you can also consider if you want to get a single certificate that covers all of the names. It is definitely more technically complex to set up, but a lot of people have gotten it working! The easiest approach to this with Let’s Encrypt’s technology is to make each individual server return an HTTP 301 redirect from everything in http://that-server.example.com/.well-known/acme-challenge/ to the corresponding thing in http://verification-server.example.com/.well-known/acme-challenge/. Then an ACME client running on verification-server.example.com can request a single certificate covering all of the names, and can succeed in passing an HTTP-01 challenge for each of them by writing the challenge files into its own .well-known/acme-challenge directory. Then the certificate and private key can be copied to all of the individual servers.

This may or may not be the best future solution for your situation, but I thought I would mention it in case it’s relevant to you.
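
The redirect described in post #6, sketched as a Rack-style middleware for one of the individual servers (an added example, not code from the thread or from any ACME client). The class name, constants and the choice of Rack are assumptions; the host name is the placeholder used in the post. Only well-formed challenge tokens are redirected, so the rule cannot be used to bounce arbitrary paths to another host.

```ruby
# Hypothetical names; the host is the placeholder from the post above.
VERIFICATION_HOST = "verification-server.example.com"
CHALLENGE_PREFIX  = "/.well-known/acme-challenge/"
# ACME challenge tokens use only base64url characters.
TOKEN_PATTERN     = /\A[A-Za-z0-9_-]+\z/

# Rack-compatible middleware: plain Ruby, no gem is needed to define it.
class AcmeChallengeRedirect
  def initialize(app, verification_host: VERIFICATION_HOST)
    @app  = app
    @host = verification_host
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    # Everything outside the challenge directory is served by the site as usual.
    return @app.call(env) unless path.start_with?(CHALLENGE_PREFIX)

    token = path.delete_prefix(CHALLENGE_PREFIX)
    # Reject empty tokens, nested paths and traversal attempts instead of
    # forwarding them to the verification server.
    unless TOKEN_PATTERN.match?(token)
      return [404, { "content-type" => "text/plain" }, ["not found\n"]]
    end

    location = "http://#{@host}#{CHALLENGE_PREFIX}#{token}"
    [301, { "location" => location, "content-type" => "text/plain" }, ["moved\n"]]
  end
end
```

With this design the private key is copied to every individual server, so restrict its file permissions and the transfer channel the same way on each of them.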


#7

So there is no fix for this error. I’ll have to change the SSL certificates of these domains.

If there is a fix for this without changing the SSL certificates, please share.


#8

This thread was started 5 days ago – when was the first of the five identical certificates issued? If it was more than 5 days ago, you can issue another one already.

Where did all of the certificates you just issued go? Can you use one of them?

You can bypass the “5 duplicate certificates” limit by issuing a new certificate with an extra name. (You cannot bypass the 20 certificates per domain limit like that.)


#9

Actually I’m using only three right now. The other two are already deleted. But when I tried yesterday I was still getting the same error:

This command actually regenerates new SSL certificates; it does not renew the current one.


#10

Generating a new certificate is the only way to “renew” a cert. There’s no mechanism to take an existing certificate, change its expiration date, and then save it; what “renewal” does is to generate a new cert, just like the old one, but with updated dates.

