Old certificate revoked / Limit for creating a new one


#1

Hi,

We had a problem in an automated script which produced some errors. It tried to get a new certificate for one of our servers a few times and now we ran into the 7-days rate-limit. (Should use the testing server but used the acme-v01.)

Our old certificate was revoked before the update, because of that nobody is able to use our internal WebDAV server anymore.

So far I know that I would have to wait for 7 days but would there be another solution to get this fixed?

Thank you very much in advance!

My domain is: *

I ran this command:
letsencrypt.exe
Let’s Encrypt Simple Windows Client 198.4.6605.15190

It produced this output:
"type": "urn:acme:error:rateLimited",
"detail": "Error creating new cert :: too many certificates already issued for exact set of domains: *: see https://letsencrypt.org/docs/rate-limits/",

My web server is (include version): David Mailserver

The operating system my web server runs on is (include version): Windows Server 2008R2

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Yesterday, you created five identical certificates for this domain - is there any reason you can’t just use one of those?


#3

I already tried this but it was an automated script and it simply deleted the files…
The only one available is the backed-up version of the one created 2018-01-02 but this is the revoked one.


#4

You can somewhat sidestep this restriction by creating a non-identical certificate (say by adding a second domain name.) You should be really careful, though, as there’s also a limit of 20 certificates for a registered domain - in this case ccnst.de - per week. You’ve already chewed through 25% of this limit, and there’s no way to get around that.


#5

OK, so am I right: It has to be a different domain, not only a different subdomain?
Is there a way to turn back the revocation of the old one?


#6

No, the duplicate certificate rate limit can be bypassed by adding a subdomain under the same domain.

No.


#7

OK thank you very much for the feedback.
Changing the subdomain won’t even work because the domain is running on about 50 smartphones and a name mismatch will cause the same error as the revoked certificate.


#8

No, don’t change it, just add a second. That is, instead of a certificate that’s only valid for infocenter.ccnst.de, make it valid for infocenter.ccnst.de and, say, temporary.ccnst.de. Or infocenter.ccnst.de and www.ccnst.de. Even just adding ccnst.de would work, in fact. Anything that makes it not-identical will get around this particular limit.


#9

OK, understood. Have successfully generated one but now having the problem of the Apple devices claiming a name mismatch.


#10

https://infocenter.ccnst.de/ currently has a certificate that’s valid only for https://vpn.ccnst.de/, not https://infocenter.ccnst.de/.
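
Added example (not written by any poster in this thread and not Let's Encrypt code): a pre-flight check an automation script could run before asking for a certificate, modelling the duplicate-set limit, the per-registered-domain limit and the name mismatch discussed above. The issuance history, its timestamps and the two-label `registered_domain` shortcut are assumptions made for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)   # the 7-day window from the thread
DUPLICATE_LIMIT = 5          # identical name sets per window (five were issued in the thread)
PER_DOMAIN_LIMIT = 20        # certificates per registered domain per window (figure from the thread)

def name_set(names):
    """The duplicate limit is keyed on the exact set of names: order and case are irrelevant."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)

def registered_domain(name):
    # Assumption: the last two labels. A production check needs the Public Suffix List.
    return ".".join(name.split(".")[-2:])

def preflight(history, requested, served_host, now):
    """history: [(issued_at, [names])]. Returns the problems found; an empty list means go."""
    want = name_set(requested)
    recent = [name_set(names) for issued_at, names in history if now - issued_at < WINDOW]
    problems = []
    if served_host.lower() not in want:
        problems.append("name-mismatch")        # clients would reject the certificate
    if sum(1 for s in recent if s == want) >= DUPLICATE_LIMIT:
        problems.append("duplicate-limit")      # same exact set issued too often
    for dom in sorted({registered_domain(n) for n in want}):
        used = sum(1 for s in recent if any(registered_domain(n) == dom for n in s))
        if used >= PER_DOMAIN_LIMIT:
            problems.append("domain-limit:" + dom)
    return problems

# Constructed sample data: hostnames are the ones named in the thread, timestamps are made up.
NOW = datetime(2018, 3, 29, 12, 0)
HISTORY = [(NOW - timedelta(hours=20 + i), ["infocenter.ccnst.de"]) for i in range(5)]

if __name__ == "__main__":
    for req in (["infocenter.ccnst.de"],
                ["infocenter.ccnst.de", "temporary.ccnst.de"],
                ["vpn.ccnst.de"]):
        print(req, "->", preflight(HISTORY, req, "infocenter.ccnst.de", NOW) or "ok")
```

Running the check against the ACME client's own issuance log before each request lets a failing script stop after the first error instead of using up the weekly allowance.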


#11

Thank you very much, now I generated a new one with both domains and it works! Thought the initial domain is not allowed to be included anyway. Thank you very much for saving my easter days. :wink:

PS: Sorry for being slow on the uptake…

