Old certificate revoked / Limit for creating a new one

CCNST · March 28, 2018, 2:41pm

Hi,

we had a problem in an automated script which produced some errors. It tried to get a new certificate for one of our servers a few times and now we ran into the 7-days rate-limit. (Should use the testing server but used the acme-v01.)

Our old certificate was revoked before the update, because of that nobody is able to use our internal WebDAV server anymore.

So far I know that I would have to wait for 7 days but would there be another solution to get this fixed?

Thank you very much in advance!

My domain is: *

I ran this command:
letsencrypt.exe
Let’s Encrypt Simple Windows Client 198.4.6605.15190

It produced this output:
“type”: “urn:acme:error:rateLimited”,
“detail”: “Error creating new cert :: too many certificates already issued forexact set of domains: *: see https://letsencrypt.org/docs/rate-limits/”,

My web server is (include version): David Mailserver

The operating system my web server runs on is (include version): Windows Server 2008R2

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

jared.m · March 28, 2018, 3:14pm

Yesterday, you created five identical certificates for this domain - is there any reason you can't just use one of those?

CCNST · March 28, 2018, 3:33pm

I already tried this but is was an automated script and it simply deleted the files…
The only available is the backed up version of the one created 2018-01-02 but this is the revoked one.

jared.m · March 28, 2018, 3:38pm

You can somewhat sidestep this restriction by creating a non-identical certificate (say by adding a second domain name.) You should be really careful, though, as there’s also a limit of 20 certificates for a registered domain - in this case ccnst.de - per week. You’ve already chewed through 25% of this limit, and there’s no way to get around that.

CCNST · March 28, 2018, 3:44pm

OK, so am I right: It has to be a different Domain not only a different subdomain?
Is there a way to turn back the revokement of the old one?

mnordhoff · March 28, 2018, 3:55pm

No, the duplicate certificate rate limit can be bypassed by adding a subdomain under the same domain.

No.

CCNST · March 28, 2018, 4:10pm

OK thank you very much for the feedback.
Changing the subdomain even wont work because the domain is running on about 50 smartphones and a name mismatch will cause the same error like the revoked certificate.

jared.m · March 28, 2018, 4:12pm

No, don’t change it, just add a second. That is, instead of a certificate that’s only valid for infocenter.ccnst.de, make it valid for infocenter.ccnst.de and, say, temporary.ccnst.de. Or infocenter.ccnst.de and www.ccnst.de. Even just adding ccnst.de would work, in fact. Anything that makes it not-identical will get around this particular limit.

CCNST · March 28, 2018, 4:24pm

OK, understood. Have successfully generated one but now having the problem of the apple devices claiming a name mismatch.

mnordhoff · March 28, 2018, 4:27pm

https://infocenter.ccnst.de/ currently has a certificate that’s valid only for https://vpn.ccnst.de/, not https://infocenter.ccnst.de/.

CCNST · March 28, 2018, 6:33pm

Thank you very much, now i generated a new one with both domains and it works! Thought the initial domain is not allowed to be included anyway. Thank you very much for saving my easter days.

PS: Sorry for being slow on the uptake…

system · April 27, 2018, 11:20pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.