Plesk - cert doesnt renew, too many certificates already issued, (3 certs)

steve-pher · April 28, 2017, 12:40pm

domain - Pheriche.com
command line: no command line, it’s a Plesk interface, certbot isn’t installed
output: Error: Let’s Encrypt SSL certificate installation failed: Invalid response from https://acme-v01.api.letsencrypt.org/acme/new-cert: Error creating new cert :: too many certificates already issued for exact set of domains: pheriche.com. Type: urn:acme:error:rateLimited.
OS and server: Centos6, Plesk 12.5.3 , NGINX on the primary, Apache on the subdomains.
VPS

The domain had 3 certs on it, the domain itself, and two subdomains (dev.pheriche and sharedfiles.pheriche) (now removed).

The certs were installed around December 2016 and worked fine since then, but now I’ve got this error and no real clues on how to resolve it. Can anyone give me an idea what’s going wrong.
I wouldn’t have thought 3 certs on a domain was too many, and looking for solutions in /usr/local/psa/var/modules/letsencrypt/etc/renewal I only see those 3 certs and one other for another domain. So, again, not really " too many certificates"

baffled!

sahsanu · April 28, 2017, 6:04pm

Hi @steve-pher,

No, 3 certs on a domain are not too much, 3 domains on the same cert are also not too much. The "too much certificates" error is because you have issued 5 certificates for the exact same subset of domains in last 7 days. You can check the rate limits for Let's Encrypt here Rate Limits - Let's Encrypt

I'm quoting the part that is affecting you:

We also have a Duplicate Certificate limit of 5 certificates per week. A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names by adding [blog.example.com], you would be able to request additional certificates.

And yes, you are issuing certificates but seems your Plesk is not using them:

CRT ID     DOMAIN (CN)               VALID FROM              VALID TO                EXPIRES IN  SANs
130074924  pheriche.com              2017-Apr-28 01:01 CEST  2017-Jul-27 01:01 CEST  89 days     pheriche.com
128946304  pheriche.com              2017-Apr-26 01:01 CEST  2017-Jul-25 01:01 CEST  87 days     pheriche.com
128171194  pheriche.com              2017-Apr-25 01:01 CEST  2017-Jul-24 01:01 CEST  86 days     pheriche.com
127193263  pheriche.com              2017-Apr-24 01:01 CEST  2017-Jul-23 01:01 CEST  85 days     pheriche.com
126541639  pheriche.com              2017-Apr-23 01:01 CEST  2017-Jul-22 01:01 CEST  84 days     pheriche.com
125663690  pheriche.com              2017-Apr-22 01:01 CEST  2017-Jul-21 01:01 CEST  83 days     pheriche.com
124804720  pheriche.com              2017-Apr-21 01:01 CEST  2017-Jul-20 01:01 CEST  82 days     pheriche.com
122676470  pheriche.com              2017-Apr-18 12:59 CEST  2017-Jul-17 12:59 CEST  79 days     pheriche.com
122350392  pheriche.com              2017-Apr-18 01:01 CEST  2017-Jul-17 01:01 CEST  79 days     pheriche.com
121456861  pheriche.com              2017-Apr-17 01:01 CEST  2017-Jul-16 01:01 CEST  78 days     pheriche.com
120559263  pheriche.com              2017-Apr-16 01:01 CEST  2017-Jul-15 01:01 CEST  77 days     pheriche.com
119663826  pheriche.com              2017-Apr-15 01:01 CEST  2017-Jul-14 01:01 CEST  76 days     pheriche.com
118792978  pheriche.com              2017-Apr-14 01:01 CEST  2017-Jul-13 01:01 CEST  75 days     pheriche.com
109527111  sharedfiles.pheriche.com  2017-Mar-28 01:02 CEST  2017-Jun-26 01:02 CEST  58 days     sharedfiles.pheriche.com
109526890  dev.pheriche.com          2017-Mar-28 01:01 CEST  2017-Jun-26 01:01 CEST  58 days     dev.pheriche.com
97521007   sharedfiles.pheriche.com  2017-Feb-28 01:01 CET   2017-May-29 02:01 CEST  30 days     sharedfiles.pheriche.com
97520900   dev.pheriche.com          2017-Feb-28 01:01 CET   2017-May-29 02:01 CEST  30 days     dev.pheriche.com
92885983   dev.pheriche.com          2017-Feb-15 15:28 CET   2017-May-16 16:28 CEST  17 days     dev.pheriche.com

I'm not using Plesk and don't know how it works so I can't help you with that but you should review your Plesk conf.

Good luck,
sahsanu

twistedpixel · May 7, 2017, 3:44pm

I came here to post an identical issue, also using Plesk on CentOS6. It started on 2nd of May. I too am baffled because I only have 2 subdomains on each domain that required a renewal on 2nd May (so a total of 6 certs across 2 domains). The other 2 or 3 domains I use Let’s Encrypt certs on weren’t due for renewal until around June.

I’ve contacted Plesk support who don’t seem to know what’s going on.

Did you get any further with this? I’m seeing the exact same errors (“too many certs for exact set of domains”) in my panel.log.

Is it possible this is a repeat of the issue last May where new certs were being generated as opposed to renewals?

system · June 6, 2017, 3:54pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.