Plesk LE plugin: Hitting the duplicate certificate limit; help finding existing certificates

It seems the LE Plesk plugin tried to renew the cert every day but failed and finally hit the rate limit.

Unfortunately we saw this today and we apply HSTS with a long value.

Is the website now blocked for all users for the next 7 days or can we contact the LE team to remove the rate limit? We found the issue and want to renew the cert.

Which rate limit are you hitting? Can you share the exact error message?

We can’t reset rate limits from the server side but I can suggest more concrete steps if I know the exact limit being encountered.

I’m confused why you believe your website is blocked. None of the renewals that have been happening every day succeeded and gave you a fresh, unexpired certificate?

It is

Invalid response from https://acme-v01.api.letsencrypt.org/acme/new-cert: Error creating new cert :: too many certificates already issued for exact set of domains: example.com,www.example.com.
Type: urn:acme:error:rateLimited.

This looks like the duplicate certificate rate limit. The time period for it is described in our rate limit docs:

We also have a Duplicate Certificate limit of 5 certificates per week. A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names by adding [blog.example.com], you would be able to request additional certificates.

There isn’t any way to “reset” this limit from our side. The upsides are: You have 5 valid certificates to choose from assuming your client didn’t “lose” them somewhere, and the rate limit will reset in a week’s time.

It might also be worthwhile to report this bug to the Plesk plugin authors. It appears from certificate transparency logs that there have been quite a few duplicate certificates issued for these domains.
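The duplicate-certificate rule quoted above, as an added example that is not part of the original thread or of any Let's Encrypt or Plesk code: it normalizes name sets the way the quoted docs describe and works out when the next certificate for the same set would be accepted. The issuance history is constructed, the function names are hypothetical, and treating "per week" as a sliding 7-day window is an assumption.

```python
from datetime import datetime, timedelta

LIMIT = 5                   # duplicate certificates per window, from the quoted docs
WINDOW = timedelta(days=7)  # "per week", modelled here as a sliding window (assumption)


def name_set(hostnames):
    """Key for 'the exact same set of hostnames': case and order are ignored."""
    return frozenset(h.strip().lower() for h in hostnames)


def duplicates_in_window(issued, hostnames, now):
    """Issuance times, oldest first, of certificates with the same name set in the window."""
    key = name_set(hostnames)
    return sorted(t for t, names in issued
                  if name_set(names) == key and now - WINDOW < t <= now)


def next_allowed(issued, hostnames, now):
    """Earliest time a further certificate for this exact name set is accepted."""
    recent = duplicates_in_window(issued, hostnames, now)
    if len(recent) < LIMIT:
        return now
    # Blocked until the 5th-most-recent issuance falls out of the window.
    return recent[-LIMIT] + WINDOW


# Constructed issuance history, e.g. as read off a certificate transparency search.
ISSUED = [
    (datetime(2016, 4, 20, 3, 0), ["example.com", "www.example.com"]),  # too old to count
    (datetime(2016, 5, 1, 3, 0), ["example.com", "www.example.com"]),
    (datetime(2016, 5, 2, 3, 0), ["www.example.com", "example.com"]),   # order differs
    (datetime(2016, 5, 3, 3, 0), ["WWW.Example.com", "example.com"]),   # case differs
    (datetime(2016, 5, 4, 3, 0), ["example.com", "www.example.com"]),
    (datetime(2016, 5, 5, 3, 0), ["example.com", "www.example.com"]),
    (datetime(2016, 5, 5, 9, 0), ["example.com"]),                      # different name set
]
NOW = datetime(2016, 5, 6, 3, 0)

if __name__ == "__main__":
    for names in (["example.com", "www.example.com"],
                  ["example.com", "www.example.com", "blog.example.com"],
                  ["example.com"]):
        count = len(duplicates_in_window(ISSUED, names, NOW))
        print(sorted(name_set(names)), count, "in window; next allowed:",
              next_allowed(ISSUED, names, NOW))
```

Only the first name set is blocked; a set with one name added or removed counts as a different certificate under this limit, though other limits still apply to it.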

Yes, I know. Checked it on the crt.sh page.

Actually the rate limit prevents us from getting a new valid certificate.

Did not find the unused certs in the live / archive directories mentioned somewhere else.

Do you know where I can find them on Debian 8.4?

I’m not familiar with Plesk or where it keeps its certificates unfortunately. I’ll update the title of this post to highlight the “Plesk” portion and maybe someone else in the community is aware & can help.

One potential short-term workaround is to add a new domain name to the fresh certificate you are trying to issue. The rate limit prevents you from getting another certificate for the exact same set of names but you should be able to issue a certificate for “tattoomodels.com”, “www.tattoomodels.com”, “some.other.you.control.domain.com”. The new domain could even be a subdomain of “tattoomodels.com”.

I would recommend carefully reviewing the rate limits documentation first to ensure you don’t end up tripping another rate limit (e.g. the “Certificates per Registered Domain” limit).

Adding a domain alias did not help. Combining the main domain with subdomains in the plugin is not possible, it seems.

But I could request a new cert for the non-www domain.

So it seems we have to wait 7 days to retry it? Should I disable the scheduled task of the LE plugin?

Ah, that’s unfortunate.

That would likely work provided you don’t need HTTPS for the www sub-domain.

Yes. This rate limit is applied on a 7 day window.

Have you raised this issue with the maintainers of the plugin? It seems prudent to disable it until you can determine whether it was a configuration error or a bug that created all of these certificates unnecessarily. Hopefully someone associated with Plesk could provide better guidance.

Apologies for the troubles!

Will do so now.
At least there are still many open issues and not much activity here: https://github.com/plesk/letsencrypt-plesk

Updated the plugin (no automatic plugin updates on Plesk 12.5 by default), probably the issue will not occur anymore. I’ll keep an eye on it.

https://ext.plesk.com/packages/f6847e61-33a7-4104-8dc9-d26a0183a8dd-letsencrypt#!


After the update of the LE Plesk plugin last week, waiting 7-8 days and retrying it today it finally worked again.
