I’ve recently switched from the 0.40 LE client to certbot-auto (since I’m running Ubuntu 14.04, there isn’t a package available), but it seems I hit the rate limits, unlike before when I was using letsencrypt-auto renew with the same setup. It seems the new client is requesting a domain every time?
/opt/certbot-auto renew --quiet --rsa-key-size 4096 > /dev/null
Checking for new version…
Requesting root privileges to run certbot…
/root/.local/share/letsencrypt/bin/letsencrypt renew --quiet --rsa-key-size 4096
2016-05-25 20:33:58,730:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for exact set of domains:domain.com. Skipping.
All renewal attempts failed. The following certs could not be renewed:
I look in the archive directory and there is a directory with cert1.pem, cert2.pem, cert3.pem… etc. and another one that’s currently being used, domain.com-0001, which similarly has multiple certs… The thing is, the domain doesn’t need to be updated, but it seems to be doing it every time. I thought the default even run as cron was to wait until 30 days before? Has that changed?
Here are my renewal settings (I’ve now enabled renew_before_expiry and --keep-until-expiry, but strange it wasn’t doing this before?). Also, I’m using Apache but with webroot; that’s a legacy thing from using nginx, which I plan to switch back to. I’ve anonymised them, don’t want to give away security info - domain.com is obviously my domain, etc.
# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/domain.com/cert.pem
privkey = /etc/letsencrypt/live/domain.com/privkey.pem
chain = /etc/letsencrypt/live/domain.com/chain.pem
fullchain = /etc/letsencrypt/live/domain.com/fullchain.pem

# Options and defaults used in the renewal process
[renewalparams]
installer = None
authenticator = webroot
rsa_key_size = 4096
account = xxxxxxxxxxxxxxxxx
[[webroot_map]]
bootleg.radioclash.com = /xxx/xxx/xxxxx
And the configs:
# the domain we want to get the cert for;
# technically it's possible to have multiple of this lines, but it only worked
# with one domain for me, another one only got one cert, so I would recommend
# separate config files per domain.
domains = domain.com

# increase key size
rsa-key-size = 4096

# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory

# this address will receive renewal reminders
email = email@example.com

# turn off the ncurses UI, we want this to be run as a cronjob
text = True

# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
# and then letting LE fetch it
authenticator = webroot
webroot-path = /xxx/xxx/xxxxx
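An added diagnostic, not part of the original post or of certbot itself: it groups the files under `renewal/` by the set of names in `[[webroot_map]]` and counts the `certN.pem` files in each lineage's `archive/` directory, so a `domain.com` / `domain.com-0001` pair covering the same names shows up together with how many times each has been issued. It assumes the directory layout and `[[webroot_map]]` section shown in the post; the `example.com` names, the webroot path and the sample tree are constructed.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

def webroot_domains(conf_text):
    """Domain names listed under [[webroot_map]] in a renewal .conf file."""
    domains, in_map = set(), False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):            # any section header ends the map
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line:
            domains.add(line.split("=", 1)[0].strip().lower())
    return frozenset(domains)

def audit(config_dir):
    """Map each domain set to {lineage name: count of certN.pem in archive/}."""
    config_dir = Path(config_dir)
    groups = defaultdict(dict)
    for conf in sorted((config_dir / "renewal").glob("*.conf")):
        archive = config_dir / "archive" / conf.stem
        issued = [p for p in archive.glob("cert*.pem")
                  if re.fullmatch(r"cert\d+\.pem", p.name)]
        groups[webroot_domains(conf.read_text())][conf.stem] = len(issued)
    return dict(groups)

def duplicates(groups):
    """Domain sets held by more than one lineage; each one renews separately."""
    return {names: lin for names, lin in groups.items() if len(lin) > 1}

def build_sample(root):
    """Constructed layout (not real data): example.com has two lineages."""
    layout = {"example.com": ("example.com", 3),
              "example.com-0001": ("example.com", 4),
              "example.org": ("example.org", 1)}
    for lineage, (domain, count) in layout.items():
        (root / "renewal").mkdir(parents=True, exist_ok=True)
        (root / "archive" / lineage).mkdir(parents=True, exist_ok=True)
        (root / "renewal" / f"{lineage}.conf").write_text(
            "[renewalparams]\nauthenticator = webroot\n"
            f"[[webroot_map]]\n{domain} = /var/www/placeholder\n")
        for n in range(1, count + 1):
            (root / "archive" / lineage / f"cert{n}.pem").write_text("")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for names, lineages in duplicates(audit(build_sample(Path(tmp)))).items():
            print(sorted(names), lineages)
```

On a real host, `duplicates(audit("/etc/letsencrypt"))` run as root reports the same information for the live configuration.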