I’ve recently switched from the 0.40 LE client to certbot-auto (since I’m running Ubuntu 14.04, there isn’t a package available), but it seems I hit the rate limits, unlike before when I was using letsencrypt-auto renew with the same setup. It seems the new client is requesting a domain every time?
/opt/certbot-auto renew --quiet --rsa-key-size 4096 > /dev/null
Checking for new version…
Requesting root privileges to run certbot…
/root/.local/share/letsencrypt/bin/letsencrypt renew --quiet --rsa-key-size 4096
2016-05-25 20:33:58,730:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for exact set of domains:domain.com. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/domain.com/fullchain.pem (failure)
I look in the archive directory and there is a directory with cert1.pem, cert2.pem, cert3.pem… etc., and another one that’s currently being used with domain.com-0001, which similarly has multiple certs… The thing is, the domain doesn’t need to be updated, but it seems to be doing it every time. I thought the default, even when run as cron, was to wait until 30 days before? Has that changed?
Here are my renewal settings (I’ve now enabled renew_before_expiry and --keep-until-expiry, but strange it wasn’t doing this before?). Also, I’m using Apache but with webroot; that’s a legacy thing from using nginx, which I plan to switch back to. I’ve anonymised them, as I don’t want to give away security info - domain.com is obviously my domain, etc.
# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/domain.com/cert.pem
privkey = /etc/letsencrypt/live/domain.com/privkey.pem
chain = /etc/letsencrypt/live/domain.com/chain.pem
fullchain = /etc/letsencrypt/live/domain.com/fullchain.pem
# Options and defaults used in the renewal process
[renewalparams]
installer = None
authenticator = webroot
rsa_key_size = 4096
account = xxxxxxxxxxxxxxxxx
[[webroot_map]]
bootleg.radioclash.com = /xxx/xxx/xxxxx
And the configs:
# the domain we want to get the cert for;
# technically it's possible to have multiple of these lines, but it only worked
# with one domain for me, another one only got one cert, so I would recommend
# separate config files per domain.
domains = domain.com
# increase key size
rsa-key-size = 4096
# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory
# this address will receive renewal reminders
email = xxx@xxxx.com
# turn off the ncurses UI, we want this to be run as a cronjob
text = True
# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
# and then letting LE fetch it
authenticator = webroot
webroot-path = /xxx/xxx/xxxxx