Problem with rate limit

Hi, I have found this thread after attempting to install Let's Encrypt on a server that hosts multiple domains.
The problem I had was that it was on the HSTS list. I have subsequently tried to install the domain on centmin, but realised that I would then have to create ANOTHER test server to then install the cert. OK, so I have dismissed this long-winded version and built a Debian Jessie server with NGINX, attempting to install with webroot, and I am getting this same error: "too many certificates already issued for exact set of domains". Having checked your link https://crt.sh/, it does appear to have multiple certs issued. How do I now get around this, as I have never actually used a cert for this one domain yet?
Thanks

I moved this to a new post.

Note that HSTS does not have any impact on the validation requests performed by Let's Encrypt. Let's Encrypt does not implement HSTS, so even a domain on the HSTS list can use the HTTP challenge type, without HTTPS.

If you've previously issued more than 20 certificates for that domain during testing, there is not much you can do other than wait for 7 days. The rate limits do not apply only to certificates that are actually used - it's the issuance itself that's being constrained.

Note that there is also a second rate limit of 5 per week for duplicate certificates - certificates with the exact same set of domains. If you've run into that particular rate limit, you can get around it by adding some other subdomain (e.g. www2.example.com) to your request. The exact error message should make clear whether you're running into the duplicate/identical certificate limit or the more general limit per domain.

You can refer to the rate limit documentation for more details.

Ok, appreciate your reply, and I will refrain from trying to produce certs in testing environments based on this limitation. However, as I have just seen that I have the certs on another server under /etc/letsencrypt/live, can I alternatively scp them from one server to the one I now intend on using? Will this work?

Yes, you can use the certificates on multiple servers. I would recommend deleting /etc/letsencrypt on the target server (assuming it exists and holds no other certificates that you need) and then using rsync -a to copy all of /etc/letsencrypt. Just scp'ing the files in live/ won’t be enough as there are other files that are needed in order to make things like renewal work. rsync -a will preserve all the needed file permissions and symlinks (a lack of which could also cause renewal to break).


Ok, seems like I've had this conversation previously and attempted/failed. I'll give it another shot on this occasion and keep you posted. Thanks for the swift response.

Ok, so I used WinSCP to transfer the domain folder contents under "live" to the new server.
Added to domain1.conf:
ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem;
Getting "File not found." in my browser. I wanted to try this on a new server, as when I attempted it on my previous one it kept redirecting to the main domain on the server.
server {
    listen 80;
    listen [::]:80;
    server_name www.domain1.com domain1.com;
    # Every plain-HTTP request, including /.well-known/acme-challenge/, is sent to HTTPS.
    rewrite ^ https://$host$request_uri? permanent;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.domain1.com domain1.com;
    port_in_redirect off;
    root /var/www/domain1.com/;
    index index.php;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    # The dot must be escaped; an unescaped "." matches any single character.
    location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$ {
        access_log off;
        expires max;
    }
    # ACME HTTP-01 challenge files are served from $root/.well-known/ (escaped dot as above).
    location ~ /\.well-known {
        allow all;
    }
    # TLS 1.0 and 1.1 are still enabled here; current guidance is TLSv1.2 and later only.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # The cipher list was cut off at the terminal width in the post (the trailing "$"); it is reproduced as posted.
    ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-C$
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    # live/ entries are symlinks into archive/; both must exist on this server for nginx to start.
    ssl_certificate /etc/letsencrypt/live/domain1.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain1.com/privkey.pem;
}

Any chance I can just get hold of a fresh install? If I leave the site on HTTP, I get a "received a 503 response from the server."

You should remove the files you SCP'd and rsync the entire directory as mentioned. The live folder only holds symlinks, which aren't going to help you.
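The two replies above (copy all of /etc/letsencrypt with rsync -a; live/ holds only symlinks) can be checked mechanically. The script below is an added example, not code from the thread or from certbot: it builds a certbot-style tree in a temporary directory with placeholder PEM contents (a constructed fixture), copies it both ways, and reports which copy is usable. It assumes certbot's layout of archive/<name>/ for the real files, live/<name>/ for symlinks into it, and renewal/<name>.conf; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): build a certbot-style /etc/letsencrypt
# tree in a temporary directory, copy it the two ways discussed above, and
# check which copy nginx and certbot could actually use.
set -u

# Build a minimal tree in the layout certbot writes: real files under
# archive/<name>/, symlinks under live/<name>/, and renewal/<name>.conf.
# The PEM contents are placeholders; only the structure matters here.
make_tree() {
    root=$1; name=$2
    mkdir -p "$root/archive/$name" "$root/live/$name" "$root/renewal"
    for f in cert chain fullchain privkey; do
        printf 'placeholder %s for %s\n' "$f" "$name" > "$root/archive/$name/${f}1.pem"
        ln -s "../../archive/$name/${f}1.pem" "$root/live/$name/$f.pem"
    done
    chmod 600 "$root/archive/$name/privkey1.pem"
    printf '[renewalparams]\n' > "$root/renewal/$name.conf"
}

# The recommended copy: the whole directory, preserving symlinks and modes
# (rsync -a, or cp -a where rsync is not installed).
copy_whole() {
    if command -v rsync >/dev/null 2>&1; then rsync -a "$1/" "$2/"; else cp -a "$1/." "$2/"; fi
}

# What scp/WinSCP of live/<name> alone gives you: the link targets are
# dereferenced into plain files, and archive/ and renewal/ never arrive.
copy_live_only() {
    mkdir -p "$2/live"
    cp -RL "$1/live/$3" "$2/live/"
}

# Returns 0 when every live/<name>/*.pem is a symlink that resolves into
# archive/ and renewal/<name>.conf is present; otherwise reports each problem
# and returns 1.
check_tree() {
    root=$1; name=$2; status=0
    for f in cert chain fullchain privkey; do
        link="$root/live/$name/$f.pem"
        if [ ! -L "$link" ]; then
            echo "$link: not a symlink (copied as a plain file, or missing)"; status=1
        elif [ ! -e "$link" ]; then
            echo "$link: dangling symlink (archive/ was not copied)"; status=1
        fi
    done
    if [ ! -f "$root/renewal/$name.conf" ]; then
        echo "$root/renewal/$name.conf: missing, so 'certbot renew' will not know about $name"; status=1
    fi
    return $status
}

# Demonstration on temporary directories.
src=$(mktemp -d); whole=$(mktemp -d); liveonly=$(mktemp -d)
make_tree "$src" domain1.com
copy_whole "$src" "$whole"
copy_live_only "$src" "$liveonly" domain1.com
if check_tree "$whole" domain1.com; then echo "full copy: usable"; fi
if check_tree "$liveonly" domain1.com; then :; else echo "live-only copy: NOT usable"; fi
rm -rf "$src" "$whole" "$liveonly"
```

Run check_tree against /etc/letsencrypt on the target server after the transfer; if it reports plain files or dangling links under live/, the copy was made without preserving symlinks and should be redone from the whole directory.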

I tried to install Homebrew to get ssh-copy-id on my Mac, to then try and SSH into my server to rsync the files. No luck. Then I installed Cygwin on a Windows machine to attempt the rsync: public key permission denied, as it is a bit of a tall order to get a new SSH key on an existing DO droplet. Ahem! So after fiddling around I simply moved my WordPress install in NGINX to /var/www/domain.com and voilà, the site came back. This was all done simply by using WinSCP to copy the entire letsencrypt folder off the server to a local machine and then onto the new server. I now intend on transferring the other domains. Quick question - how do I now identify which _key-certbot.pem keys are unique to the domains I am adding, as I want to pre-empt a misconfig when moving the sites across?
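The thread closes without an answer to that last question. The script below is an added example, not from the thread or from certbot, showing how a practitioner would answer it: a key belongs to a domain exactly when its public half equals the public key inside that domain's certificate, so file names are ignored and the public keys are compared. It assumes certbot's usual layout, where keys/NNNN_key-certbot.pem are the private keys generated for each CSR and archive/<name>/certN.pem are the issued certificates; the fixture it runs on (two freshly generated keys and a self-signed stand-in certificate) is constructed inside the script, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes certbot's layout:
# keys/NNNN_key-certbot.pem (private keys generated per CSR) and
# archive/<name>/certN.pem (issued certificates). A key is matched to a
# certificate by comparing public keys, never by file name.
set -u

# SHA-256 over the PEM-encoded SubjectPublicKeyInfo, produced the same way
# for a private key and for a certificate so the two are directly comparable.
key_pub_fp()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }
cert_pub_fp() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'; }

# For every key under $root/keys, print which certificate(s) under
# $root/archive it matches, or that it matches none (a leftover from an
# attempt that never produced a certificate, which is safe to leave behind).
match_keys() {
    root=$1
    for key in "$root"/keys/*.pem; do
        [ -e "$key" ] || continue
        kfp=$(key_pub_fp "$key"); found=
        if [ -z "$kfp" ]; then echo "$key: not a readable private key"; continue; fi
        for cert in "$root"/archive/*/cert*.pem; do
            [ -e "$cert" ] || continue
            if [ "$kfp" = "$(cert_pub_fp "$cert")" ]; then
                echo "$key -> $cert"; found=1
            fi
        done
        [ -n "$found" ] || echo "$key -> (no matching certificate)"
    done
}

# Constructed fixture: two freshly generated keys, and a self-signed stand-in
# certificate for domain1.com made from the first one. Only the public key
# matters for the comparison, so a self-signed certificate serves here.
make_fixture() {
    root=$1
    mkdir -p "$root/keys" "$root/archive/domain1.com"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$root/keys/0000_key-certbot.pem" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$root/keys/0001_key-certbot.pem" 2>/dev/null
    openssl req -x509 -new -key "$root/keys/0000_key-certbot.pem" -subj "/CN=domain1.com" -days 1 \
        -out "$root/archive/domain1.com/cert1.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_fixture "$tmp"
match_keys "$tmp"
rm -rf "$tmp"
```

On a real server run match_keys /etc/letsencrypt as root (the keys are mode 600). Note that nginx never reads keys/ directly: it uses live/<name>/privkey.pem, which links to archive/<name>/privkeyN.pem, so once the whole directory has been copied the matching only tells you which spare keys in keys/ are orphans.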
