Questions about Renewing before TLS-ALPN-01 Revocations

Hi, yes of course this worked! Very tired, been up all night trying to sort it.

But now I'm not sure if this is right - doesn't that mean by setting it to 100 days that my certs won't get renewed in 90 and therefore my website will be unsecured for 10 days once my certs pass this 90 day expiry date?

In other words, now it's at 100 days, even though I've set it to 60 days in the script, how do I force the certs to expire in 60 days now, they are gonna stick around for 100 no?

My error message (of course) trying to renew the certs back to 60 days:

The certificate expires in 89 days, the number of days defined to perform the renewal is 60: no renewal.

So I'm thinking I should've thought for a second and just done 61, inside the 90, over the 60 for the current cert... I'm using lego too with apparently no force renew...

Or will they renew in 89 days like the error suggests, because you can't really force a cert to expire in 100, they're locked at 90, hence why you suggested 100 days for those people who have renew 90 in their code?

I'm being rate limited: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many new orders recently

Who can I contact to have these limits raised while traefik requests new certs?

@Hvid - jillian (Let's Encrypt staff):

"This thread will be watched staff and community members who can reach us. I can also be DMd"

Dear @jillian, I can't find the way to DM you but I'll definitely need LE staff help to raise my reissue limit.
Please advise whom to message and with what information, thanks!

It seems new users cannot DM.

Strictly speaking what we call a "renewal" is just a brand new certificate which happens to contain the same set of hostnames :wink:

Could you perhaps clarify which limit you're actually having issues with? Preferably the actual error message provided by the ACME server.

3 Likes

Here is info and advice on Apache ACME (mod_md) and how to check if your sites are affected: blog/lets-encrypt-trouble.md at main · icing/blog · GitHub

@jillian care to add to the top list? thanks.

4 Likes

I have just received this email. We had to recreate the certificate because of some problems here and the expiration date is now april/2022 but still receiving the certificate expiration emails and now this revocation email. Should I be concerned? How can I proceed?

Hi @Osiris - 'The main limit is Certificates per Registered Domain (50 per week)' - this is the main rate limit I was hitting when mass-migrating sites from wildcard to per-site certificates. It took me about three weeks to migrate 100+ sites, respectively.
As I typed this here, I've realized I might not hit this limitation now, as these domains are already in LE system, right? Sorry for bothering then, I should be fine with the proposed solution :slight_smile:

How can I find the domain names associated with ACME registration (account) ID(s) sent in the email?

I think by default the certificates that lego generates always expire after 90 days. So, when renewing, by setting the days parameter to 100 it's guaranteed to always renew the certificate (91 would also work, etc).

Of course, you want to make sure you remove the days parameter again from the renewal script once you've forced the renewal, otherwise it'll always renew the certificate every time the script runs. Without the days parameter, the renewal script will default to only renewing the certificate when there is <30 days left.

The key thing to realise is that the days parameter only determines whether or not the certificate should be renewed (based on how long is left). It does not affect how long the certificate itself is valid for.

1 Like

All certificates issued and validated with the TLS-ALPN-01 challenge before 00:48 UTC 26 January 2022 are affected. If you received an e-mail for the TLS-ALPN-01 renewal required, then your certificate was affected and you need to renew your certificate. How you renew your certificate depends on your client but you will be running the issuance request command with a modified config or a flag to “force” renewal.

The expiration emails are a separate notification and likely related to a certificate which renewed and added names too. Don’t worry about that now, we can open a fresh post to help you out with that after you have renewed your certificates.

2 Likes
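The two points made above (the `days` parameter only gates renewal and never changes a certificate's lifetime, and certificates validated with TLS-ALPN-01 before 00:48 UTC on 26 January 2022 are affected) combined into one check. This is an added example, not code from the thread or from the lego project: it parses the `notBefore=`/`notAfter=` lines that `openssl x509 -noout -dates` prints, flags a pre-cutoff certificate, and uses a simplified model of lego's "expires in N days, renewal threshold D: no renewal" decision; the sample dates are constructed and the helper names are my own.

```python
# Added example: openssl-dates parser plus the TLS-ALPN-01 cutoff and lego --days checks.
from datetime import datetime, timezone

# Stated in the thread: TLS-ALPN-01-validated certs issued before this are affected.
TLS_ALPN_CUTOFF = datetime(2022, 1, 26, 0, 48, tzinfo=timezone.utc)
LEGO_DEFAULT_DAYS = 30  # lego's default renewal threshold, as described above

# Constructed sample in `openssl x509 -noout -dates` format (90-day lifetime).
SAMPLE_DATES = """\
notBefore=Jan 25 10:00:00 2022 GMT
notAfter=Apr 25 10:00:00 2022 GMT
"""

def utc(*parts):
    """Aware UTC datetime from (year, month, day[, hour, minute])."""
    return datetime(*parts, tzinfo=timezone.utc)

def parse_openssl_dates(text):
    """Return (not_before, not_after) from openssl's notBefore=/notAfter= lines."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both a notBefore= and a notAfter= line")
    return found["notBefore"], found["notAfter"]

def affected_by_revocation(not_before, validated_with_tls_alpn=True):
    """True when the cert predates the cutoff and was validated with TLS-ALPN-01.
    The validation method is not in the certificate; the caller must know it."""
    return validated_with_tls_alpn and not_before < TLS_ALPN_CUTOFF

def lego_would_renew(not_after, now, days=LEGO_DEFAULT_DAYS):
    """Simplified model of lego's 'expires in N days ... no renewal' decision.
    Returns (renew, days_left). `days` only gates renewal; it never changes
    how long the certificate itself is valid."""
    days_left = (not_after - now).days
    return days_left < days, days_left

def check(dates_text, now, days=LEGO_DEFAULT_DAYS, validated_with_tls_alpn=True):
    """Combine both checks for one certificate into a small report dict."""
    not_before, not_after = parse_openssl_dates(dates_text)
    renew, days_left = lego_would_renew(not_after, now, days)
    return {
        "affected": affected_by_revocation(not_before, validated_with_tls_alpn),
        "days_left": days_left,
        "lego_renews": renew,
    }
```

With the sample dates and "now" set to 26 January 2022, `days=60` reproduces the "expires in 89 days ... 60: no renewal" outcome quoted earlier in the thread, while `days=100` forces the renewal.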

Yes, we wish we could have provided more information for each contact and registration id but had to prioritize notification. We will be exploring more ways that we can share this information in the future. I'm sorry to hear you have so many servers to check. Hopefully all you have to do is force renewal on each one! In this scenario, that's the better path forward over individually checking which accounts are on each host.

2 Likes

Thank you for the reply.
Just to make sure, here is where I can get the acme registration id?
https://acme-v02.api.letsencrypt.org/acme/acct/*********
If this is the right place, the valid certificate has a different id from the email. Maybe they are related to the old certificates.

2 Likes

Finding Account IDs - Let's Encrypt (letsencrypt.org)

2 Likes

Hey guys - I'm using LE cert on my firewalls, Fortinet FG-100F. So far, I don't see any way to "force renew" - the firewall states the cert just auto-renewed a few days ago.

Am I safe? Any idea how to force a renewal?

How to renew?

ACME registration (account) ID(s):

361372510

I cannot recall which site I used this for. We used it from the server or WHM automatically.

Please advise.

Renewals are not counted against that specific rate limit.

4 Likes

You will need to look at the documentation for your specific client to determine how to renew. Searching the forum may provide the answer; otherwise open a new Help thread to request help for how to renew with your client. Please fill in the fields to get the best support.

1 Like

Hi,

Thank you for the notification by mail regarding this issue.

To be sure. Using the Lego client to renew a certificate today (the 26th of January) after receiving the notification email but again using the TLS-ALPN-01 method, will result in a certificate that will not be revoked on the 28th. Correct?

Thanks in advance.

2 Likes