Rate limit hit without having renewed certs

Something seems to have gone wrong with a Let's Encrypt configuration and I don't know how to stop it.

When I logged onto to renew a cert that is to expire in 5 days I got the error:

Failed to renew certificate with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains:

But I haven't generated any new certificates since the last time it needed renewing (about 90 days ago). I have never had trouble with this certificate.

If I look on https://check-your-website.server-daten.de it is showing certs generated at lots of irregular times over the past few weeks, sometimes twice on the same day, then 5 days apart, no pattern to it. Although this started at the same time I was sent the email reminder to renew, so maybe there is a connection?

If I look in the Let's Encrypt folder in /etc there are lots of certs and keys corresponding to those dates. But there is still only the correct set of keys and certs in the domain folder from 90 days ago as there should be.

So what is creating all these extra certificate requests?

1 Like

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The name and version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

I don't want to post the domain and it has nothing to do with secrecy.

The server is a CentOS 8 system that doesn't use a control panel. The certbot version is 1.15.0.

It appears there is a systemd timer set up to auto-renew, but this appears to be going wrong:

[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-1150.mount
After=var-lib-snapd-snap-certbot-1150.mount
X-Snappy=yes

[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 03:21
OnCalendar=*-*-* 16:28

[Install]
WantedBy=timers.target

Looks related to this: "How do I disable auto-renew without removing config files?" (Issue #8555, certbot/certbot on GitHub), and it is not encouraging; apparently stopping the renewal doesn't work.

But why are certs being generated every time the renewal timer is triggered?

In a few days the server is going to be without SSL, obviously this is a big problem.

As a fix to stop the website becoming unusable, is there any way to obtain the fullchain file for the most recently created certificate? Despite all these auto-renewals the cert files are not being saved on the server, making it doubly bad. The only files on the server I can find are files in the "keys" and "csr" folders.

Well I am at least able to download the auto-created certs using:

certbot certonly --standalone --preferred-challenges http -d mydomain.com

Could be an option in a general or cert-specific configuration file. Could also be that the symbolic links in the /live/ directory aren't pointing to the correct files in the /archive/ directory.

If it's your client generating all the certs, there should be plenty of valid certs laying around somewhere. So no, most likely not a big problem at all, you just need to find the valid certs.

There should be plenty of files in the /archive/ directory too. Certbot doesn't issue and then delete those files. Unless you're running certbot in something like a Docker container without persistent storage.

2 Likes

Could you maybe start with showing the output of sudo certbot certificates ? I wonder if you have several certificates set up for your domain, which are all auto-renewing?

2 Likes
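The request above is for the output of sudo certbot certificates, which lists every lineage certbot manages and the exact set of domains each one covers. As an added example (not code from the thread or from certbot), the script below parses a constructed sample laid out like that output and reports domain sets that appear in more than one lineage. The sample lineage names (mydomain.com, mydomain.com-0001, mydomain.com-0002, mail.mydomain.com), serial numbers, dates and paths are made up; the -0001/-0002 suffixes are what certbot appends when a lineage with the same name already exists.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the layout of `sudo certbot certificates`.
# It is not output from the poster's server; every value in it is made up.
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: mydomain.com
    Serial Number: 04aa11bb22cc33dd44ee55ff66aa77bb88cc
    Domains: mydomain.com www.mydomain.com
    Expiry Date: 2021-06-05 03:21:00+00:00 (VALID: 5 days)
    Certificate Path: /etc/letsencrypt/live/mydomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mydomain.com/privkey.pem
  Certificate Name: mydomain.com-0001
    Serial Number: 04bb22cc33dd44ee55ff66aa77bb88cc99dd
    Domains: mydomain.com www.mydomain.com
    Expiry Date: 2021-08-27 16:28:00+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/mydomain.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mydomain.com-0001/privkey.pem
  Certificate Name: mydomain.com-0002
    Serial Number: 04cc33dd44ee55ff66aa77bb88cc99ddaaee
    Domains: mydomain.com www.mydomain.com
    Expiry Date: 2021-08-28 03:21:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mydomain.com-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mydomain.com-0002/privkey.pem
  Certificate Name: mail.mydomain.com
    Serial Number: 04dd44ee55ff66aa77bb88cc99ddaaeebbff
    Domains: mail.mydomain.com
    Expiry Date: 2021-08-01 12:00:00+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
"""

# Only the fields we need; other lines (Serial Number, Private Key Path) are skipped.
FIELD_RE = re.compile(r"^\s*(Certificate Name|Domains|Expiry Date|Certificate Path):\s*(.*)$")


def parse_certificates(text):
    """Return one dict per lineage listed in `certbot certificates` output."""
    lineages = []
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue
        field, value = match.group(1), match.group(2).strip()
        if field == "Certificate Name":
            lineages.append({"name": value, "domains": ()})
        elif not lineages:
            continue  # a field before any lineage header; ignore it
        elif field == "Domains":
            # Order is irrelevant to the CA's "exact set of domains", so sort
            # the names so that equal sets compare equal.
            lineages[-1]["domains"] = tuple(sorted(value.split()))
        elif field == "Expiry Date":
            # Drop the trailing "(VALID: n days)" annotation.
            lineages[-1]["expiry"] = value.split(" (")[0]
        elif field == "Certificate Path":
            lineages[-1]["path"] = value
    return lineages


def find_duplicate_lineages(lineages):
    """Group lineages whose domain sets are identical. Each lineage renews on
    its own schedule, and every renewal counts against the same rate limit."""
    groups = defaultdict(list)
    for lineage in lineages:
        groups[lineage["domains"]].append(lineage)
    return {domains: group for domains, group in groups.items() if len(group) > 1}


def lineages_to_review(lineages, keep=None):
    """For each duplicated domain set, keep `keep` if it is in the group (the
    lineage your web server actually points at), otherwise the lineage that
    expires last, and return the other names as candidates for
    `certbot delete --cert-name NAME`."""
    surplus = []
    for group in find_duplicate_lineages(lineages).values():
        names = [lineage["name"] for lineage in group]
        if keep in names:
            chosen = keep
        else:
            chosen = max(group, key=lambda lineage: lineage.get("expiry", ""))["name"]
        surplus.extend(name for name in names if name != chosen)
    return sorted(surplus)


if __name__ == "__main__":
    parsed = parse_certificates(SAMPLE_OUTPUT)
    for domains, group in find_duplicate_lineages(parsed).items():
        print("duplicate lineages for", " ".join(domains), "->", [lineage["name"] for lineage in group])
    print("candidates for certbot delete:", lineages_to_review(parsed, keep="mydomain.com"))
```

Before deleting anything, check which lineage's Certificate Path the web server configuration references and pass that name as keep; removing the lineage the server is serving would leave it with a dangling path. On a real host, feed the script the actual output (for instance sudo certbot certificates | python3 thisscript.py with a small read from stdin) rather than the constructed sample.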

I had actually noticed 2 duplicates before I saw your message, I have deleted them in case that was the problem, I'll need to wait and see if it was. I'm not sure why this would be creating certs though but let's find out.

Deleting duplicate certs will not remove them from the rate limit. Once you've hit the limit, you've hit the limit until one week from the date and time of the first cert you obtained. Having duplicates is the problem. It's whether or not you've made a valid cert available on your server and reset/restarted your server.

It would be so much easier to help if you would show the output of sudo certbot certificates as @petercooperjr asked. Peter does have a valid question... "if you have several certificates set up... which are all auto-renewing?" It's quite possible you created duplicates (total of 5 certs) and they are all trying to renew.

1 Like
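The point above, that the limit counts what the CA has already issued and that deleting lineages locally does not reset it, can be made concrete. The following is an added example, not code from the thread: it takes a list of issuance times for one exact set of domains (constructed here to match the 03:21 and 16:28 timer slots shown earlier; they are not the poster's real history) and computes, under Let's Encrypt's published duplicate-certificate limit of 5 per rolling 7-day window, how many issuances fall inside the window and when the next one would be accepted. The function names and the sample dates are assumptions.

```python
from datetime import datetime, timedelta, timezone

DUPLICATE_CERT_LIMIT = 5    # Let's Encrypt: 5 duplicate certificates per exact domain set ...
WINDOW = timedelta(days=7)  # ... per rolling 7-day window

# Constructed issuance times for one exact domain set, as one might read them
# off a CT log search. They are not the poster's real history; they follow the
# 03:21 / 16:28 timer slots quoted in the thread.
ISSUED = [
    datetime(2021, 5, 1, 3, 21, tzinfo=timezone.utc),
    datetime(2021, 5, 1, 16, 28, tzinfo=timezone.utc),
    datetime(2021, 5, 3, 3, 21, tzinfo=timezone.utc),
    datetime(2021, 5, 6, 16, 28, tzinfo=timezone.utc),
    datetime(2021, 5, 7, 3, 21, tzinfo=timezone.utc),
]


def issued_in_window(issued, now, window=WINDOW):
    """Number of certificates issued in the window (now - window, now]."""
    return sum(1 for t in issued if now - window < t <= now)


def can_issue_now(issued, now, limit=DUPLICATE_CERT_LIMIT, window=WINDOW):
    """True if one more issuance at `now` would still be within the limit."""
    return issued_in_window(issued, now, window) < limit


def next_allowed(issued, now, limit=DUPLICATE_CERT_LIMIT, window=WINDOW):
    """Earliest time at which one more issuance stays under the limit.

    Deleting lineages on the client changes nothing here: the CA counts the
    certificates it issued, not the files still present on the server.
    """
    recent = sorted(t for t in issued if t <= now)
    if len(recent) < limit:
        return now
    # The limit clears once the limit-th most recent issuance leaves the window.
    clears_at = recent[-limit] + window
    return max(now, clears_at)


if __name__ == "__main__":
    now = datetime(2021, 5, 8, 0, 0, tzinfo=timezone.utc)  # constructed "current" time
    print("issued in the last 7 days:", issued_in_window(ISSUED, now))
    print("can issue now:", can_issue_now(ISSUED, now))
    print("next issuance allowed at:", next_allowed(ISSUED, now).isoformat())
```

Renewal attempts that are refused with rateLimited do not count as issuances, so hammering the endpoint twice a day from a timer does not push the window further out; only the successful issuances in the history do.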

And the fact that you said you were getting email reminders and going to renew your cert again makes me guess that you might have actually had one or more working auto-renewing certificates, but when you were notified about an old certificate that you didn't need anymore expiring you ended up making yet another one (which also started renewing itself every couple months), exacerbating the problem. Or something like that, the whole timeline isn't that clear. But you should be able to have only one certificate listed as managed by certbot, and it should be renewing itself every couple months, and once this is cleared up you won't have to worry about anything more.

2 Likes

Well it's been 6 days and no renewals so it looks like the duplicates were the problem.

1 Like
