Rate limitations creating certificates

Is this the right place to ask for permission to have the limitations lifted so I can get certificates? This is needed after several failed installs of a freessl certificate on my webhost server, as described below under "It produced this output".

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://vokalensembletgaia.dk

I ran this command: None, just tried to upload the certificate, ca-bundle and private key on my webhost server

It produced this output: Installation failed. Check compatibility (compliancy) between certificate and key (translated from Danish)

My web server is (include version): apache

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: unoeuro.com

I can login to a root shell on my machine (yes or no, or I don't know): don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes, don't know the name - probably their own

  1. The rate limit for failed authorizations cannot be overridden, and exemptions take significantly longer than the natural expiration period anyway. Please use the staging environment until you are able to successfully obtain certificates, as it has separate and much higher rate limits.

  2. I’m confused about the issue. If you were trying to upload the certificate, then you had already obtained one, but you’re also saying you weren’t able to generate one. Did you receive a signed certificate or not?

  3. How are you going about attempting to obtain these certificates? Using a command or some control panel functionality?


It's correct that I obtained a certificate, but due to the failed installation on my webserver I tried several times to renew the certificate, going through the steps on the website sslforfree.com (manual verification). I managed several times to get new text strings to upload - and new certificates, I guess - to see if this would solve the error. I reached the limitation, saying that I can't exceed 5 certificates and I have to wait 7 days for another try (or ask for permission to get more attempts in here, by a link to this support). I have to emphasize that my knowledge of these matters is very limited, unfortunately.

Hi @edvard,

There is no exemption available for errors or accidents like this. The rate limits exemptions are intended mainly for a situation in which many different users or organizations would be the beneficiaries of the issued certificates, not as a response to an error or accident. In this case, you have to wait for the rate limit to expire.

One thing to be aware of in this case is that the 5-certificate limit is a limit on identical certificates. That means that if you add another domain name, such as an additional subdomain, to your certificate, you can still issue without being restricted by this limit (up until the next limit, which is the 20-certificate limit on certificates per registered domain). For example, as your recent certificates were for vokalensembletgaia.dk and www.vokalensembletgaia.dk, if you issued a new certificate covering vokalensembletgaia.dk, www.vokalensembletgaia.dk, and also irrelevant.vokalensembletgaia.dk, that new certificate would not be prevented by the rate limit. (The additional name would need to exist in the DNS for this to work.)

Perhaps confusingly, you can also circumvent the identical certificates limit by splitting your certificate apart into two separate certificates for vokalensembletgaia.dk and www.vokalensembletgaia.dk. While this is not usually a best practice, these certificates would be considered different from the ones that you tried to issue before and hence also not restricted by the rate limit that you encountered before. I realize that this might complicate your certificate management in the future.

It sounds like there is a different problem concerning the reason why you can’t get your server to accept and install the certificates that you issued. Continuing to issue new certificates either for the original set of names or for a new combination of names will probably not solve this problem. :slight_smile: We’re happy to help you try to understand why this problem is happening.

However, you should not directly post the private key for any of your certificates here because it needs to be kept secret (and the associated certificate needs to be invalidated if the private key is posted). We could, however, suggest commands that you can run to check whether the private key and certificate files do, in fact, correspond to each other.


Could you post the filenames of what you are attempting to load onto your webserver? I believe you might be attempting to provide the account key instead of the certificate’s private key.


Do you still have some or all of the private key and certificate files?

@jared.m - The filenames are: certificate.crt, ca_bundle.crt and private.key
@mnordhoff - I still have a set in a zip-file like above.

My webhost allows customers to upload (import) their own certificates through the control panel. There are three input fields, one for each of the certificates and the key. I have done that successfully for two periods before this.

And how can I run commands to check correspondence? I downloaded openssl to my computer, but I guess it is to be installed in a server environment, not on Windows…

It is possible to run OpenSSL on Windows. It has to be run from a command prompt in a terminal emulator. I don’t know how to install it but I think there are lots of tutorials and documentation about this.

When you have it installed, one practical approach would be to run

openssl rsa -in private.key -modulus -noout

and

openssl x509 -in certificate.crt -modulus -noout

These should display numbers in hexadecimal which should be about 512 digits long. If the private key matches the certificate, the two numbers should be the same! (Unlike virtually all of the other numbers which can be displayed when running openssl commands on the private.key file, these numbers are not confidential and could be disclosed to other people… but there’s no particular reason that we would need to see them here.)
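As an added, runnable illustration of the check described above (this script is not part of the original thread), the following POSIX shell script wraps the two modulus commands in a function and also shows the more general public-key comparison, which works for keys that have no modulus (EC keys). It assumes the openssl command-line tool is installed and on PATH; the key and certificate it generates for the demonstration are constructed throwaway material, not the poster's files.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a private key and a
# certificate belong together before uploading them to a hosting panel.
# Assumes the openssl command-line tool is on PATH; the file names follow
# the ones mentioned in the thread (private.key, certificate.crt).
set -eu

# Exactly the check suggested in the thread: compare the RSA modulus of the
# key with the modulus embedded in the certificate. Both commands print one
# line of the form "Modulus=<hex>"; for a 2048-bit key the hex part is 512
# digits long. Returns 0 (true) when the two lines are identical.
rsa_modulus_matches() {
  key_mod=$(openssl rsa -in "$1" -noout -modulus)
  cert_mod=$(openssl x509 -in "$2" -noout -modulus)
  [ "$key_mod" = "$cert_mod" ]
}

# Generalised form of the same idea: compare the full public key (DER-encoded,
# then hashed) instead of the modulus, so it also works for EC keys.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey \
             | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$key_pub" = "$cert_pub" ]
}

# Constructed demo material: a throwaway self-signed certificate with its own
# key, plus an unrelated key that must fail the check. Prints the directory.
make_demo() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo.invalid" \
    -keyout "$dir/private.key" -out "$dir/certificate.crt" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/other.key" >/dev/null 2>&1
  echo "$dir"
}

# Stand-alone run ("sh check_key.sh demo"): report the matching pair and the
# mismatching pair, which is the situation the hosting panel complained about.
if [ "${1:-}" = "demo" ]; then
  d=$(make_demo)
  for k in private.key other.key; do
    if key_matches_cert "$d/$k" "$d/certificate.crt"; then
      echo "$k: matches certificate.crt"
    else
      echo "$k: does NOT match certificate.crt"
    fi
  done
  rm -rf "$d"
fi
```

The two openssl commands inside the functions are the same ones that work from a Windows command prompt once OpenSSL is installed; only the script wrapper itself needs a POSIX shell (for example the one shipped with Git for Windows). A mismatch from either function is the same condition the hosting panel reports as "check compatibility between certificate and key".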

@schoen
I was able to find a version of OpenSSL to install and run in Windows. By running the commands you suggest I got different results. Question is if I can publicize the results in here or this would affect security?

The modulus does not need to be secret, but we won’t learn anything useful by seeing it.

Can you explain how you originally obtained each of these files?

Download bundled as .zip-file from sslforfree.com

Hmmm, all of them came together in that same ZIP file and there were no other files present that could be a "key"?

If so, I suggest contacting the sslforfree.com support at the address shown in the upper right corner of their page, and asking them whether they know any circumstances under which this kind of mismatch could happen. It could be some kind of bug in their service.

If you can’t get it resolved, you could try a similar service at https://zerossl.com/ in one week when the rate limit has expired (or, in case of greater urgency, try it with one of the workarounds that I mentioned earlier in this thread).

Exactly. The zip is called sslforfree.zip
The link in the upper right of the website is a mailto: // Well of course that is the next obvious step and I just needed to get input from experts in here before placing questions about errors to sslforfree.
I suddenly come to think about this incident: During renewal of the certificate I discovered a typo in my domain name, which I fixed. The domain name was already written on the sslforfree website when I opened that from a link in a mail (reminder of renewal) sent to me. But frankly, I'm not quite sure of how and when, and furthermore - it would be out of the question that I could have verified a certificate and installed that on my webhost server if the domain name was wrong??

You can see what domain names are covered by a given certificate by running openssl x509 -text -noout -in certificate.crt, but that shouldn’t be relevant here because the error says that the key doesn’t match the certificate, not that the certificate doesn’t match the web server configuration.

So I think either sslforfree has a bug, or you mixed up which files were in which ZIP archive.
