Rate limited, can I request the old certificates somewhere?

Hey everyone, I was struggling to get my Apache configuration right, and in the process requested multiple security certificates with certbot. I was not aware of any kind of rate limiting, but now it seems I cannot re-request new certificates. Is there any way I can get the old ones back? Or are they uploaded somewhere?
I messed up at work and I really need this site back online ASAP.

My domain is: yachtcharterdedrait.com

I ran this command: certbot certonly

It produced this output:

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): yachtcharterdedrait.nl
Requesting a certificate for yachtcharterdedrait.nl

Successfully received certificate.

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

I should note that I do have some certificates in the "archive" folder.

1 Like

First, there's a Let's Encrypt staging server to prevent this sort of problem. Always use certbot --test-cert first. Once you get a working configuration where it tells you that everything works except that you have an invalid certificate, and when you look at the certificate it's clearly from the Let's Encrypt staging server, then you can drop the --test-cert.

When you use the certonly method, you're expected to know how to install the certificates manually. If it offers you the option for Apache Web Server plugin, you're probably better off to use certbot --apache.

Yes, you should be able to use the ones from the archive folder. Find the one with the newest modification date and plug it into your Apache config.

1 Like

Hi @tjipke, and welcome to the LE community forum :slight_smile:

I see two different TLDs.

I also see:

[which is a good sign]

Then I also see:

Which is a :triangular_flag_on_post: [big red flag] for me.

What shows?:
sudo apachectl -t -D DUMP_VHOSTS

2 Likes

"Hi @derek-mba, and welcome to the LE community forum"

Hah! I've been here often, but I apparently haven't used my work-id at GitHub to login here :slight_smile:

1 Like

corrected - LOL

2 Likes

Indeed, I didn't notice the .nl domain. https://yachtcharterdedrait.nl/ responds correctly with a certificate issued early this morning. https://yachtcharterdedrait.com/ refuses connections. It looks like you need an alias in the Apache config (though because you've been rate-limited, you probably won't get a new one with both domains this week!).

The certificates themselves, yes, but they're useless without the private keys.

The private keys are generated on your server and should generally never exist anywhere except on your server.

I usually don't even back mine up, since the risk of a backup being compromised is too high. I back up data that can't be easily replaced, but certificates CAN be easily replaced (unless you somehow mess up and rate-limit yourself...)

Also, if you do run into rate limits (which you shouldn't)... the limit is for the exact set of names on the certificate. So, hypothetically speaking, if you really mess up and become unable to create another certificate for "example.com and www.example.com", if you told the server "I need a certificate for example.com, www.example.com, and 2bcedd67-9e6b-4e4b-8cf9-7f6cb21d29b4.example.com" it will be like

4 Likes
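The "exact set of names" rule from the post above, as an added example that is not part of the original thread: it counts earlier issuances whose name set is identical (ignoring order and case) and reports when another identical request would fit. The issuance history is constructed, and the limit values are an assumption: the sliding-window form Let's Encrypt documented around the time of this thread (5 certificates per exact name set per 7 days).

```python
from datetime import datetime, timedelta, timezone

# Assumption: Let's Encrypt's published duplicate-certificate limit of
# 5 certificates per exact name set per 7 days, kept as parameters.
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)


def utc(stamp):
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def name_set(names):
    """Exact-set key: lower-cased, order-independent, duplicates collapsed."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n.strip())


def duplicates_in_window(issued, names, now):
    """Issuance times within the window whose name set equals `names` exactly."""
    key = name_set(names)
    return sorted(t for t, sans in issued
                  if name_set(sans) == key and now - WINDOW < t <= now)


def next_allowed(issued, names, now):
    """`now` if one more identical request fits the limit, else when it will."""
    hits = duplicates_in_window(issued, names, now)
    if len(hits) < DUPLICATE_LIMIT:
        return now
    # The oldest of the last DUPLICATE_LIMIT issuances has to leave the window.
    return hits[-DUPLICATE_LIMIT] + WINDOW


# Constructed issuance history: (time, names on the certificate).
PAIR = ["example.com", "www.example.com"]
ISSUED = [
    (utc("2023-05-30T09:00"), PAIR),                       # outside the window
    (utc("2023-06-06T08:00"), PAIR),
    (utc("2023-06-06T08:20"), PAIR),
    (utc("2023-06-06T09:05"), ["www.example.com", "example.com"]),
    (utc("2023-06-07T14:00"), PAIR),
    (utc("2023-06-07T14:30"), ["Example.com", "www.example.com"]),
    (utc("2023-06-07T15:00"), ["example.com"]),            # different set
]
NOW = utc("2023-06-08T12:00")

if __name__ == "__main__":
    for names in (PAIR, ["example.com"]):
        print(sorted(name_set(names)), "->", next_allowed(ISSUED, names, NOW).isoformat())
```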

That depends on your backup strategy - how/where they are backed up and who has access to that.

I often back up private keys and API credentials onto a secure offline repository. For online backups, you can use asymmetrical encryption - having the webserver encrypt and upload the secrets using a Public Key for a Private Key kept offline.

4 Likes

Thank you all very much for the responses :slight_smile: I continued messing around with the certificates yesterday, after I noticed that there were some old certificates in the "archive" folder. Those were not expired, and I made sure that the other references (symlinks?) to the certificates pointed to those. In the end, it worked again! Now to find out why it doesn't automatically renew :slight_smile:

2 Likes
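A check for the hand-edited symlinks described in the post above, as an added example that is not part of the original thread: it verifies that the four links in a certbot `live` directory all resolve to the same numbered version in `archive`, since a certificate link and a key link left on different versions is the usual result of re-pointing them one at a time. It assumes certbot's standard layout (`cert`, `privkey`, `chain`, `fullchain` with a numeric suffix); `build_sample` creates a constructed lineage for example.com with empty files, and expiry or key contents are not inspected.

```python
import os
import re

KINDS = ("cert", "privkey", "chain", "fullchain")


def archive_versions(archive_dir):
    """Versions N for which all four <kind>N.pem files exist in the archive."""
    seen = {}
    for name in os.listdir(archive_dir):
        m = re.fullmatch(r"(cert|privkey|chain|fullchain)(\d+)\.pem", name)
        if m:
            seen.setdefault(int(m.group(2)), set()).add(m.group(1))
    return sorted(n for n, kinds in seen.items() if kinds == set(KINDS))


def live_versions(live_dir):
    """Archive version each live/<kind>.pem resolves to, or None if it does not."""
    out = {}
    for kind in KINDS:
        target = os.path.realpath(os.path.join(live_dir, kind + ".pem"))
        m = re.fullmatch(kind + r"(\d+)\.pem", os.path.basename(target))
        out[kind] = int(m.group(1)) if m and os.path.isfile(target) else None
    return out


def check_lineage(live_dir, archive_dir):
    """Problems found; an empty list means all links agree on one complete version."""
    live = live_versions(live_dir)
    problems = [f"{k}.pem does not resolve to an archive file" for k, v in live.items() if v is None]
    used = sorted({v for v in live.values() if v is not None})
    if len(used) > 1:
        problems.append(f"links mix versions {used}: certificate and key may not match")
    complete = archive_versions(archive_dir)
    problems += [f"archive version {v} is incomplete" for v in used if v not in complete]
    return problems


def build_sample(root, picks):
    """Constructed lineage for example.com: archive versions 1-3, live links per `picks`."""
    archive = os.path.join(root, "archive", "example.com")
    live = os.path.join(root, "live", "example.com")
    os.makedirs(archive)
    os.makedirs(live)
    for n in (1, 2, 3):
        for kind in KINDS:
            open(os.path.join(archive, f"{kind}{n}.pem"), "w").close()
    for kind in KINDS:
        os.symlink(f"../../archive/example.com/{kind}{picks[kind]}.pem", os.path.join(live, kind + ".pem"))
    return live, archive
```

On a real host the two arguments to `check_lineage` would be the lineage's directories under `/etc/letsencrypt/live/` and `/etc/letsencrypt/archive/`.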

@tjipke, please close this topic by choosing a solution.

4 Likes