Domain: redstonemail.com
$ certbot -d redstonemail.com
Output: An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: redstonemail.com: see Rate Limits - Let's Encrypt
Apache 2.4.29
Ubuntu 18.04 LTS (just upgraded from 14 -> 16; 16 -> 18), codero.com
yes to root shell
no control panel
certbot 1.20.0
I have the ISRG Root X1 in as fullchain.pem. Which must I use as my cert.pem on non-windows systems?
What is the best way to force expire SSLs? My first instinct is to manipulate the file system directly, but that has never yielded any successful results.
Use fullchain.pem when software asks for a certificate: it's a combination of cert.pem and chain.pem.
How do you mean? There is nothing to force if a certificate has already expired. The only thing to do is to renew the certificate without forcing anything.
That file is incomplete: it's just the R3 intermediate and it's missing an actual end leaf certificate (i.e.: the certificate for your site).
Please use one of the 5 previously issued certificates (http://crt.sh/?q=redstonemail.com&deduplicate=y) you didn't revoke already. For example, the cert with serial number 03:9a:0b:5d:19:7d:f9:be:44:32:7e:ae:1a:b0:58:74:fd:85 (crt.sh | 5359745032) seems to be fine.
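The three answers above come down to one check: open the file Apache is pointed at and confirm that the first certificate in it is a leaf for the site, that it has not expired, and that each following certificate is the issuer of the one before it. The script below is an added example (not from this thread, not part of certbot) that performs that check with only the Python standard library, decoding just the DER fields it needs (serial, issuer CN, subject CN, notAfter). The sample inputs are constructed: they are fake certificates carrying only those fields, not real Let's Encrypt certificates, and the serial `03:9a`, the "R3" / "ISRG Root X1" names and the November 2021 "now" are assumptions mirroring the thread. The subject check looks at the CN only; a fuller audit would also read the SAN extension.

```python
import base64
import re
from datetime import datetime, timezone

CN_OID = b"\x55\x04\x03"   # id-at-commonName (2.5.4.3)

def der(tag, body):
    """Encode one DER TLV; only used to build the constructed sample certs below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Every TLV directly inside a SEQUENCE or SET body."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def name_cn(name_body):
    """commonName from an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == CN_OID:
                return value.decode("ascii")
    return None

def parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def describe_cert(der_bytes):
    """Serial, issuer CN, subject CN and notAfter of one DER-encoded certificate."""
    _, cert, _ = read_tlv(der_bytes, 0)    # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = read_tlv(cert, 0)          # TBSCertificate ::= SEQUENCE { ... }
    fields = children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    serial, _sig_alg, issuer, validity, subject = fields[:5]
    _not_before, not_after = [parse_time(t, v) for t, v in children(validity[1])]
    return {"serial": ":".join(f"{b:02x}" for b in serial[1]),
            "issuer": name_cn(issuer[1]),
            "subject": name_cn(subject[1]),
            "not_after": not_after}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def audit_bundle(pem_text, hostname, now):
    """List what a fullchain.pem contains and why it would not work for hostname."""
    certs = [describe_cert(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)]
    if not certs:
        return {"certs": [], "problems": ["no certificates in file"]}
    problems, leaf = [], certs[0]
    if leaf["subject"] != hostname:        # CN check only; a full check would read SANs too
        problems.append(f"first cert is for '{leaf['subject']}', not a leaf for {hostname}")
    if leaf["not_after"] < now:
        problems.append(f"leaf expired {leaf['not_after']:%Y-%m-%d}")
    for child, parent in zip(certs, certs[1:]):   # each cert must be issued by the next one
        if child["issuer"] != parent["subject"]:
            problems.append(f"'{child['subject']}' was issued by '{child['issuer']}', "
                            f"but the next cert in the file is '{parent['subject']}'")
    return {"certs": certs, "problems": problems}

# --- constructed sample input: NOT real certificates, just the fields inspected above ---

def _name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x13, cn.encode()))))

def fake_cert_pem(subject, issuer, not_after, serial=b"\x03\x9a"):
    sig_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
    validity = der(0x30, der(0x17, b"210901000000Z") + der(0x17, not_after.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + sig_alg
              + _name(issuer) + validity + _name(subject) + der(0x30, b""))  # empty SPKI
    b64 = base64.b64encode(der(0x30, tbs + sig_alg + der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

NOW = datetime(2021, 11, 1, tzinfo=timezone.utc)                     # assumed "today"
R3_ONLY = fake_cert_pem("R3", "ISRG Root X1", "250915160000Z")       # the file from the thread
GOOD_CHAIN = fake_cert_pem("redstonemail.com", "R3", "211230120000Z") + R3_ONLY
EXPIRED_CHAIN = fake_cert_pem("redstonemail.com", "R3", "210915000000Z") + R3_ONLY

if __name__ == "__main__":
    for label, pem in [("R3 only", R3_ONLY), ("good", GOOD_CHAIN), ("expired", EXPIRED_CHAIN)]:
        print(label, audit_bundle(pem, "redstonemail.com", NOW)["problems"])
```

Run against a real file as `audit_bundle(open("/etc/letsencrypt/live/<name>/fullchain.pem").read(), "<name>", datetime.now(timezone.utc))`: an "R3 only" result is exactly the situation described above (intermediate present, leaf missing), and the serial field lets you match what is on disk against the crt.sh listing without needing to order a new certificate.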
As I am sure you can tell from my http://crt.sh/?q=redstonemail.com&deduplicate=y info, I barely know what I am doing. I am using certbot version 1.20.1. I am looking at certbot -h all and am not finding switches that manipulate the file via serial number. My typical renew command looks like:
certbot -d redstonemail.com <--- this currently gives an error. Is there a method for me to use certbot to copy the certificate with serial 03:9a:0b..... into the proper place? Can I copy the file right over the top of the existing certificate, or must I revoke it somehow to clear the cache on the web server? I'm grasping at straws here. Management has been patient, but it is costing us money.
No, the only time you'd need to revoke a cert is if you suspect the private key has been compromised. This will almost never happen, so "revoke the cert" is almost always the wrong answer to whatever the question is.
The following renewal configurations were invalid:
/etc/letsencrypt/renewal/breezeloans.rsmail.com.conf
/etc/letsencrypt/renewal/demo.tagquest.com-0001.conf
/etc/letsencrypt/renewal/demo.tagquest.com.conf
/etc/letsencrypt/renewal/leadmanager.saltcreekmedia.com.conf
/etc/letsencrypt/renewal/leadmanager.thedatasuite.net.conf
/etc/letsencrypt/renewal/redstonemail.com-0002.conf
/etc/letsencrypt/renewal/redstonemail.com-0005.conf
/etc/letsencrypt/renewal/redstonemail.com-0006.conf
/etc/letsencrypt/renewal/silverlakefunding.loan.conf
I concur that it has become an overgrown jungle. I have been subscribed to your forum since we beta tested back in 2015? 16? I have had many questions on variable SSL (we had them working once; then certbot updated and our sites broke, after which the configtest was implemented).
The certbot certificates command was completely new to me. I always knew that things were twisted, and I have been manipulating things at the file system level at times. I have tried to manually go in and reconcile this mess... but have broken things along the way.
The problem with being self-taught is that I do not know what I do not know, and this SSL seems a dark art at this moment. I am capable on the command line; with instruction I can fix it.
Is there a way that I can someday take this whole thing offline and create a proper thing? When I run certbot certificates there have been many times that I have issued an SSL certificate but it expires 2 days later; I am pretty sure that the mess in there is the cause.
I have wanted/attempted to clean it out. As you can see there are many sites involved. I have not found any literature on how to reconcile an abuse of certificates issued in this manner...
Side question: Would this mixed-up setup cause a wildcard SSL certificate not to function as advertised?
I really appreciate your time!
EDIT
Does the quick fix require the server to be rebooted?
Is there something I must do to the "Expired Certificates" so that they no longer register?
This week we are learning that the adage "If it is not broke, don't fix it" can leave you stranded in the weeds. "You didn't get the memo?"
Cool beans. I can write a python script to scrape the directories that are now expired. That certbot certificates is a cool command.
root@saltcreekmedia:/etc/apache2/sites-available# vi mvp.redstonemail.com-le-ssl.conf
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com
    ServerAdmin webmaster@localhost
    ServerName redstonemail.com
    ServerAlias www.redstonemail.com
    ServerAlias rsmail.com
    ServerAlias www.rsmail.com
    DocumentRoot /var/www/html/mvp.redstonemail.com
    # Redirect permanent "https://(.*).slgmortgage.info" "http://$1.slgmortgage.info"
    Redirect permanent / http://redstonemail.com/
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/mvp.redstonemail.com.error.log
    CustomLog ${APACHE_LOG_DIR}/mvp.redstonemail.com.access.log combined
    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory /var/www/html/mvp.redstonemail.com>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order Allow,Deny
        Allow from all
    </Directory>
    <Directory /var/www/html/mvp.redstonemail.com/app/webroot/>
        Options -Indexes
    </Directory>
    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    RewriteEngine on
    ## Some rewrite rules in this file were disabled on your HTTPS site,
    ## because they have the potential to create redirection loops.
    #
    RewriteCond %{SERVER_NAME} =www.redstonemail.com [OR]
    RewriteCond %{SERVER_NAME} =redstonemail.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>
I am looking at the apache config files now and they are not listing the certs. Is there a default command in apache2 that I can issue in an apache .conf or -le-ssl.conf file?
I have 238 apache config files, approximately 119 unique sites. Earlier today I could see what path the SSL certificates were using, e.g. /etc/letsencrypt/archive/../.. Those entries are no longer in my apache config files.