Rate limited: Error creating new order :: too many certificates (5) already issued for this exact set of domains

That did the trick! I am able to copy files to my webserver again. SSL still not working. I have never even been in that file before.

I have maybe solved this.... Is the following proper? (I used redstonemail.com:443 as my domain and had similar results)

# openssl s_client -tls1_2 -connect test.sockettools.com:443
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
verify return:1
depth=0 CN = *.sockettools.com
verify return:1
---
Certificate chain
 0 s:CN = *.sockettools.com
   i:C = US, O = DigiCert Inc, CN = RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
 1 s:C = US, O = DigiCert Inc, CN = RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGGzCCBQOgAwIBAgIQCuNoL5KRUAjsybH1r/99lTANBgkqhkiG9w0BAQsFADBZ
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTMwMQYDVQQDEypS
YXBpZFNTTCBUTFMgRFYgUlNBIE1peGVkIFNIQTI1NiAyMDIwIENBLTEwHhcNMjEw
MzA4MDAwMDAwWhcNMjIwNDA4MjM1OTU5WjAcMRowGAYDVQQDDBEqLnNvY2tldHRv
b2xzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSiOd9IF1ua
3Zw3Dpmeqq/uodazWerXQqLWMlUFwHNmvpYSp7vVY4Pfv9wLfsyEn18t1k4EH1bC
yXIbBIwkpKM4DfrpPgKXpquEwYEy2HNfcmyhZZA9/emDDja254A5SfM15WexnY7h
9JQF3LPilWseQg8w+zywM8WNS++jGrLKzF1g7PT4KBFsuYeWXAvhvcsOx/7D30h9
qe8Xtn3vEVBn//qW+uP1pWX7+gbU+op8RsUY/Mp7bps5w8C54ub4zbzYD5odUe74
DnkoTmitfRgoPWuRAbL4YP8YssFbHitkp5lzi2GUUdqtlpBTS12JFDxXuiKvP+LV
oGsP9od60yUCAwEAAaOCAxowggMWMB8GA1UdIwQYMBaAFKSN5b58eeRwI20uKTSt
I1jc9TF/MB0GA1UdDgQWBBSKD/ZtjP0Ppk2zCx2F/VXZl77JJTAtBgNVHREEJjAk
ghEqLnNvY2tldHRvb2xzLmNvbYIPc29ja2V0dG9vbHMuY29tMA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwgZsGA1UdHwSBkzCB
kDBGoESgQoZAaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL1JhcGlkU1NMVExTRFZS
U0FNaXhlZFNIQTI1NjIwMjBDQS0xLmNybDBGoESgQoZAaHR0cDovL2NybDQuZGln
aWNlcnQuY29tL1JhcGlkU1NMVExTRFZSU0FNaXhlZFNIQTI1NjIwMjBDQS0xLmNy
bDA+BgNVHSAENzA1MDMGBmeBDAECATApMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3
LmRpZ2ljZXJ0LmNvbS9DUFMwgYUGCCsGAQUFBwEBBHkwdzAkBggrBgEFBQcwAYYY
aHR0cDovL29jc3AuZGlnaWNlcnQuY29tME8GCCsGAQUFBzAChkNodHRwOi8vY2Fj
ZXJ0cy5kaWdpY2VydC5jb20vUmFwaWRTU0xUTFNEVlJTQU1peGVkU0hBMjU2MjAy
MENBLTEuY3J0MAkGA1UdEwQCMAAwggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdQBG
pVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAXgT4DG/AAAEAwBGMEQC
IAqVL0zEFgWE9gPa7/a6cbd9Shes0vEK5dlaHtsjwiW4AiBCxvQWEST5Q11yIFh3
4cG2p0WajpGxe/795aa2qZpL/AB2ACJFRQdZVSRWlj+hL/H3bYbgIyZjrcBLf13G
g1xu4g8CAAABeBPgMcwAAAQDAEcwRQIgRZfMsthLAIrJiHJadjsgpAcS2FVMq7Gc
vYVwPfclkx8CIQDhAdg1OnZbmes1nGThohxxN0u2d4x/6EASO0DIpoW2vDANBgkq
hkiG9w0BAQsFAAOCAQEAafBObl15sae12Df7i0ZvG8c/LdTV894Q3lIe8OMxAoB7
7w5tj1SwnRKFczLw3z14eSFyVQBcXSWH40DDXWzk2h02ixd4PqETJfpuXpMsY3xR
F5Zsp/KdxTkK2ej9CZgVgdKTUWCsm/kx945Uy9zvnZPCZRy4ZQwqAJwpIOkMRIVu
yLi3Gg1mWgxqJxG6ZohVg16tBsQsttGeuEP5ry9KJ8U4OFanbapDN+l08I6BMidj
8bE7J1wersEIAm9nR0m7ZT8xL4Kn6H7YlPfnmlH7q8FWNI4a2U5e94LJ5g7ZBVc4
w4GjK3JkNfNGOnVofExNLy/nl4nuvZslf7menZAfxQ==
-----END CERTIFICATE-----
subject=CN = *.sockettools.com

issuer=C = US, O = DigiCert Inc, CN = RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3628 bytes and written 316 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 6AB66FE6271DE030C87115D362D239CBF87E8FF77BA8C414B628784AADD235A3
    Session-ID-ctx:
    Master-Key: 98B624C4D328D7471F9CE3319ECA1BE96B02E0540720460B24E1C0C39733C75058F69451E26C1FD6A7733BE53F5D9103
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - a7 d7 0e 1c c0 16 8e 36-64 f1 43 98 36 fc 1c f7   .......6d.C.6...
    0010 - 9f f1 7c 7a ba ee 33 f3-e0 f2 57 14 6f 84 f1 9f   ..|z..3...W.o...
    0020 - cc fe cd e6 83 35 47 12-1b b9 04 c9 1d c0 06 25   .....5G........%
    0030 - 52 39 de 40 20 55 a5 39-6d 9b 7f 49 54 10 59 77   R9.@ U.9m..IT.Yw
    0040 - c4 39 57 ea bb 00 d8 8c-46 a0 19 a6 cb 9e 4a 1d   .9W.....F.....J.
    0050 - 16 f8 38 7c 63 fa 75 aa-ea 1a e7 16 e3 1b da 7b   ..8|c.u........{
    0060 - b3 63 ab b7 8b c6 23 13-4b ef ff 04 e8 3d 85 1d   .c....#.K....=..
    0070 - fd ef 17 54 d8 53 7e e5-37 00 2f 65 e9 13 42 4d   ...T.S~.7./e..BM
    0080 - 48 9f 88 59 4c 48 51 38-b7 e2 7b a3 2a 9c c0 45   H..YLHQ8..{.*..E
    0090 - 29 b3 b9 88 8f 38 23 c0-b2 b7 99 8d 7c 75 c5 79   )....8#.....|u.y
    00a0 - 93 5c 8f e1 5d 7b 52 0b-34 bb 5c 29 e3 58 9e 43   .\..]{R.4.\).X.C
    00b0 - 12 90 ad 30 7e 69 b0 91-35 73 e3 a2 ae b8 3b 44   ...0~i..5s....;D
    00c0 - e1 37 49 f1 fe ed d3 af-80 a1 ae bd 51 1f b4 3f   .7I.........Q..?
    00d0 - c2 e1 ec d8 ca d1 12 46-cb ce 1e ce 2f ba fa d8   .......F..../...

    Start Time: 1633638795
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

From SSL Labs I had the following:

Path #1: Trusted
1	Sent by server	redstonemail.com
Fingerprint SHA256: a9d01b2b9b62775aad31c987f2e7330544292b6d98aca9af8f6145f325853101
Pin SHA256: S6za4w3CordthXlSg2R/54Dct7AqyaxVzx6j/iEZjwA=
RSA 2048 bits (e 65537) / SHA256withRSA
2	Sent by server	R3
Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
RSA 2048 bits (e 65537) / SHA256withRSA
3	In trust store	ISRG Root X1   Self-signed
Fingerprint SHA256: 96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
Pin SHA256: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
RSA 4096 bits (e 65537) / SHA256withRSA
Path #2: Not trusted (invalid certificate [Fingerprint SHA256: 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739])
1	Sent by server	redstonemail.com
Fingerprint SHA256: a9d01b2b9b62775aad31c987f2e7330544292b6d98aca9af8f6145f325853101
Pin SHA256: S6za4w3CordthXlSg2R/54Dct7AqyaxVzx6j/iEZjwA=
RSA 2048 bits (e 65537) / SHA256withRSA
2	Sent by server	R3
Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
RSA 2048 bits (e 65537) / SHA256withRSA
3	Sent by server	ISRG Root X1
Fingerprint SHA256: 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
Pin SHA256: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
RSA 4096 bits (e 65537) / SHA256withRSA
4	In trust store	DST Root CA X3   Self-signed
Fingerprint SHA256: 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
RSA 2048 bits (e 65537) / SHA1withRSA
Valid until: Thu, 30 Sep 2021 14:01:15 UTC
EXPIRED
Weak or insecure signature, but no impact on root certificate

Is the 2nd chain going to affect my ability to connect to remote secure connections?

^TYPO^

Sorry, I have been up a long time.

:confused:
The chain provided as a server is not relevant when that server connects to others as a client.

I know the feeling :+1: :coffee: :candy:
[Been there + Done that]

So technically things should be working now? Correct?

Maybe...
Some systems may not like seeing the X3 (expired cert) in the chain.
If you are not serving any older Android devices, you are probably better off with the shorter chain.

openssl s_client -connect redstonemail.com:443 -servername redstonemail.com | head -n 22
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = redstonemail.com
verify return:1
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = redstonemail.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN = redstonemail.com
   i:C = US, O = Let's Encrypt, CN = R3
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Now that's:

leaf > R3
R3 > X1
X1 > X3

You could just use:

leaf > R3
R3 > X1

lol .... so edit the .pem file?
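Added example, not code posted by anyone in the thread: a POSIX shell script that does what the two posts above describe. chain_findings reads the "Certificate chain" listing that openssl s_client prints and flags a duplicated leaf or a chain that ends in the ISRG Root X1 cross-signed by the expired DST Root CA X3; trim_chain rewrites a fullchain.pem without those certificates so the server sends leaf > R3 > X1. The hostname in the usage comments is the thread's; the /etc/letsencrypt/live/... path is certbot's default and is an assumption, as is the output file name.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread. Two helpers for the
# problem above: read the "Certificate chain" listing that openssl s_client
# prints and flag a duplicated leaf or a chain ending in the ISRG Root X1 that
# is cross-signed by the expired DST Root CA X3, then rewrite a fullchain.pem
# without those certificates. trim_chain needs the openssl binary; paths in
# the usage comments are assumptions, not anything the thread states.
set -eu

# chain_summary: stdin is openssl s_client output. Prints one tab-separated
# line per certificate the server sent: position, subject, issuer.
chain_summary() {
    awk '
        /^Certificate chain/        { inchain = 1; next }
        inchain && /^---/           { inchain = 0 }
        inchain && /^ *[0-9]+ s:/   { pos = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        inchain && /^ *i:/          { sub(/^ *i:/, ""); print pos "\t" subj "\t" $0 }
    '
}

# chain_findings: stdin as above. One line per problem, or one "looks fine"
# line; exit status 1 when the served chain should be changed.
chain_findings() {
    chain_summary | awk -F'\t' '
        { n++; pos[n] = $1; subj[n] = $2; iss[n] = $3 }
        END {
            bad = 0
            if (n == 0) { print "no Certificate chain section in input"; exit 1 }
            for (i = 2; i <= n; i++)
                if (subj[i] == subj[i-1] && iss[i] == iss[i-1]) {
                    print "position " pos[i] " repeats position " pos[i-1] " (" subj[i] "): remove the duplicate"
                    bad = 1
                }
            if (iss[n] ~ /DST Root CA X3/) {
                print "position " pos[n] " is ISRG Root X1 cross-signed by the expired DST Root CA X3: drop it unless old Android clients must be served"
                bad = 1
            }
            if (!bad) print "chain looks fine: " n " certificates, no duplicates, no DST Root CA X3 cross-sign"
            exit bad
        }'
}

# trim_chain BUNDLE OUT [PATTERN]: copy BUNDLE to OUT in order, skipping exact
# duplicates and any certificate whose issuer contains PATTERN. The default
# pattern removes the cross-signed ISRG Root X1 (and DST Root CA X3 itself,
# whose issuer is also DST Root CA X3, should a bundle carry it).
trim_chain() {
    bundle=$1; out=$2; pattern=${3:-DST Root CA X3}
    tmp=$(mktemp -d)
    # one numbered file per PEM block, in bundle order
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/%03d.pem", dir, n++) }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$bundle"
    : > "$out"
    seen=""
    for f in "$tmp"/*.pem; do
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2)
        subject=$(openssl x509 -in "$f" -noout -subject)
        issuer=$(openssl x509 -in "$f" -noout -issuer)
        case " $seen " in
            *" $fp "*) echo "skip duplicate: $subject" >&2; continue ;;
        esac
        seen="$seen $fp"
        case "$issuer" in
            *"$pattern"*) echo "skip cert issued by '$pattern': $subject" >&2; continue ;;
        esac
        cat "$f" >> "$out"
    done
    rm -rf "$tmp"
    echo "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$out") certificate(s) written to $out" >&2
}

# Usage (hostname from the thread; the certbot path is an assumption):
#   openssl s_client -connect redstonemail.com:443 -servername redstonemail.com \
#       </dev/null 2>/dev/null | chain_findings
#   trim_chain /etc/letsencrypt/live/redstonemail.com/fullchain.pem /tmp/short.pem
```

The leaf stays first, which is what web servers require, and the split and de-duplication use only awk and case so the script runs unchanged on the 18.04 box in the thread. Point the web server at the trimmed file (or replace fullchain.pem with it, remembering that certbot will rewrite fullchain.pem on the next renewal unless its --preferred-chain option is used instead).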

openssl s_client -tls1_2 -connect app.allocadence.com:443 seems to connect; however, using an HttpSocket it does not. Must the HttpSocket have a specific option enabled?

Which version of OpenSSL does that client use?
Does the socket rely on PHP or any other program specific libraries?
Does that HttpSocket program have any updates/patches?

OpenSSL 1.1.1 11 Sep 2018.
Yes, I am running this through the CakePHP framework. Looking inside the Socket function for the framework I found:

    /**
     * Contains all the encryption methods available
     *
     * @var array
     */
    protected $_encryptMethods = array(
        // @codingStandardsIgnoreStart
        // The sslv2_*/sslv3_* entries are legacy: current OpenSSL builds have
        // those protocols removed or disabled, so only the tls_* entries and
        // the sslv23_* ones (negotiate the highest version both sides support)
        // are usable.
        'sslv2_client' => STREAM_CRYPTO_METHOD_SSLv2_CLIENT,
        'sslv3_client' => STREAM_CRYPTO_METHOD_SSLv3_CLIENT,
        'sslv23_client' => STREAM_CRYPTO_METHOD_SSLv23_CLIENT,
        'tls_client' => STREAM_CRYPTO_METHOD_TLS_CLIENT,
        'sslv2_server' => STREAM_CRYPTO_METHOD_SSLv2_SERVER,
        'sslv3_server' => STREAM_CRYPTO_METHOD_SSLv3_SERVER,
        'sslv23_server' => STREAM_CRYPTO_METHOD_SSLv23_SERVER,
        'tls_server' => STREAM_CRYPTO_METHOD_TLS_SERVER
        // @codingStandardsIgnoreEnd
    );

It may need an update.
Might be missing the new X1 cert...
Might be using older/included TLS libraries...

$this->enableCrypto('tls', 'client');

I am running Ubuntu 18 and my packages are up to date. Would the TLS functions in the PHP framework be the same? I upgraded this server from 14->16->18 this past week. Is there some caveat of 18.04 that I am ignorant of? (like the /lib/systemd/system)

Not necessarily.
And I would think not, since it doesn't connect.

No.
Ensure you have it updated.
apt update
apt-get update
[yes both - don't ask]
apt list --upgradable
apt install ca-certificates
upgrade-ca-certificates
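Added example, not code from anyone in the thread, to go with the update steps above (the last command is update-ca-certificates): a POSIX shell script that checks what a client on the box actually trusts once the ca-certificates package is current, and verifies a saved leaf plus its intermediates against that store the way a client library does. It assumes the Ubuntu store layout (/etc/ssl/certs); the host and file names in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread. After the update commands
# above (the last being update-ca-certificates), check what a client on this
# box trusts: is ISRG Root X1 in the store, is the expired DST Root CA X3 still
# there, and does a saved leaf plus its intermediates verify against the store
# the way a client library would. Needs openssl; the Ubuntu store location
# /etc/ssl/certs and all file names are assumptions.
set -eu

# store_has_cn DIR CN: print the first PEM under DIR whose subject CN is CN;
# return 1 if none. RFC2253 output gives "subject=CN=...,O=...,C=..." on every
# OpenSSL version, so the match does not depend on spacing.
store_has_cn() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        if openssl x509 -in "$f" -noout -subject -nameopt RFC2253 2>/dev/null |
            grep -Eq -- "CN=$2"'(,|$)'; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# verify_with_store LEAF CHAIN STORE: STORE is a CA bundle file or a hashed
# directory such as /etc/ssl/certs; CHAIN holds the intermediates the server
# sent. Only STORE is trusted (the default locations are switched off), so a
# failure here means this store, not some other one, lacks the root.
# Exit status is openssl's: 0 means the chain builds to a trusted root.
verify_with_store() {
    if [ -d "$3" ]; then
        openssl verify -no-CAfile -CApath "$3" -untrusted "$2" "$1"
    else
        openssl verify -no-CApath -CAfile "$3" -untrusted "$2" "$1"
    fi
}

# fetch_chain HOST LEAF CHAIN: save what HOST sends on 443, the leaf in LEAF
# and everything after it in CHAIN (needs network; not used by the checks).
fetch_chain() {
    : > "$2"; : > "$3"
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        awk -v leaf="$2" -v chain="$3" '
            /-----BEGIN CERTIFICATE-----/ { n++; inpem = 1 }
            inpem                         { print > (n == 1 ? leaf : chain) }
            /-----END CERTIFICATE-----/   { inpem = 0 }
        '
}

# trust_report STORE_DIR: the questions raised in the thread, answered from
# the local store. Returns 1 when ISRG Root X1 is missing.
trust_report() {
    echo "openssl: $(openssl version)"
    rc=0
    if store_has_cn "$1" "ISRG Root X1" >/dev/null; then
        echo "ISRG Root X1: present, Let's Encrypt chains can verify"
    else
        echo "ISRG Root X1: MISSING, update ca-certificates and run update-ca-certificates"
        rc=1
    fi
    if store_has_cn "$1" "DST Root CA X3" >/dev/null; then
        echo "DST Root CA X3: still present (expired 2021-09-30); OpenSSL 1.0.x clients fail on the long chain"
    else
        echo "DST Root CA X3: not in store"
    fi
    return $rc
}

# Usage (assumed paths; hostname from the thread):
#   trust_report /etc/ssl/certs
#   fetch_chain redstonemail.com /tmp/leaf.pem /tmp/chain.pem
#   verify_with_store /tmp/leaf.pem /tmp/chain.pem /etc/ssl/certs
```

Reading the verify result: "unable to get local issuer certificate" means the store has no ISRG Root X1; "certificate has expired" on the long chain means the client walked the served chain down to DST Root CA X3 instead of stopping at the trusted ISRG Root X1, which OpenSSL 1.0.x does and 1.1.x does not (the openssl binary on the box is 1.1.1, but PHP can be built against a different OpenSSL and point at a different CA file). php -r 'echo OPENSSL_VERSION_TEXT, PHP_EOL;' and php -r 'print_r(openssl_get_cert_locations());' show which library and which store the HttpSocket is really using.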

TYVM, I will look at upgrading the framework..... I appreciate your time. Let me know if your services are for hire! Would probably take you 5 minutes lol.

I'm retired from all this - LOL
You can buy me a beer if you like :beers:


I will buy you a keg if you can get this company up and running again.
Am going to ensure the system is up to date once activity on the server dies down.

You could also try using another completely different trust chain - from one of the other free ACME protocol friendly CAs.
Doing that would tell us more about what the problem might be.

upgrade-ca-certificates

typo

update-ca-certificates
:slight_smile: