Rate-Limited: How to Recover Deleted Certificates?

My newly renewed certificates were removed after a backup, and I could not create a new certificate because of the error:
"Error creating new order :: Too many certificates have already been issued for the exact domain group."

So I need to recover the recently issued certificate. Is there a way to do that?

2 Likes

Welcome to the Let's Encrypt Community 🙂

Did you delete the private keys for all of the certificates you requested?

Renewals are treated specially: they don't count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificates per Registered Domain limit until March 2019, but they don't anymore. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains.

A certificate is considered a renewal (or a duplicate) of an earlier certificate if it contains the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of hostnames by adding [blog.example.com], you would be able to request additional certificates.

Renewal handling ignores the public key and extensions requested. A certificate issuance can be considered a renewal even if you are using a new key.

3 Likes

Thanks!

I deleted all of them. I have the old private keys from 90 days ago; I guess they're not useful?

3 Likes

Nope. Did you make any backups?

3 Likes

Figure out what you did wrong, such that you:

1- issued 5 certificates in the past week for those domains.
2- deleted all your existing certs.

Those are two big problems with your setup. You should not have done either. Address that problem first, because you will otherwise repeat it.

To get around this issue for now:

Inspect /etc/letsencrypt/archive to ensure you do not still have the old certificates available there.

If that does not work:

  1. Try using http://crt.sh/ to see your domain's certificate history; that can help you figure out when the window expires.

  2. You can get around this rate limit by requesting a new certificate with an additional subdomain on it, e.g. just set up foo.example.com and add that to your certificate. You'll be able to get a certificate for that combination.

4 Likes
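The two replies above describe the rule (the same hostname set, ignoring order and capitalization, counted over a sliding one-week window) and two ways out of it (wait for the window, or change the set). The script below is an added example that reconstructs that rule over an issuance history; it is not Let's Encrypt or Boulder code, and the records it uses are constructed to mimic what crt.sh would show for the situation in this thread, not real crt.sh output.

```python
"""Reconstruct Let's Encrypt's duplicate-certificate rate limit from an
issuance history.  Added example, not Let's Encrypt or Boulder code; the
SAMPLE records are constructed, not real crt.sh data."""
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5          # duplicate certificates per exact name set ...
WINDOW = timedelta(days=7)   # ... within a sliding one-week window


def name_key(names):
    """Canonical form of a certificate's hostname set: order and
    capitalization are ignored; key and extensions never enter into it."""
    return frozenset(n.strip().lower() for n in names)


def issuances_for(records, names):
    """Sorted issuance times of every record with exactly this name set."""
    key = name_key(names)
    return sorted(ts for ts, sans in records if name_key(sans) == key)


def recent_issuances(records, names, now):
    """Issuances of this exact name set that still fall inside the window."""
    return [ts for ts in issuances_for(records, names) if now - ts < WINDOW]


def remaining(records, names, now):
    """How many more duplicates can be issued right now (0 when limited)."""
    return max(0, DUPLICATE_LIMIT - len(recent_issuances(records, names, now)))


def next_allowed(records, names, now):
    """Earliest time a certificate for exactly `names` can be issued again.
    The window slides, so the limit lifts once enough recent issuances are
    older than WINDOW: when the (len - LIMIT)-th oldest one ages out."""
    recent = recent_issuances(records, names, now)
    if len(recent) < DUPLICATE_LIMIT:
        return now
    return recent[len(recent) - DUPLICATE_LIMIT] + WINDOW


# Constructed history: ten identical issuances in one morning (the "x10
# times" from the thread), the routine renewal ~90 days earlier, and one
# unrelated certificate that must not be counted.
NOW = datetime(2021, 5, 20, 12, 0)
WILDCARD_SET = ["example.com", "*.example.com"]
SAMPLE = [
    (datetime(2021, 5, 19, 10, 0) + timedelta(minutes=10 * i),
     ["*.example.com", "Example.com"])            # same set, different case/order
    for i in range(10)
] + [
    (datetime(2021, 2, 18, 9, 0), WILDCARD_SET),  # previous renewal, outside window
    (datetime(2021, 5, 19, 11, 0), ["www.example.com"]),  # different name set
]


if __name__ == "__main__":
    for names in (WILDCARD_SET, WILDCARD_SET + ["foo.example.com"]):
        print(sorted(name_key(names)),
              "remaining:", remaining(SAMPLE, names, NOW),
              "next allowed:", next_allowed(SAMPLE, names, NOW))
```

When feeding it real crt.sh rows, deduplicate precertificate/leaf pairs first (crt.sh lists both for each issuance, Let's Encrypt counts one), and remember that Boulder computes the window server-side, so treat the result as an estimate. The second name set in the demo is the workaround from step 2: adding foo.example.com yields a set with no history, so it is issuable immediately.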

Yes, but the last backup was made two days ago, with the expired certificate.

2 Likes

There is no path /etc/letsencrypt/archive on my server, and I'm sure I removed all newly issued certificates.

The problem is the wildcard certificate; as I understand it, it only accepts domain.tld and *.domain.tld.

2 Likes

Did you use Certbot or something else? What version of the software? If you use Certbot, the live/active certs are just symlinks to an archive. Many times, people delete those but the actual certs are still on the machine.

For a wildcard certificate to work properly, you need to have both the "bare" domain and the wildcard domain on it (because the wildcard does not work on the bare domain).

But, you can have any mix of domains on a cert. I've had ones with multiple domains and a wildcard on it.

If you request a new cert for:

  • domain.tld
  • *.domain.tld
  • foo.domain.tld

It should bypass the restriction you are facing. There is a small chance Boulder (the system that runs Let's Encrypt's API) will not like an order with both *.domain.tld and foo.domain.tld on it, but I haven't heard of that before.

3 Likes
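The reply above makes the point that Certbot's live/ entries are only symlinks into archive/, so deleting them does not delete the certificates. The script below is an added example (not Certbot's own code) that checks which archived versions of a lineage are still complete and recreates the live/ links the way Certbot lays them out. It assumes Certbot's documented layout, archive/<lineage>/{cert,chain,fullchain,privkey}N.pem with live/<lineage>/*.pem as relative symlinks ../../archive/<lineage>/…N.pem, and builds a constructed throw-away tree instead of touching /etc/letsencrypt. On a real system, `certbot update_symlinks` is the supported way to do the last step.

```python
"""Find a Certbot lineage's archived certificate versions and rebuild the
live/ symlinks.  Added example, not Certbot code.  Assumes Certbot's
layout (archive/<lineage>/<component><N>.pem, live/ as relative links);
the demo tree is constructed, not a real /etc/letsencrypt."""
import os
import re
import tempfile

COMPONENTS = ("cert", "chain", "fullchain", "privkey")
VERSION_RE = re.compile(r"^(cert|chain|fullchain|privkey)(\d+)\.pem$")


def archive_versions(config_dir, lineage):
    """Map archive version number -> set of components present for it."""
    path = os.path.join(config_dir, "archive", lineage)
    found = {}
    if not os.path.isdir(path):
        return found
    for entry in os.listdir(path):
        m = VERSION_RE.match(entry)
        if m:
            found.setdefault(int(m.group(2)), set()).add(m.group(1))
    return found


def newest_complete_version(config_dir, lineage):
    """Highest version that has all four files, or None.  A version with
    only some files (an interrupted renewal) must not be pointed at."""
    complete = [v for v, parts in archive_versions(config_dir, lineage).items()
                if parts == set(COMPONENTS)]
    return max(complete) if complete else None


def live_targets(config_dir, lineage):
    """Resolved target of each live/<lineage>/*.pem link (None if missing)."""
    live = os.path.join(config_dir, "live", lineage)
    return {c: (os.path.realpath(os.path.join(live, c + ".pem"))
                if os.path.lexists(os.path.join(live, c + ".pem")) else None)
            for c in COMPONENTS}


def rebuild_live_links(config_dir, lineage, version):
    """Recreate the live/ links as relative symlinks into archive/, the
    same shape Certbot writes, pointing at `version`."""
    live = os.path.join(config_dir, "live", lineage)
    os.makedirs(live, exist_ok=True)
    for c in COMPONENTS:
        link = os.path.join(live, c + ".pem")
        if os.path.lexists(link):
            os.remove(link)
        os.symlink(os.path.join("..", "..", "archive", lineage, f"{c}{version}.pem"), link)
    return live_targets(config_dir, lineage)


def build_demo_tree():
    """Constructed layout: versions 1 and 2 complete, version 3 half-written,
    and no live/ directory at all (the operator deleted it)."""
    root = tempfile.mkdtemp(prefix="le-demo-")
    arch = os.path.join(root, "archive", "example.com")
    os.makedirs(arch)
    for v, parts in ((1, COMPONENTS), (2, COMPONENTS), (3, ("cert",))):
        for c in parts:
            with open(os.path.join(arch, f"{c}{v}.pem"), "w") as fh:
                fh.write(f"-----BEGIN PLACEHOLDER {c} v{v}-----\n")  # not a real PEM
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    lineage = "example.com"
    print("archive versions:", archive_versions(root, lineage))
    print("live before:", live_targets(root, lineage))
    best = newest_complete_version(root, lineage)
    print("live after rebuild to v%s:" % best, rebuild_live_links(root, lineage, best))
```

Once the links are back, verify the recovered certificate before reloading the web server (for example with `openssl x509 -in live/<lineage>/cert.pem -noout -dates -ext subjectAltName`) so you do not re-serve the expired one.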

But again I should stress - you need to figure out how/why your system requested 5 identical certificates in the past week. There is an error in your automatic systems, your server administration, or how you are leveraging LetsEncrypt.

You should not be experiencing this problem. Adding a domain to a cert is a temporary workaround to get your system back online, until you can fix this.

4 Likes

I use ACME v2 on CentOS 7 according to this tutorial:

OK, before, it did not work because I tried another order: foo.domain.tld and *.domain.tld.

Because my system does not support wildcards, I usually work with DNS in manual mode, and this time, after I set up the newly issued certificates, the site still worked with the old expired certificate (maybe because of caching; I still haven't figured it out), so I repeated my actions within one day, ten times according to https://crt.sh/.

2 Likes

I'm not sure about this.

You probably didn't restart your webserver after acquiring the new certificate, which is a common oversight in "manual mode".

3 Likes

Oh sorry, I forgot to specify that it is CWP7 on CentOS 7 that does not support wildcards, not CentOS 7 itself.

You are probably right! Thanks!!

3 Likes
