Rate limited without requests

rhal1 · November 6, 2023, 9:01am

Hi.

I have a strange issue. My certificate expired and when requesting a new one I was rate limited:

# certbot renew --cert-name mail.hallinet.se

Failed to renew certificate mail.hallinet.se with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: mail.hallinet.se, retry after 2023-11-07T00:47:37Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/

This is the first time requesting a renewal for that specific domain. I only have one certificate installed and it was created 2023-08-07.

My first thought was that maybe my auto-renewal messed something up. So I disabled it and waited until the next day(today) and tried again, but was still rate limited.

What could cause this rate limit?

orangepizza · November 6, 2023, 9:10am

there are a dozen of certificates issued every 2 days: what happened to them?

rhal1 · November 6, 2023, 11:09am

I don't know. I've been using crontab running:

20 00 * * 7 /usr/bin/certbot renew --quiet

and never had any issues. This is the first time this specific certificate had required a renewal.

Trying to look through the logs:

2023-10-08 10:51:14,363:ERROR:certbot._internal.renewal:Failed to renew certificate mail.hallinet.se with error: [Errno 17] File exists: '/etc/letsencrypt/archive/mail.hallinet.se/privkey2.pem'
2023-10-08 10:51:14,368:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 475, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1386, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 122, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 341, in renew_cert
    lineage.save_successor(prior_version, new_cert, new_key.pem, new_chain, config)
  File "/usr/lib/python3/dist-packages/certbot/_internal/storage.py", line 1139, in save_successor
    with util.safe_open(target["privkey"], "wb", chmod=BASE_PRIVKEY_MODE) as f:
  File "/usr/lib/python3/dist-packages/certbot/util.py", line 224, in safe_open
    fd = filesystem.open(path, os.O_CREAT | os.O_EXCL | os.O_RDWR, *open_args)
  File "/usr/lib/python3/dist-packages/certbot/compat/filesystem.py", line 208, in open
    return os.open(file_path, flags, mode)
FileExistsError: [Errno 17] File exists: '/etc/letsencrypt/archive/mail.hallinet.se/privkey2.pem'

After that it seems that the script kept running, requesting certificates at random times during the day. But no certificate files were stored anywhere.

Now I have removed the line in crontab and deleted the certificate. That should stop the requests unless someone else is somehow requesting certificates for my domain.

The weird thing is that I removed the crontab line yesterday and was still rate limited today.

webprofusion · November 6, 2023, 11:21am

Looks like it's failing to write the new private key file, so the failure counts as a failed attempt overall. It might be caused by running certbot from different accounts? Might want to check all the required accounts have write permissions for the symlinks and files.

system · December 6, 2023, 11:22am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.