Ratelimited immediately


#1

Hi. I have used letsencrypt before for my site. (https://b.myconfidant.com) I was just revamping it to use the new greenlock-express (https://git.daplie.com/Daplie/greenlock-express).
I had everything using the staging server until I got the new configuration working.
Then I switched to the prod server.
After switching to use the prod letsencrypt server, my site was still serving the fake certificate.
I deleted my letsencrypt certs and restarted my server.
Now it says I am rate limited.

{ type: 'urn:acme:error:rateLimited',
detail: 'Error creating new cert :: Too many certificates already issued for exact set of domains: b.myconfidant.com',
status: 429 }

How could I have possibly hit the rate limit? The max number of requests I could have sent is 2.


#2

The rate limit is 5 (or possibly 6) identical certificates over a rolling 7 day period:

https://letsencrypt.org/docs/rate-limits/

A number of certificates were issued for that exact set of names earlier this week:

https://crt.sh/?q=b.myconfidant.com

Indeed, some of them were issued moments apart.

There are also 15 or 20 other certificates issued in February that are still valid.

You should figure out how so many certificates were created, where they’ve gone, and how to avoid this in the future.

Maybe your staging environment should be using staging certificates instead of real ones? Or it issues a new certificate every deployment instead of saving them?

The best solution would be to find one of the old private keys and continue using it. (If you’ve lost the matching certificate itself, you can download it from one of the links above.)

If they’re all gone, this sounds silly, but you can evade the “identical set of names” rate limit by issuing a new certificate with b.myconfidant.com plus another name. It doesn’t have to be useful, just valid. useless-subdomain.myconfidant.com would work, if you set it up. Or anything else.
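An added example (not from the thread, greenlock, or Let's Encrypt) of the check the reply above suggests: count the distinct issuances for an exact set of names in the rolling 7-day window from crt.sh data, deduplicating the precertificate/certificate pairs crt.sh lists separately, and show that adding a second name lands in a different bucket. The record shape (`name_value`, `serial_number`, `not_before`) assumes crt.sh's `output=json` format, and all dates and serials are constructed.

```python
import json
from datetime import datetime, timedelta

# Let's Encrypt's "exact set of names" (duplicate certificate) limit as stated in the
# thread: 5 per rolling 7-day window.
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)

def _entry(cid, serial, names, not_before):
    # Shape assumed for one record of crt.sh's JSON output (https://crt.sh/?q=<name>&output=json):
    # name_value holds the SANs separated by newlines. Constructed sample data, not real certs.
    return {"id": cid, "serial_number": serial, "name_value": "\n".join(names),
            "not_before": not_before, "issuer_name": "CN=Let's Encrypt Authority X3 (constructed)"}

SAMPLE_CRTSH_JSON = json.dumps([
    _entry(1, "03a1", ["b.myconfidant.com"], "2018-03-12T10:00:00"),
    # a precertificate and its final certificate share a serial: crt.sh lists both, LE counts one
    _entry(2, "03a1", ["b.myconfidant.com"], "2018-03-12T10:00:00"),
    _entry(3, "03a2", ["b.myconfidant.com"], "2018-03-12T10:00:05"),  # "moments apart"
    _entry(4, "03a3", ["b.myconfidant.com"], "2018-03-13T08:30:00"),
    _entry(5, "03a4", ["b.myconfidant.com"], "2018-03-14T09:00:00"),
    _entry(6, "03a5", ["b.myconfidant.com"], "2018-02-20T12:00:00"),  # outside the 7-day window
    # a different set of names is a different rate-limit bucket
    _entry(7, "03a6", ["b.myconfidant.com", "useless-subdomain.myconfidant.com"], "2018-03-14T12:00:00"),
])
SAMPLE_NOW = datetime(2018, 3, 15, 12, 0, 0)  # constructed "current time" for the sample

def recent_duplicates(crtsh_json, names, now):
    """Return [(serial, not_before)] of distinct issuances for exactly `names` in the last 7 days."""
    wanted = frozenset(n.lower() for n in names)
    seen = {}
    for rec in json.loads(crtsh_json):
        sans = frozenset(s.strip().lower() for s in rec["name_value"].split("\n") if s.strip())
        if sans != wanted:
            continue
        issued = datetime.fromisoformat(rec["not_before"])
        if issued <= now and now - issued <= WINDOW:
            seen.setdefault(rec["serial_number"], issued)  # dedupe precert + cert by serial
    return sorted(seen.items(), key=lambda kv: kv[1])

def remaining_duplicates(crtsh_json, names, now):
    """How many more certificates for exactly `names` fit under the limit right now."""
    return max(0, DUPLICATE_LIMIT - len(recent_duplicates(crtsh_json, names, now)))

if __name__ == "__main__":
    names = ["b.myconfidant.com"]
    for serial, issued in recent_duplicates(SAMPLE_CRTSH_JSON, names, SAMPLE_NOW):
        print(f"{issued:%Y-%m-%d %H:%M:%S}  serial {serial}")
    print("remaining before rate limit:", remaining_duplicates(SAMPLE_CRTSH_JSON, names, SAMPLE_NOW))
```

For a live check, fetch the crt.sh JSON for the name and pass the response body in; crt.sh lags the CT logs by a little, so treat the count as a lower bound, not proof that a request will succeed.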


#3

Wow thank you for that wealth of information, and showing crt.sh to me. Now I know I can check that in the future.

This is quite strange behavior. I only have one box running this server, and I hadn’t touched it in a month until today. Must be a bug in the underlying certificate management software I am using. I’m just learning how all this works. Thanks again for your help.

-Kelly

