Reach rate limit?

My domain is:

I ran this command:
certbot renew --quiet --no-self-upgrade

It produced this output:
Attempting to renew cert (git.patrikdufresne.com) from /etc/letsencrypt/renewal/git.patrikdufresne.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: git.patrikdufresne.com: see https://letsencrypt.org/docs/rate-limits/. Skipping.
Attempting to renew cert (demo.patrikdufresne.com) from /etc/letsencrypt/renewal/demo.patrikdufresne.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: demo.patrikdufresne.com: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/git.patrikdufresne.com/fullchain.pem (failure)
/etc/letsencrypt/live/demo.patrikdufresne.com/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)

My web server is (include version):
apache2 2.4.25-3+deb9u9

The operating system my web server runs on is (include version):
Debian Stretch

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

I’ve been facing this issue for some time now. The renew command is run once a day at 3:30 EST and it’s failing most of the time.

  1. May I run this command every day?
  2. Could I get more info about which rate limit gets reached?
  3. My certificate expires on Nov 14, I really want to get this fixed before

Hi @ikus060

checking your domain there are some certificates - https://check-your-website.server-daten.de/?q=git.patrikdufresne.com#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-10-28 | 2020-01-26 | git.patrikdufresne.com - 1 entries | duplicate nr. 5 | next Letsencrypt certificate: 2019-10-28 16:35:50 |
| Let's Encrypt Authority X3 | 2019-10-28 | 2020-01-26 | git.patrikdufresne.com - 1 entries | duplicate nr. 4 | |
| Let's Encrypt Authority X3 | 2019-10-22 | 2020-01-20 | git.patrikdufresne.com - 1 entries | duplicate nr. 3 | |
| Let's Encrypt Authority X3 | 2019-10-22 | 2020-01-20 | git.patrikdufresne.com - 1 entries | duplicate nr. 2 | |
| Let's Encrypt Authority X3 | 2019-10-21 | 2020-01-19 | git.patrikdufresne.com - 1 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2019-10-21 | 2020-01-19 | git.patrikdufresne.com - 1 entries | | |

Why don't you use one of these?

Your configuration is buggy - a redirect https -> http.

Domainname Http-Status redirect Sec. G
http://git.patrikdufresne.com/ 24.37.98.230 302 ikus-soft · GitLab Html is minified: 100,00 % 0.313 D
ikus-soft · GitLab GZip used - 8027 / 60461 - 86,72 % 200 Html is minified: 103,07 % 0.594 H
https://git.patrikdufresne.com/ 24.37.98.230 302 ikus-soft · GitLab Html is minified: 100,00 % 4.124 F

What does

nginx -T

say?

It's recommended to run it at random times twice a day -- in fact, the Certbot package should already have set up a systemd timer doing just that.

certbot renew should only actually renew your certificates when it's necessary, when they will expire in less than 30 days (by default). If it's issuing duplicate certificates three times a day, something is wrong.

Can you post the output of "sudo certbot certificates"?


> It’s recommended to run it at random times twice a day – in fact, the Certbot package should already have set up a systemd timer doing just that.

Ok, I found the systemd timer. So cronjob should not be required. I will remove it.

> certbot renew should only actually renew your certificates when it’s necessary

This is my understanding. Yep. So I’m still wondering why I’m reaching the rate limit! I should be able to run certbot renew many times without issues.

> If it’s issuing duplicate certificates three times a day, something is wrong.

I saw this in the comments above. Wasn’t sure if it’s related.

> Can you post the output of “sudo certbot certificates”?

Here it is.
I think the certbot renew worked today.

$ sudo certbot certificates
[sudo] password for ikus060: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: git.patrikdufresne.com
    Domains: git.patrikdufresne.com
    Expiry Date: 2019-11-12 18:38:50+00:00 (VALID: 14 days)
    Certificate Path: /etc/letsencrypt/live/git.patrikdufresne.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/git.patrikdufresne.com/privkey.pem
  Certificate Name: nexus.patrikdufresne.com
    Domains: nexus.patrikdufresne.com
    Expiry Date: 2020-01-12 00:57:28+00:00 (VALID: 74 days)
    Certificate Path: /etc/letsencrypt/live/nexus.patrikdufresne.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/nexus.patrikdufresne.com/privkey.pem
  Certificate Name: www.minarca.net
    Domains: www.minarca.net
    Expiry Date: 2020-01-10 21:30:40+00:00 (VALID: 73 days)
    Certificate Path: /etc/letsencrypt/live/www.minarca.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.minarca.net/privkey.pem
  Certificate Name: demo.patrikdufresne.com
    Domains: demo.patrikdufresne.com
    Expiry Date: 2019-11-12 18:38:26+00:00 (VALID: 14 days)
    Certificate Path: /etc/letsencrypt/live/demo.patrikdufresne.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/demo.patrikdufresne.com/privkey.pem
  Certificate Name: registry.patrikdufresne.com
    Domains: registry.patrikdufresne.com
    Expiry Date: 2020-01-12 00:57:54+00:00 (VALID: 74 days)
    Certificate Path: /etc/letsencrypt/live/registry.patrikdufresne.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/registry.patrikdufresne.com/privkey.pem
  Certificate Name: sonar.patrikdufresne.com
    Domains: sonar.patrikdufresne.com
    Expiry Date: 2019-12-25 18:11:11+00:00 (VALID: 57 days)
    Certificate Path: /etc/letsencrypt/live/sonar.patrikdufresne.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sonar.patrikdufresne.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I looked into the letsencrypt log since it ran this morning. I noticed a problem with the renewal of git.patrikdufresne.com. It is creating the files under /etc/letsencrypt/archive/git.patrikdufresne.com/cert2.pem. But the symbolic links in /etc/letsencrypt/live/git.patrikdufresne.com/ are pointing to cert1.pem instead.

So basically, the certs are there on the server, but not used since the symbolic link is pointing to the wrong one.

That would explain it, but shouldn’t happen. :confused:

Can you post “sudo ls -alR /etc/letsencrypt/{archive,live,renewal}”?
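
The mismatch described above (new files in archive/ while the live/ symlinks still point at version 1) can be checked mechanically. The script below is an added example, not part of the original thread or of Certbot; it assumes Certbot's usual live/ and archive/ layout, and the `check_lineage` and `make_sample` names and the `*.example.test` sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check that each live/<name>/<item>.pem symlink points at the
# highest-numbered <item>N.pem in archive/<name>/.

check_lineage() {                       # usage: check_lineage LE_DIR CERT_NAME
    local le_dir=$1 name=$2 rc=0 item link target newest want f n
    for item in cert chain fullchain privkey; do
        link="$le_dir/live/$name/$item.pem"
        if [ ! -L "$link" ]; then
            echo "$name: live/$item.pem is missing or not a symlink"
            rc=1; continue
        fi
        target=$(basename "$(readlink "$link")")
        newest=0
        for f in "$le_dir/archive/$name/$item"[0-9]*.pem; do
            [ -e "$f" ] || continue     # glob matched nothing
            n=${f##*/}; n=${n#"$item"}; n=${n%.pem}
            case $n in *[!0-9]*) continue ;; esac
            if [ "$n" -gt "$newest" ]; then newest=$n; fi
        done
        want="$item$newest.pem"
        [ "$newest" -gt 0 ] || want="(no archive files)"
        if [ "$target" != "$want" ]; then
            echo "$name: live/$item.pem -> $target, newest in archive is $want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample tree: archive/ holds versions 1 and 2 of every file and
# live/ links to LINKED_VERSION (1 reproduces the state reported in the thread).
make_sample() {                         # usage: make_sample DIR NAME LINKED_VERSION
    local dir=$1 name=$2 linked=$3 item v
    mkdir -p "$dir/archive/$name" "$dir/live/$name"
    for item in cert chain fullchain privkey; do
        for v in 1 2; do : > "$dir/archive/$name/$item$v.pem"; done
        ln -sf "../../archive/$name/$item$linked.pem" "$dir/live/$name/$item.pem"
    done
}

tmp=$(mktemp -d)
make_sample "$tmp" stale.example.test 1
make_sample "$tmp" fresh.example.test 2
for name in stale.example.test fresh.example.test; do
    check_lineage "$tmp" "$name" && echo "$name: OK"
done
rm -rf "$tmp"
```

On a real host, running `check_lineage /etc/letsencrypt git.patrikdufresne.com` as root reports any stale link for that certificate name.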


This is one of the weird Certbot behaviors that we’ve never managed to get to the bottom of somehow.

@ikus060, did you modify anything in /etc/letsencrypt by hand, such as trying to rename certificate-related files?


I’m not the only one with access to the server and certbot gets configured using ansible. So I can’t tell if anything got edited.