Reach Rate Limit

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
tbbt.xenbox.fr

I ran this command:
certbot certonly --webroot -m XXXXX@gmail.com -d jirafeau.tbbt.xenbox.fr --agree-tos

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate for jirafeau.tbbt.xenbox.fr
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set
of domains in the last 168 hours: jirafeau.tbbt.xenbox.fr: see Rate Limits - Let's Encrypt
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): Apache/2.4.48

The operating system my web server runs on is (include version):
Linux 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64 GNU/Linux

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Hi @bib and welcome to the LE community forum :slight_smile:

Please show the output of:
certbot certificates

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/jirafeau.tbbt.xenbox.fr-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/jirafeau.tbbt.xenbox.fr-0001/cert.pem to be a symlink. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: bib.tbbt.xenbox.fr
    Serial Number: 39d62c0d90610f364cc827ebf7564f3e85e
    Key Type: RSA
    Domains: bib.tbbt.xenbox.fr
    Expiry Date: 2022-01-24 20:48:52+00:00 (VALID: 40 days)
    Certificate Path: /etc/letsencrypt/live/bib.tbbt.xenbox.fr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bib.tbbt.xenbox.fr/privkey.pem
  Certificate Name: gitlab.tbbt.xenbox.fr
    Serial Number: 4bb71241ca48256800438fdf895d645c0bf
    Key Type: RSA
    Domains: gitlab.tbbt.xenbox.fr
    Expiry Date: 2021-11-29 06:27:52+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/gitlab.tbbt.xenbox.fr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gitlab.tbbt.xenbox.fr/privkey.pem
  Certificate Name: jirafeau.tbbt.xenbox.fr
    Serial Number: 4cfcf921020288972d015cb20572b9bd839
    Key Type: RSA
    Domains: jirafeau.tbbt.xenbox.fr
    Expiry Date: 2021-11-25 08:57:08+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/jirafeau.tbbt.xenbox.fr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/jirafeau.tbbt.xenbox.fr/privkey.pem
  Certificate Name: paste.tbbt.xenbox.fr
    Serial Number: 3a3654b7a2c20388f8f1992611b7fea9603
    Key Type: RSA
    Domains: paste.tbbt.xenbox.fr
    Expiry Date: 2022-02-17 07:40:56+00:00 (VALID: 63 days)
    Certificate Path: /etc/letsencrypt/live/paste.tbbt.xenbox.fr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/paste.tbbt.xenbox.fr/privkey.pem
  Certificate Name: tbbt.xenbox.fr
    Serial Number: 4ca45e889cd879afc35cfff2f7985ed0d4f
    Key Type: RSA
    Domains: tbbt.xenbox.fr
    Expiry Date: 2022-01-24 20:48:59+00:00 (VALID: 40 days)
    Certificate Path: /etc/letsencrypt/live/tbbt.xenbox.fr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/tbbt.xenbox.fr/privkey.pem
  Certificate Name: wiki.tbbt.xenbox.fr
    Serial Number: 47ce8acfd1f045271292f25f948ee6b554c
    Key Type: RSA
    Domains: wiki.tbbt.xenbox.fr
    Expiry Date: 2022-02-17 15:41:33+00:00 (VALID: 64 days)
    Certificate Path: /etc/letsencrypt/live/wiki.tbbt.xenbox.fr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wiki.tbbt.xenbox.fr/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/jirafeau.tbbt.xenbox.fr-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

https://paste.debian.net/hidden/e870027f/

That's strange.
Four active certs and two expired certs.
Cross-checking, I see the same IP used in active and expired.
So, there must (now) be something "broken" within your system (or HTTP path thereto).

Let's start unraveling this mystery with the output of:
sudo apachectl -t -D DUMP_VHOSTS


https://paste.debian.net/hidden/643de815/

thanks for the help


The expired cert "gitlab.tbbt.xenbox.fr" is no longer covered within the Apache config.
If it is no longer needed, you can remove it with:
certbot delete --cert-name gitlab.tbbt.xenbox.fr
If it is needed, then you would first have to recreate the vhost.

The expired cert "jirafeau.tbbt.xenbox.fr" is being served by Apache.
[and I see that is the one included in your original post]
So, let's have a look at the vhost file for it:
/etc/apache2/sites-enabled/jirafeau.conf


gitlab.tbbt.xenbox.fr is needed but it is on a docker

for jirafeau I have 2 files :
/etc/apache2/sites-enabled/jirafeau.conf : Debian Pastezone
/etc/apache2/sites-enabled/jirafeau-ssl.conf : Debian Pastezone

Ok the HTTP block is very clean.
Let's test the access with:
echo "test-file-1" > /var/www/Jirafeau/test-file-1

And also test the expected challenge path with:
mkdir -p /var/www/Jirafeau/.well-known/acme-challenge/
echo "test-file-2" > /var/www/Jirafeau/.well-known/acme-challenge/test-file-2

We can then try them (from the Internet) via:
http://jirafeau.tbbt.xenbox.fr/test-file-1
http://jirafeau.tbbt.xenbox.fr/.well-known/acme-challenge/test-file-2


ok, done and tested, it works

Yes, perfect thus far.

Now we can try a test run at getting a cert, with:
certbot certonly --webroot -w /var/www/Jirafeau/ -d jirafeau.tbbt.xenbox.fr --dry-run


I saw that :

# ls /etc/letsencrypt/renewal
bib.tbbt.xenbox.fr.conf     jirafeau.tbbt.xenbox.fr-0001.conf  paste.tbbt.xenbox.fr.conf  wiki.tbbt.xenbox.fr.conf
gitlab.tbbt.xenbox.fr.conf  jirafeau.tbbt.xenbox.fr.conf       tbbt.xenbox.fr.conf

there is jirafeau.tbbt.xenbox.fr-0001.conf and jirafeau.tbbt.xenbox.fr.conf

is that correct ?

the dry-run works
https://paste.debian.net/hidden/329a56a7/

No, that is NOT expected.


try:
certbot delete --cert-name jirafeau.tbbt.xenbox.fr-0001
certbot delete --cert-name jirafeau.tbbt.xenbox.fr

then show
certbot certificates
and
ls -ltr /etc/letsencrypt/renewal
and
find /etc/letsencrypt/ -name '*000*'

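The checks requested above (whether the files under live/ are still symlinks, and whether a stray -0001 lineage exists next to the original), scripted as an added example that is not part of the original thread. The directory tree is constructed in a temp dir with made-up example.test names, and `audit_lineages` and `make_sample` are hypothetical helper names.

```shell
#!/bin/sh
# audit_lineages DIR: print one finding per line for a certbot-style config dir.
audit_lineages() {
    root=$1
    for conf in "$root"/renewal/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        # A -NNNN suffix next to an unsuffixed conf means a second lineage for the same name.
        base=$(printf '%s\n' "$name" | sed 's/-[0-9][0-9][0-9][0-9]$//')
        if [ "$base" != "$name" ] && [ -e "$root/renewal/$base.conf" ]; then
            echo "DUPLICATE $name (also $base)"
        fi
        # certbot expects each of these to be a symlink into archive/<name>/.
        for f in cert chain fullchain privkey; do
            p="$root/live/$name/$f.pem"
            if [ ! -L "$p" ]; then
                echo "NOT_SYMLINK $name/$f.pem"   # regular file or missing
            elif [ ! -e "$p" ]; then
                echo "DANGLING $name/$f.pem"      # symlink whose target is gone
            fi
        done
    done
}

# Constructed sample tree: two healthy lineages plus a broken -0001 duplicate.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/renewal"
    for n in wiki.example.test files.example.test files.example.test-0001; do
        mkdir -p "$d/live/$n" "$d/archive/$n"
        : > "$d/renewal/$n.conf"
        for f in cert chain fullchain privkey; do
            : > "$d/archive/$n/${f}1.pem"
            ln -s "../../archive/$n/${f}1.pem" "$d/live/$n/$f.pem"
        done
    done
    # Reproduce the reported failure: cert.pem replaced by a regular file.
    rm "$d/live/files.example.test-0001/cert.pem"
    : > "$d/live/files.example.test-0001/cert.pem"
    echo "$d"
}

sample=$(make_sample)
audit_lineages "$sample"
rm -rf "$sample"
```

To run it against a real installation, call `audit_lineages /etc/letsencrypt` as a user that can read that directory.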

for the certbot delete : Debian Pastezone

certbot certificates : Debian Pastezone

# ls -ltr /etc/letsencrypt/renewal
total 20
-rw-r--r-- 1 root root 549 août  31 09:27 gitlab.tbbt.xenbox.fr.conf
-rw-r--r-- 1 root root 590 oct.  26 23:48 bib.tbbt.xenbox.fr.conf
-rw-r--r-- 1 root root 558 oct.  26 23:49 tbbt.xenbox.fr.conf
-rw-r--r-- 1 root root 595 nov.  19 09:41 paste.tbbt.xenbox.fr.conf
-rw-r--r-- 1 root root 593 nov.  19 17:41 wiki.tbbt.xenbox.fr.conf

and the find returns nothing

If you don't need this expired cert:

  Certificate Name: gitlab.tbbt.xenbox.fr
    Serial Number: 4bb71241ca48256800438fdf895d645c0bf
    Key Type: RSA
    Domains: gitlab.tbbt.xenbox.fr
    Expiry Date: 2021-11-29 06:27:52+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/gitlab.tbbt.xenbox.fr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gitlab.tbbt.xenbox.fr/privkey.pem

Please delete it, with:
certbot delete --cert-name gitlab.tbbt.xenbox.fr


I'll need it, but I can fix this one later.
Can I delete it and make it again later?

Before we get you a real cert, with:

Let's have a look at the current HTTPS vhost config file...
I see:
#Include /etc/letsencrypt/options-ssl-apache.conf
Why was that excluded?

I also see double backslashes (should be single):

SSLCertificateKeyFile /etc/letsencrypt/live/jirafeau.tbbt.xenbox.fr//privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/jirafeau.tbbt.xenbox.fr//chain.pem

And why are you not using the new format (supported since 2.4.6)?:

SSLCertificateFile /etc/letsencrypt/live/jirafeau.tbbt.xenbox.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/jirafeau.tbbt.xenbox.fr/privkey.pem

#SSLCertificateChainFile /etc/letsencrypt/live/jirafeau.tbbt.xenbox.fr/chain.pem
