Reach rate-limits


#1

I had nginx problems while moving the domain lp.школатрейдера.рф to another server and deleted all recently received certs. And reached the rate limits ((. I still need the Let's Encrypt certificate. How can I speed up the window to get a cert?

Thanks


#2

Hi @kons,

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Can you additionally share the exact rate limit error message you’re receiving? If it's the failed validations rate limit that you’re hitting, it will automatically clear itself after 1 hour. You could also use the staging environment to debug your problem in the meantime.


#3

Ou, thanks for replying.

My domain is: lp.школатрейдера.рф - it's in punycode

I ran this command:

./certbot-auto certonly --webroot --agree-tos --email mail@domain.com -w /var/www/domain/data/www/lpacademy -d lp.школатрейдера.рф -d www.lp.школатрейдера.рф

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: lp.школатрейдера.рф,www.lp.школатрейдера.рф: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): debian 3.16.7

My hosting provider, if applicable, is: ns.bpfcom.net

I can login to a root shell on my machine - yes

I’m using a control panel to manage my site - no

certbot 0.31.0

Error finalizing order: There were too many request of given type: too many request already issued for exact set of domain lp.школатрейдера.рф www.lp.школатрейдера.рф


#4

Hi @Kons,

there is a certificate, created today ( https://check-your-website.server-daten.de/?q=lp.школатрейдера.рф ):

CN=lp.xn--80aaldbwei0awes7e.xn--p1ai
14.02.2019 - 15.05.2019, expires in 90 days
lp.школатрейдера.рф (lp.xn--80aaldbwei0awes7e.xn--p1ai), www.lp.школатрейдера.рф (www.lp.xn--80aaldbwei0awes7e.xn--p1ai) - 2 entries

So use this certificate for 60 - 85 days.

If you need the same certificate with another server, copy the private and the public key.

You have created 5 identical certificates today, one is used.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=p:bHAueG4tLTgwYWFsZGJ3ZWkwYXdlczdlLnhuLS1wMWFpOmZhbHNlOmZhbHNlOjpFQUU9&cert_search=include_expired:false;include_subdomains:false;domain:lp.xn--80aaldbwei0awes7e.xn--p1ai&lu=cert_search_cert


#5

Yes, I just need the same keys, because I (crooked hands) physically deleted them from the letsencrypt/live/ directory after nginx accepted them. It turns out that this certificate will work until nginx is restarted. That is, I need fullchain.pem and privkey.pem again.


#6

The rate limit is fixed.

So you have two options.

  • Don’t restart your server in the next 7 days
  • Create certificates with different sets of domain names

Your current certificate has two domain names

lp.xn--80aaldbwei0awes7e.xn--p1ai
www.lp.xn--80aaldbwei0awes7e.xn--p1ai

There you have hit the limit -> next certificate in 7 days.

But you can create one certificate with

lp.xn--80aaldbwei0awes7e.xn--p1ai

as domain name, one certificate with

www.lp.xn--80aaldbwei0awes7e.xn--p1ai

So you need two different vHosts to use these certificates.

But: One certificate, not more than 4. Because there is already one certificate with

lp.xn--80aaldbwei0awes7e.xn--p1ai

#7

Thanks, I shall do so.


#8

How much did you delete? There are two copies of the keys saved in /etc/letsencrypt/archive/ and /etc/letsencrypt/keys/. If you only deleted /etc/letsencrypt/live/, you can fix it.
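
The repair described in this post, as an added example that is not part of the original thread: it assumes certbot's standard layout, in which live/<name>/*.pem are relative symlinks to the numbered files in archive/<name>/. The helper names `latest_version` and `relink_live` and the `example.test` lineage are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild live/<lineage>/ from archive/<lineage>/.
# Assumed layout: archive/<lineage>/{cert,privkey,chain,fullchain}N.pem, N = issuance number.

# latest_version ARCHIVE_DIR KIND -> prints the highest N with KIND<N>.pem present (0 if none)
latest_version() {
    best=0
    for f in "$1/$2"[0-9]*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/}; n=${n#"$2"}; n=${n%.pem}      # "chain10.pem" -> "10"
        case $n in ''|*[!0-9]*) continue ;; esac   # skip non-numeric suffixes
        if [ "$n" -gt "$best" ]; then best=$n; fi
    done
    echo "$best"
}

# relink_live CONFIG_DIR LINEAGE -> recreate the four symlinks, print the version used.
# Refuses to link unless cert, key and chains of the same version are all present,
# so a key is never paired with a certificate from a different issuance.
relink_live() {
    cfg=$1; name=$2; arch="$cfg/archive/$name"; live="$cfg/live/$name"
    [ -d "$arch" ] || { echo "no archive directory for $name" >&2; return 1; }
    ver=$(latest_version "$arch" privkey)
    [ "$ver" -gt 0 ] || { echo "no privkey in $arch" >&2; return 1; }
    for kind in cert privkey chain fullchain; do
        [ -f "$arch/$kind$ver.pem" ] || { echo "missing $kind$ver.pem" >&2; return 1; }
    done
    mkdir -p "$live"
    for kind in cert privkey chain fullchain; do
        rm -f "$live/$kind.pem"
        ln -s "../../archive/$name/$kind$ver.pem" "$live/$kind.pem"
    done
    echo "$ver"
}

# With two arguments, act on a real tree; with none, demo on a constructed one.
if [ "$#" -eq 2 ]; then
    relink_live "$1" "$2"
else
    demo=$(mktemp -d); d="$demo/archive/example.test"   # constructed sample tree
    mkdir -p "$d"
    for v in 1 2; do for k in cert privkey chain fullchain; do
        echo "$k v$v" > "$d/$k$v.pem"
    done; done
    echo "relinked to version $(relink_live "$demo" example.test)"
    ls -l "$demo/live/example.test"
    rm -rf "$demo"
fi
```

After relinking a real tree, `nginx -t` confirms that the restored certificate and key paths load before the server is reloaded.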


#9

Also in Linux you can usually access copies of files that processes have open by looking in /proc/[pid]/fd, even if the files have been unlinked from the filesystem.

$ echo hello > file
$ cat > holdopenfd.py <<foo
> #!/usr/bin/env python
> import os
> print(os.getpid())
> f = open("file")
> import time
> time.sleep(10)
> foo
$ python holdopenfd.py &
[1] 24071
24071
$ rm file
$ cat file
cat: file: No such file or directory
$ cat /proc/24071/fd/3 
hello
$ sleep 10
[1]+  Done                    python holdopenfd.py
$ cat file
cat: file: No such file or directory

This might not be necessary in this case because the much simpler approach suggested by @mnordhoff may suffice.


#10

@joohoi pointed out that nginx might not actually keep the certificate and key files open while running, since it could read them once at startup and then close them. I confirmed that this is true in practice, so my advice above won’t actually work for this application! (It could work in some other situations where you need to recover a file’s contents, but not this one.)

