Renew certificate with expanding domains

Hello all,

I’m trying to renew one of the certificates and expand it with a subdomain.
The only thing is that the client says "There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued."

The command that i use is ./letsencrypt-auto certonly --renew-by-default -c /etc/letsencrypt/cli.ini

and this is what my cli.ini looks like

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Uncomment and update to register with the specified e-mail address
#email =

# Uncomment and update to generate certificates for the specified
# domains.
domains = server.test.com, mail.test.com

# Uncomment to use a text interface instead of ncurses
text = True
expand = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
authenticator = webroot
webroot-path = /home/httpd/default

What am I doing wrong? Or is it not possible to renew the certificate and add new subdomains due to the limits?

You have presumably obtained 5 certificates for that domain in the last 7 days, so yes you have hit the rate limits.

You can add new subdomains (up to 100 per certificate); however, there is still a 5 certs / domain / 7 days limit.

Every command I try, I get the same error.
Is there a way to add this? If so, how can I do that with the current limit?

If you have exceeded the limit, all you can do is wait.

You can add subdomains to a certificate, which essentially produces a new certificate, which counts as part of that limit of 5 certs / domain / 7 days.

You can check at https://crt.sh/ for the certificates you have already issued for your domain, and when they were.

If I use this cli.ini, where is this cert kept, and is it a SAN cert?

Things have changed a fair amount in the 9 months since the previous comment on this thread. Can I change things slightly by asking what you want to achieve ?

Oh sure, it’s the SAN cert for the postfix and dovecot configuration thing. I am not understanding where the certificate containing all domains is created when running a command like:
letsencrypt certony --webroot
--webroot-path /var/www/vhosts/example.com -d example.com
--webroot-path /var/www/vhosts/domainvirtualhost1 -d domainvirtualhost1
--webroot-path /var/www/vhosts/domainvirtualhost2 -d domainvirtualhost2

The issue I have is that all my domains are spread out with virtualmin, so each resides in a /home/domain/public_html location, where "domain" is the name of the admin user created for that domain. It happens to match the domain without the .com on the end in my case.
www.domain1.com is located at /home/domain1/public_html, for instance. The only common directory in the path is /home, and no site for webroot to send to Let's Encrypt is located there. Does that make sense? As I read this, there has to be a common path as a parent with a site associated with it, as in /var/www and /var/www/domain1.

I have been at this for a lot of hours and tried numerous things. I have a dovecot file set up for each domain in conf.d, and I think that’s covering dovecot, but it’s becoming a spaghetti mess, and one SAN cert for dovecot and postfix would make me sleep better.

I parsed the command out like that so I could look at it in steps, and it depends on a website in /var/www.

My websites work fine, and the certs are symlinked to /etc/letsencrypt/live/website for their certs.

Your certs are in /etc/letsencrypt/live/YourDomain/

You might find the following thread useful for Dovecot.

Yes, I used his second suggestion and it works. I did not see the fullchain part; I must have been looking at a previous post of his. I am going to change that.

As you pointed out, the individual certs are located there and I use them for everything but postfix. They do not support SNI, nor plan to. They say get a SAN cert or an IP for each domain. I have many domains, so the SAN cert is my goal; I just am not seeing how to create one single cert to cover all of the domains and where it would be stored for use. …
Seems dovecot could just use it too. Maybe I am just looking for the fullchain cert? I don’t grok the process here.

First time with letsencrypt but lessons not soon forgotten.

When you used

This will create a cert containing all 3 domains (so those are all included as SANs). You need to include all the domains that you want in the cert.

The certificate should be stored in /etc/letsencrypt/live/example.com/ in the above case.

Doesn’t that mess with the letsencrypt auth check when it goes out and looks for a site at that location and finds nothing? I hacked something like this before and it failed. I’ll try it again. Is there a way to check if it contains all?

Thanks a lot for the fast replies I’d love to go to bed with this working…

I will edit this out later… this is the exact command I will run and I should see the SAN cert in the first domain in /live right?

I don’t understand what you mean here.

try the command (where domain.crt is the certificate you want to check )

openssl x509 -in domain.crt -noout -text

or

openssl x509 -in domain.crt -noout -text | grep DNS

if you just want the SAN names.

I will edit this out later. This is the command I will run:

letsencrypt certony -n --webroot --webroot-path /home/linuxnuts/ssl_certificates -d linuxnuts.com -d www.linuxnuts.com --webroot-path /home/linuxnutz/ssl_certificates -d linuxnutz.com -d www.linuxnutz.com --webroot-path /home/midihipi/ssl_certificates -d midihipi.xyz -d www.midihipi.xyz

I am going to swack that into a terminal and see what shakes out of it.

You have a typo in “certony”, and you also haven’t got a matching set of --domains (-d) and --webroot-path (-w).

OK, hey, success! It even tells you where the new SAN cert is, but you have to use the --expand flag if a cert already exists for any of the domains you want in it… nice.

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/www.linuxnutz.com/fullchain.pem. Your cert
    will expire on 2017-02-06. To obtain a new or tweaked version of
    this certificate in the future, simply run certbot again. To
    non-interactively renew all of your certificates, run “certbot
    renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Odd, why would it be saved to the second domain’s /live location? This might mess with the fact that my mail server is named tesla.linuxnuts.com.


Ahh, but when I try and add mail.domain.com to the string it fails and I get that ugly auth error I was getting earlier…

Domain: mail.linuxnutz.com
Type: unauthorized
Detail: Invalid response from
http://mail.linuxnutz.com/.well-known/acme-challenge/iXwptyZJsUlniy2g3PrFL-cQ4dG1Uaz_6cKYDm3APEU:
"404 Not Found
Not Found
<p"

Have you defined the correct webroot for mail.linuxnutz.com? And if you place a file within “webroot”/.well-known/acme-challenge/test, can you reach it in your browser?

Also, please note there are rate limits - you can’t just keep getting certificates. For testing, make sure you are using the staging server.
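A pre-flight check for the two problems raised in this thread, the unmatched -d/-w pairs pointed out above and the "place a file under the webroot's .well-known/acme-challenge/ and fetch it" test suggested here; this is an added example, not code from the thread or from certbot/letsencrypt. It assumes the space-separated "-w /path" flag form, and the command string in the demo is the thread's own with the "certony" typo fixed.

```python
import os
import secrets
import shlex
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def domain_webroots(command):
    """Pair each -d with the -w in force where it appears: certbot applies a -w to every -d
    that follows it, until the next -w. Returns (mapping, orphans); orphans are -d before any -w."""
    args, mapping, orphans, current = shlex.split(command), {}, [], None
    for flag, value in zip(args, args[1:]):
        if flag in ("-w", "--webroot-path"):
            current = value
        elif flag in ("-d", "--domain", "--domains"):
            for d in value.split(","):           # -d also accepts comma-separated names
                if current is None:
                    orphans.append(d)
                else:
                    mapping[d] = current
    return mapping, orphans


def probe_webroot(domain, webroot, fetch=None):
    """The thread's test: write a random token under <webroot>/.well-known/acme-challenge/
    and fetch it over plain HTTP as the validator would. True only if the body is the token."""
    if fetch is None:
        fetch = lambda url: urllib.request.urlopen(url, timeout=10).read().decode("utf-8", "replace")
    token = secrets.token_urlsafe(16)
    token_file = os.path.join(webroot, *CHALLENGE_DIR.split("/"), token)
    os.makedirs(os.path.dirname(token_file), exist_ok=True)
    with open(token_file, "w") as fh:
        fh.write(token)
    try:
        return fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}").strip() == token
    except OSError:          # connection refused, or an HTTPError such as the 404 quoted above
        return False
    finally:
        os.remove(token_file)


if __name__ == "__main__":
    # Thread's command, typo fixed; mail.linuxnutz.com inherits the last -w, which must be its real docroot.
    cmd = ("letsencrypt certonly -n --expand --webroot"
           " -w /home/linuxnuts/ssl_certificates -d linuxnuts.com -d www.linuxnuts.com"
           " -w /home/linuxnutz/ssl_certificates -d linuxnutz.com -d www.linuxnutz.com -d mail.linuxnutz.com")
    for domain, root in domain_webroots(cmd)[0].items():
        print(domain, "->", root, "OK" if probe_webroot(domain, root) else "FAILED")
```

Run it on the host that serves the webroots before calling certbot; a FAILED line means the CA would get the same 404 shown above for that name.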

OK, I am going to take a break; I need some sleep. I will pick this up in the morning. Thanks for all your help. I am in the Philippines, so it’s quite late now. I checked it out and have only had two issued.

Maybe there’s normally no web server listening for that site?

Good point. There is a website response from mail.linuxnutz.com though.