Renewal fails - erroneously claims too many attempts

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: compaqportable.com

I ran this command: certbot renew

It produced this output:

# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/compaqportable.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Attempting to renew cert (compaqportable.com) from /etc/letsencrypt/renewal/compaqportable.com.conf produced an unexpected error: [Errno 17] File exists: '/etc/letsencrypt/archive/compaqportable.com/privkey3.pem'. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/compaqportable.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/compaqportable.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

root@mail:~# rm /etc/letsencrypt/archive/compaqportable.com/privkey3.pem

root@mail:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/compaqportable.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Attempting to renew cert (compaqportable.com) from /etc/letsencrypt/renewal/compaqportable.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: compaqportable.com,mail.mymayday.com,www.compaqportable.com: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/compaqportable.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/compaqportable.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version):

Server version: Apache/2.4.29 (Ubuntu)
Server built: 2019-08-26T13:41:23

The operating system my web server runs on is (include version):
Linux mail.mymayday.com 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

More details:
I have been trying for several weeks (once a week) to renew this certificate, and always run into the same error. Need help to fix this.

Hi @mymayday

please read your error message:

Attempting to renew cert (compaqportable.com) from /etc/letsencrypt/renewal/compaqportable.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: 

There were too many requests of a given type :: Error creating new order :: 
too many certificates already issued for exact set of domains: compaqportable.com,mail.mymayday.com,www.compaqportable.com: 
see https://letsencrypt.org/docs/rate-limits/. Skipping.

Please read the link.

Checking your domain you have created a lot of new certificates - https://check-your-website.server-daten.de/?q=compaqportable.com

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-09-04 | 2019-12-03 | compaqportable.com, mail.mymayday.com, www.compaqportable.com - 3 entries | duplicate nr. 3 | |
| Let's Encrypt Authority X3 | 2019-09-03 | 2019-12-02 | compaqportable.com, mail.mymayday.com, www.compaqportable.com - 3 entries | duplicate nr. 2 | |
| Let's Encrypt Authority X3 | 2019-09-02 | 2019-12-01 | compaqportable.com, mail.mymayday.com, www.compaqportable.com - 3 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2019-08-29 | 2019-11-27 | compaqportable.com, mail.mymayday.com, www.compaqportable.com - 3 entries | | |
| Let's Encrypt Authority X3 | 2019-08-28 | 2019-11-26 | compaqportable.com, mail.mymayday.com, www.compaqportable.com - 3 entries | | |
| Let's Encrypt Authority X3 | 2019-08-28 | 2019-11-26 | compaqportable.com, mail.mymayday.com, www.compaqportable.com - 3 entries | | |
| Let's Encrypt Authority X3 | 2019-08-27 | 2019-11-25 | compaqportable.com, mail.mymayday.com, www.compaqportable.com - 3 entries | | |
| Let's Encrypt Authority X3 | 2019-08-26 | 2019-11-24 | compaqportable.com, mail.mymayday.com, www.compaqportable.com - 3 entries | | |
| Let's Encrypt Authority X3 | 2019-08-26 | 2019-11-24 | compaqportable.com, mail.mymayday.com, vintagecomputing.net, www.compaqportable.com, www.vintagecomputing.net - 5 entries | | |
| Let's Encrypt Authority X3 | 2019-08-26 | 2019-11-24 | compaqportable.com, mail.mymayday.com, vintagecomputing.net, www.compaqportable.com, www.vintagecomputing.net - 5 entries | | |
| Let's Encrypt Authority X3 | 2019-08-26 | 2019-11-24 | compaqportable.com, mail.mymayday.com, vintagecomputing.net, www.compaqportable.com, www.vintagecomputing.net - 5 entries | | |
| Let's Encrypt Authority X3 | 2019-08-26 | 2019-11-24 | compaqportable.com, mail.mymayday.com, vintagecomputing.net, www.compaqportable.com, www.vintagecomputing.net - 5 entries | | |

But you don't use one of these.

That

/etc/letsencrypt/renewal/compaqportable.com.conf produced an unexpected error: [Errno 17] File exists: '/etc/letsencrypt/archive/compaqportable.com/privkey3.pem'. Skipping.

looks like you have broken your configuration.

rm /etc/letsencrypt/archive/compaqportable.com/privkey3.pem

Deleting such files is always a bad idea.

You have to install one of these certificates.

But if you delete these, you have to wait one week.

What do these say:

certbot certificates

apachectl -S

Thanks - I appreciate your swift response.
I guess I have not really understood what I was doing, taking the docs literally: The paragraph about changing a certificate’s domain (https://certbot.eff.org/docs/using.html#managing-certificates) led me to believe that whatever needed to happen when making changes, would happen automagically behind the scenes.

Anyway, all I need is to get one of them to work for now (preferably the last one, but any will do).

helge@mail:~$ sudo certbot certificates
[sudo] password for helge:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: compaqportable.com
Domains: compaqportable.com mail.mymayday.com www.compaqportable.com
Expiry Date: 2019-09-10 19:26:15+00:00 (VALID: 5 days)
Certificate Path: /etc/letsencrypt/live/compaqportable.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/compaqportable.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Apache:

helge@mail:~$ apachectl -S
AH00526: Syntax error on line 20 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/compaqportable.com/fullchain.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

This does not look good, but visiting the site (which is a ‘work in progress’ page only) gives a valid certificate.
Right now the certificate is more important for dovecot and postfix than for web-stuff.

Run it as root.

That's the certificate listed in certbot certificates. If this certificate is dead, you can't restart your webserver.

PS:

That's

terrible. Where are all the other certificates? Did you delete these?

Please read

Sorry about that…

sudo apachectl -S
[sudo] password for helge:
VirtualHost configuration:
*:443 compaqportable.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 compaqportable.com (/etc/apache2/sites-enabled/000-default.conf:4)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

I do understand the rate limits and their purpose. What I don’t (or didn’t) understand was that my activity in any way constituted a repeat frequency worth attention. Like a few (failed) attempts every week.

Anyway, where are the other certs - probably in the compaqportable.com-0001 directory. My understanding of how these pieces fit together is very limited as you have guessed.

Next step:

Share the content of these two vHosts.

Both vHosts should have the same three domain names compaqportable.com mail.mymayday.com www.compaqportable.com - one as ServerName, the other two as ServerAlias.

If you have fixed that, it may work to create a new certificate.

But you have hit the limit, so that can't work. Perhaps you have to wait until 2019-09-09 to create a new certificate.

The issue is not one of failed attempts; the issue is that you've issued too many (5) within too short a period of time (7 days). I don't know how the message could be clearer:

from 000-default-le-ssl.conf:
<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    ServerName compaqportable.com
    ServerAlias www.compaqportable.com

    DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/compaqportable.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/compaqportable.com/privkey.pem
</VirtualHost>

mail.mymayday.com is a mail server address only.
These config files have not been changed since the site was created and the initial certs installed.

From 000-default.conf:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    ServerName compaqportable.com
    ServerAlias www.compaqportable.com

    DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.compaqportable.com [OR]
    RewriteCond %{SERVER_NAME} =compaqportable.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

You need a working vHost, so Certbot can create the correct validation file.

So add the mail subdomain to your existing vHosts.

It does. Or it should.

The error message suggests that some of Certbot's files have been moved around or deleted, outside of its control.

Can you post the output of "sudo ls -alR /etc/letsencrypt/{archive,live,renewal}"?

Thanks - does that mean I can make another renewal attempt when the apache config has been updated?

root@mail:/etc/apache2# sudo ls -alR /etc/letsencrypt/{archive,live,renewal}
/etc/letsencrypt/archive:
total 16
drwx------ 4 root root 4096 Jun 12 19:29 .
drwxr-xr-x 9 root root 4096 Sep 8 17:35 ..
drwxr-xr-x 2 root root 4096 Sep 5 09:30 compaqportable.com
drwxr-xr-x 2 root root 4096 Jun 12 20:26 compaqportable.com-0001

/etc/letsencrypt/archive/compaqportable.com:
total 40
drwxr-xr-x 2 root root 4096 Sep 5 09:30 .
drwx------ 4 root root 4096 Jun 12 19:29 ..
-rw-r--r-- 1 root root 1952 Apr 14 19:21 cert1.pem
-rw-r--r-- 1 root root 2041 Aug 26 10:09 cert3.pem
-rw-r--r-- 1 root root 1647 Apr 14 19:21 chain1.pem
-rw-r--r-- 1 root root 1647 Aug 26 10:09 chain3.pem
-rw-r--r-- 1 root root 3599 Apr 14 19:21 fullchain1.pem
-rw-r--r-- 1 root root 3688 Aug 26 10:09 fullchain3.pem
-rw-r--r-- 1 root root 1704 Apr 14 19:21 privkey1.pem
-rw------- 1 root root 1704 Aug 12 02:17 privkey2.pem

/etc/letsencrypt/archive/compaqportable.com-0001:
total 40
drwxr-xr-x 2 root root 4096 Jun 12 20:26 .
drwx------ 4 root root 4096 Jun 12 19:29 ..
-rw-r--r-- 1 root root 1948 Jun 12 19:29 cert1.pem
-rw-r--r-- 1 root root 1976 Jun 12 20:26 cert2.pem
-rw-r--r-- 1 root root 1647 Jun 12 19:29 chain1.pem
-rw-r--r-- 1 root root 1647 Jun 12 20:26 chain2.pem
-rw-r--r-- 1 root root 3595 Jun 12 19:29 fullchain1.pem
-rw-r--r-- 1 root root 3623 Jun 12 20:26 fullchain2.pem
-rw------- 1 root root 1704 Jun 12 19:29 privkey1.pem
-rw------- 1 root root 1704 Jun 12 20:26 privkey2.pem

/etc/letsencrypt/live:
total 24
drwx------ 5 root root 4096 Jun 20 12:45 .
drwxr-xr-x 9 root root 4096 Sep 8 17:35 ..
-rw-r--r-- 1 root root 740 Apr 14 19:21 README
drwxr-xr-x 2 root root 4096 Aug 26 10:09 compaqportable.com
drwxr-xr-x 2 root root 4096 Jun 12 20:26 compaqportable.com-0001
lrwxrwxrwx 1 root root 18 Jun 20 06:53 mail.mymayday.com -> compaqportable.com
drwxr-xr-x 2 root root 4096 Mar 22 03:54 save-mail.mymayday.com

/etc/letsencrypt/live/compaqportable.com:
total 12
drwxr-xr-x 2 root root 4096 Aug 26 10:09 .
drwx------ 5 root root 4096 Jun 20 12:45 ..
-rw-r--r-- 1 root root 692 Jun 12 19:29 README
lrwxrwxrwx 1 root root 47 Aug 26 10:09 cert.pem -> ../../archive/compaqportable.com-0001/cert2.pem
lrwxrwxrwx 1 root root 48 Aug 26 10:09 chain.pem -> ../../archive/compaqportable.com-0001/chain2.pem
lrwxrwxrwx 1 root root 52 Aug 26 10:09 fullchain.pem -> ../../archive/compaqportable.com-0001/fullchain2.pem
lrwxrwxrwx 1 root root 50 Aug 26 10:09 privkey.pem -> ../../archive/compaqportable.com-0001/privkey2.pem

/etc/letsencrypt/live/compaqportable.com-0001:
total 12
drwxr-xr-x 2 root root 4096 Jun 12 20:26 .
drwx------ 5 root root 4096 Jun 20 12:45 ..
-rw-r--r-- 1 root root 692 Apr 14 19:21 README
lrwxrwxrwx 1 root root 42 Jun 12 20:26 cert.pem -> ../../archive/compaqportable.com/cert1.pem
lrwxrwxrwx 1 root root 43 Jun 12 20:26 chain.pem -> ../../archive/compaqportable.com/chain1.pem
lrwxrwxrwx 1 root root 47 Jun 12 20:26 fullchain.pem -> ../../archive/compaqportable.com/fullchain1.pem
lrwxrwxrwx 1 root root 45 Jun 12 20:26 privkey.pem -> ../../archive/compaqportable.com/privkey1.pem

/etc/letsencrypt/live/save-mail.mymayday.com:
total 28
drwxr-xr-x 2 root root 4096 Mar 22 03:54 .
drwx------ 5 root root 4096 Jun 20 12:45 ..
-rw-r--r-- 1 root root 543 Sep 19 2017 README
-rw-r--r-- 1 root root 1915 Mar 22 03:54 cert.pem
-rw-r--r-- 1 root root 1647 Mar 22 03:54 chain.pem
-rw-r--r-- 1 root root 3562 Mar 22 03:54 fullchain.pem
-rw-r--r-- 1 root root 1704 Mar 22 03:54 privkey.pem

/etc/letsencrypt/renewal:
total 12
drwxr-xr-x 2 root root 4096 Aug 26 12:38 .
drwxr-xr-x 9 root root 4096 Sep 8 17:35 ..
-rw-r--r-- 1 root root 530 Aug 26 10:09 compaqportable.com.conf

That's strange -- most of the xxx2.pem files are missing; conversely the privkey3.pem file is also missing.

Certbot wouldn't be able to work with a symlink like that.

/etc/letsencrypt/live/compaqportable.com/ is supposed to contain symlinks to ../../archive/compaqportable.com/.

(Though /etc/letsencrypt/archive/compaqportable.com/ is itself broken at the moment.)

/etc/letsencrypt/live/compaqportable.com-0001/ is supposed to contain symlinks to ../../archive/compaqportable.com-0001/.

Certbot wouldn't be able to work with a live directory that contains files instead of symlinks.

FYI, since this is the only configuration file in /etc/letsencrypt/renewal/, Certbot will only try to renew /etc/letsencrypt/live/compaqportable.com/.
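The layout rules described in the reply above (each live/NAME/*.pem is a symlink into ../../archive/NAME/, never a regular file) can be checked mechanically. The following is an added example, not part of the original thread and not Certbot's own code; `audit_lineage` and `build_sample` are hypothetical names, the same-version-number check is an assumption about a healthy lineage, and the sample tree is constructed from the listing above using empty files.

```python
import os
import re
import tempfile

KINDS = ("cert", "chain", "fullchain", "privkey")

def audit_lineage(config_dir, name):
    """Return a list of problems found in live/<name>/ under config_dir."""
    problems, versions = [], set()
    live = os.path.join(config_dir, "live", name)
    for kind in KINDS:
        link = os.path.join(live, kind + ".pem")
        if not os.path.islink(link):
            state = "regular file" if os.path.exists(link) else "missing"
            problems.append(f"{kind}.pem: {state}, expected a symlink")
            continue
        target = os.readlink(link)
        m = re.fullmatch(r"\.\./\.\./archive/([^/]+)/%s(\d+)\.pem" % kind, target)
        if m is None:
            problems.append(f"{kind}.pem: unexpected target {target}")
            continue
        if m.group(1) != name:  # link crosses into another lineage's archive
            problems.append(f"{kind}.pem: points into archive/{m.group(1)}/")
        if not os.path.exists(link):  # follows the link, so False means dangling
            problems.append(f"{kind}.pem: target {target} does not exist")
        versions.add(int(m.group(2)))
    if len(versions) > 1:  # assumption: all four links share one version number
        problems.append(f"version numbers differ across links: {sorted(versions)}")
    return problems

def build_sample(root):
    """Constructed tree modelled on the listing in the thread (empty files)."""
    archive = {"compaqportable.com": "cert1 cert3 chain1 chain3 fullchain1 fullchain3 privkey1 privkey2".split(),
               "compaqportable.com-0001": [k + n for k in KINDS for n in "12"]}
    for lineage, files in archive.items():
        os.makedirs(os.path.join(root, "archive", lineage))
        for f in files:
            open(os.path.join(root, "archive", lineage, f + ".pem"), "w").close()
    links = {"compaqportable.com": ("compaqportable.com-0001", 2),
             "compaqportable.com-0001": ("compaqportable.com", 1)}
    for lineage, (target, ver) in links.items():
        os.makedirs(os.path.join(root, "live", lineage))
        for k in KINDS:
            os.symlink(f"../../archive/{target}/{k}{ver}.pem", os.path.join(root, "live", lineage, f"{k}.pem"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(audit_lineage(root, "compaqportable.com"))
```

On a real host, `audit_lineage("/etc/letsencrypt", name)` would be run as root once per file name (minus `.conf`) in /etc/letsencrypt/renewal/.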

Wow, and thanks. That was some list of problems. Now - given that my repeated attempts to get renewal to work have created this mess, what is the recommended action?
