Renewal : too many certificates already issued

My domain is: ismartroad.com

I ran this command:
certbot certonly -d zabbix.ismartroad.com -m admin@mobil-inn.com --agree-tos -n --authenticator webroot --webroot-path /var/www/

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for zabbix.ismartroad.com
Using the webroot path /var/www for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0158_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0171_csr-certbot.pem
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: zabbix.ismartroad.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): apache2 2.4

The operating system my web server runs on is (include version): Linux zabbix 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64 GNU/Linux

My hosting provider, if applicable, is: soyoustart

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.10.2


I’ve read some "too many certificate already issued’ topics on this forum but I did not find an answer to my problem. I’m trying to renew the certificate for “zabbix.ismartroad.com” and I get the output above with the error “too many certificate already issued”.

I have around 40 subdomains on ismartroad.com that check for renewal daily and that actually get renewed when they are due (for example I got one new cert this morning for “environnement-solutions.ismartroad.com”). I have not been requesting completely new certs for subdomains of ismartroad.com in the last 7 days.

As mentionned on many topics, I used crt.sh to check for certificates and I found a lot of “final certs” issued for “zabbix.ismartroad.com” so it seems that despite the error, the certificate are generated (but I did not get the .pem files). https://crt.sh/?q=%.ismartroad.com

I also used the lectl tool which tells me : “You have issued 7 certificates in last 7 days so you could issue 43 more certificates now.” It shows the valid final certs for “zabbix.ismartroad.com” too.

Can you help me please?

Hi @teriblus

there are a lot of certificates: 95 active ( https://check-your-website.server-daten.de/?q=ismartroad.com#ct-logs ), a lot in the last days.

CertSpotter-Id Issuer not before not after Domain names LE-Duplicate next LE
972434375 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-06-18 00:00:07 2019-09-16 00:00:07 environnement-solutions.ismartroad.com - 1 entries duplicate nr. 1
972260777 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-06-17 21:41:30 2019-09-15 21:41:30 zabbix.ismartroad.com - 1 entries duplicate nr. 4
971511955 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-06-17 10:00:35 2019-09-15 10:00:35 zabbix.ismartroad.com - 1 entries duplicate nr. 3
970586187 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-06-16 21:26:17 2019-09-14 21:26:17 zabbix.ismartroad.com - 1 entries duplicate nr. 2
962577555 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-06-11 23:06:37 2019-09-09 23:06:37 smitred.ismartroad.com - 1 entries duplicate nr. 1
962439123 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-06-11 21:18:20 2019-09-09 21:18:20 zabbix.ismartroad.com - 1 entries duplicate nr. 1
961556115 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US 2019-06-11 09:13:25 2019-09-09 09:13:25 zabbix.ismartroad.com - 1 entries

That hit's the limit.

Where are these certificates? Why isn't it possible to use one of these?

Your certbot is too old, 0.10 is outdated. So first update your certbot.

You can download one of the PEM files and use that. If you have the private key.

Thank you for your quick response.

I do not have the private key, it seems like the certs are generated, and then I get the error, but I don’t get the files (or I can’t locate them, do you have an idea where they might have been saved ?). I tried the new cert with the old private key but it does not work.

I upgraded certbot (I was using the default debian package) and I get a different output :

certbot-auto --version
certbot 0.35.1

certbot-auto certonly -d zabbix.ismartroad.com -m admin@mobil-inn.com --agree-tos -n --authenticator webroot --webroot-path /var/www/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: zabbix.ismartroad.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

So this time I get the error but no generation seems to occur.

I guess I’ll try again in 7 days and see if it works. What do you think ?

Remove the -n parameter and use the test system. The folders are described:

https://certbot.eff.org/docs/using.html#configuration-file

Oldest certificate of the last 5 is from 2019-06-11 09:13:25 (perhaps some time zone changes). So it should work today. But first use the test system. You must be able to find the certificate and the private key.

Usually certbot saves the certificate files under /etc/letsencrypt/archive/(...mydomainname...)/(lot of pem files for 'mydomainname')
as you should probably know (you are backing them up right ???)

I know that certs are usually generated their, and I checked the pem files. The live directory links have been created today, but the files they are pointing to in the archive directory are the old ones. (06/02/2019)

/etc/letsencrypt/live/zabbix.ismartroad.com# ls -l
total 8
lrwxrwxrwx 1 root root 50 juin 18 00:41 cert.pem -> …/…/archive/zabbix.ismartroad.com-0001/cert1.pem
lrwxrwxrwx 1 root root 51 juin 18 00:41 chain.pem -> …/…/archive/zabbix.ismartroad.com-0001/chain1.pem
lrwxrwxrwx 1 root root 55 juin 18 00:41 fullchain.pem -> …/…/archive/zabbix.ismartroad.com-0001/fullchain1.pem
-rw-r–r-- 1 root root 1902 juin 18 10:19 newcert.pem
lrwxrwxrwx 1 root root 53 juin 18 00:41 privkey.pem -> …/…/archive/zabbix.ismartroad.com-0001/privkey1.pem
-rw-r–r-- 1 root root 543 févr. 6 16:11 README
zabbix:/etc/letsencrypt/live/zabbix.ismartroad.com# ls -l …/…/archive/zabbix.ismartroad.com-0001/
total 16
-rw-r–r-- 1 root root 1927 févr. 6 16:11 cert1.pem
-rw-r–r-- 1 root root 1647 févr. 6 16:11 chain1.pem
-rw-r–r-- 1 root root 3574 févr. 6 16:11 fullchain1.pem
-rw-r–r-- 1 root root 1708 févr. 6 16:11 privkey1.pem

There are also a lot of .pem files that may be the good ones in the keys and csr folders but I don’t know which is private key, which is fullchain and which is the cert.

Then try

certbot update_symlinks

or change the symlinks manual. Then restart your server.

I ran

certbot update_symlinks

I did update the symlinks but it made it point to an even older cert (july 2018) !

After that i retried to generate my cert using

certbot-auto certonly -d zabbix.ismartroad.com -m admin@mobil-inn.com --agree-tos -n --authenticator webroot --webroot-path /var/www/

And it outputed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Found a new cert /archive/ that was not linked to in /live/; fixing...
Keeping the existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

And now it works fine ! I hope i will be able to renew it in 2 months without running into these problems.

It seems that my issue was linked to the old certbot version that generated the pem files, then outputing the error and then not linking the pem files correctly (probably because of the error). As the pem files were generated, they counted in the total number of certs and prevented me from generating new certs.

It may be a bug, as even if the client is outdated, the letsencrypt server should not generate the pem files if the quota is reached ?

Anyway, thank you very much for your quick support and for the great service rendered by letsencrypt.

2 Likes

Yep, thanks. Updating old clients - maybe sometimes a problem.

Happy to read that you use the new certificate :heart_eyes:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.