Today I wanted to add two new subdomains and generate SSL certificates for them. Unfortunately, errors occurred.
An unexpected error occurred:
ValueError: Unable to set value to path!
I couldn’t renew or create new certificates or anything. Used “certbot delete” to get rid of the old certificates and install new ones, but that didn’t help at all. More errors occurred. Deleted the entire /etc/letsencrypt directory and tried to install new certificates. The same error occurred with ValueError. Again, used “certbot delete”, then removed /etc/letsencrypt and tried again and again, several times. Sometimes there was no error but SSL wasn’t working. After a couple of tries I reached the limit for the set of domains and subdomains, and added a new subdomain so I could generate certificates again. After that, I tried selecting the main domain and a few subdomains and it worked. SSL was working properly, but that’s not what I wanted; I need all of the subdomains to have SSL enabled. So again, deleted everything and generated again by selecting everything. Error occurred… After another delete, selected everything except the one with the www. prefix. That did the trick. Unfortunately, still not what I was expecting. Deleted again, selected all of them… New error about “loops” that didn’t let me connect through HTTPS. Deleted again, selected all and got a message about reaching the requests limit for the entire domain. That just killed me. I have to wait 7 days to get a new certificate? That means my site will be offline for 7 days! I can’t do that, everything must work with SSL. Tell me there is something I can do to get that to work. Can YOU reset those requests? Is there anything to do so I won’t lose money and users on my site?
Using Ubuntu 14.04 and apache2.
If you’ve hit a rate limit, we don’t have a way to temporarily reset it. You’ll need to wait until the rate limit expires after a week. We use a sliding window, so if you issued 10 certificates on Monday and 10 more certificates on Friday, you’ll be able to issue again starting Monday. You can get a list of certificates issued for your registered domain by searching on crt.sh, which uses the public Certificate Transparency logs.
Revoking certificates does not reset rate limits, because the resources involved in issuing the certificates have already been used.
So, no, there’s no way to reset this limit for you. In the future, please consider using the staging environment, as it has separate and considerably higher rate limits. With certbot, this is done using the --staging flag. When not sure what your commands will actually do, I would always recommend executing against staging. These rate limits are in place for a reason, because every certificate issued uses resources on the Let’s Encrypt servers and HSAs.
However, pay special attention to the part quoted regarding the sliding window. If you issued the first certificate 5 days ago, you can issue another in only 2 days. At this point, it’s a business decision between waiting out the limit (I recommend working in staging during this time to make sure you’re able to get everything right when the limit expires) and coughing up the $10 or so it would take to get a certificate from a paid vendor for the time being.
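The sliding-window arithmetic described in the replies above, as an added example that is not part of the original thread: it computes the earliest moment a new certificate can be issued from a list of past issuance times, such as those read from crt.sh. The function name, the sample timestamps and the limit of 20 (inferred from the 10 + 10 example in the reply) are assumptions.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=7)  # sliding window of one week, per the reply above


def next_issuance_time(issued_at, limit, now):
    """Earliest time a new certificate can be issued under a sliding window.

    issued_at: issuance datetimes for the registered domain (e.g. read from crt.sh)
    limit:     certificates allowed per window (assumed value, check current docs)
    now:       reference time
    """
    # Only issuances younger than the window still count against the limit.
    active = sorted(t for t in issued_at if t > now - WINDOW)
    if len(active) < limit:
        return now  # a slot is free already
    # Enough of the oldest entries must age out to leave limit - 1 in the window;
    # the last of those to expire is at index len(active) - limit.
    return active[len(active) - limit] + WINDOW


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample: 10 certificates on a Monday, 10 more on the Friday.
    monday = datetime(2017, 1, 2, 9, 0, tzinfo=utc)
    friday = datetime(2017, 1, 6, 9, 0, tzinfo=utc)
    issued = [monday] * 10 + [friday] * 10
    now = datetime(2017, 1, 7, 12, 0, tzinfo=utc)
    print("limit reached, next issuance:", next_issuance_time(issued, 20, now))

    # All issued today: the full 7 days must pass.
    today = [now - timedelta(hours=h) for h in range(20)]
    print("all issued today:", next_issuance_time(today, 20, now))
```

Revoked certificates stay in the input list, since the reply states that revocation does not reset the limit.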
So next time I’d like to generate new certificates I should use the certbot --apache --staging command?
Staging will give you an untrusted test certificate. You should run that command until you have things generating the way you expect, and then run once without the --staging flag to get the real certificate.
It’s for testing purposes. Got it, I’ll do that next time. Unlucky me…
Thank you, I’ll wait 7 days then and pay for my mistake.
Yup, just for testing. =]
If you want to post or PM me your domain, I’ll poke around the certificate transparency logs and let you know the earliest you will be able to issue a new certificate. It may very well be less than 7 days from now depending on when you started attempting issuance.
You can also look, but the results can be somewhat tricky to interpret.
Looked into it, seems these were all issued today, so it will be the full 7 days until that limit rolls around. Sorry about that.