I had to redo my installation with the addition of a new domain, and now I keep hitting the issue:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: heroesofthestorm.co.za
Please see the logfiles in /var/log/letsencrypt for more details.
Can I retrieve the certs issued originally, or do I now have to wait 60 days to be able to get a cert again?
But I don’t know if the discussion is mainly about subdomains hitting the limit for the main domain or if it’s applicable for multiple certificates for the same domain over and over again.
Well, the rate limit isn’t exactly 1 per domain, I believe, and for experimenting/testing there’s the staging server (--server https://acme-staging.api.letsencrypt.org/directory), which issues non-working certificates but doesn’t have as strict rate limits.
So I don’t think the issue is exactly “one mistake and you’re screwed”, to be honest.
What exactly is the point of obtaining a non-working SSL cert, when you have an nginx configuration which expects a working certificate to do a handshake?
You have generated 4 (!) certificates in almost exactly 2 (!) hours. Yes, your fourth one had three extra domains in its subjectAltNames, but the first three were exactly the same.
Experimenting with a live system is a good way to run into rate limits. By experimenting with the staging server, you could have avoided that. Once you had found out how the client works and were pleased with all the settings/switches, you could have switched from the staging server to the live server.
That way you’d have three non-working “experiment” certificates and a final, working one.
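The bookkeeping behind the reply above, as an added example that is not part of the thread or of the Let's Encrypt client: given a list of recently issued certificates (the kind of rows crt.sh shows for a domain), it counts how many fall inside a per-registered-domain window and flags name sets that were requested more than once, which is the "three identical certificates" pattern pointed out above. The limit, the window, the small public-suffix table and the sample certificates are assumptions made for the example, not Let's Encrypt's published values.

```python
"""Added example (not from the thread): count issuances per registered domain
inside a rate-limit window and flag repeated requests for the same name set.
The limit, window, suffix table and sample data are assumptions."""
from collections import Counter
from datetime import datetime, timedelta

# Assumed subset of public suffixes; a real tool should load the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "za", "co.za"}


def registered_domain(name):
    """'www.example.co.za' -> 'example.co.za'; 'mail.example.com' -> 'example.com'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # longest matching suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{name!r} is a public suffix, not a registrable domain")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])            # unknown TLD: fall back to the last two labels


def issuances_for(certs, domain, now, window):
    """Certificates issued within `window` before `now` that cover any name under `domain`."""
    cutoff = now - window
    return [c for c in certs
            if cutoff < c["issued"] <= now
            and any(registered_domain(n) == domain for n in c["names"])]


def duplicate_name_sets(certs):
    """Issuance count per exact name set; anything above 1 is a repeat of the same cert."""
    return Counter(frozenset(n.lower() for n in c["names"]) for c in certs)


def would_hit_limit(certs, new_names, now, limit, window):
    """True if one more certificate for `new_names` would exceed `limit` per registered domain."""
    return any(len(issuances_for(certs, d, now, window)) >= limit
               for d in {registered_domain(n) for n in new_names})


# Constructed sample: four issuances in two hours, the first three identical,
# the fourth adding three more names (the pattern described in the reply above).
T0 = datetime(2016, 1, 10, 12, 0)
BASE = ["example.co.za", "www.example.co.za"]
SAMPLE_CERTS = [
    {"issued": T0, "names": BASE},
    {"issued": T0 + timedelta(minutes=40), "names": BASE},
    {"issued": T0 + timedelta(minutes=80), "names": BASE},
    {"issued": T0 + timedelta(minutes=120),
     "names": BASE + ["mail.example.co.za", "blog.example.co.za", "shop.example.co.za"]},
]
NOW = T0 + timedelta(hours=3)
WEEK = timedelta(days=7)   # assumed window


def summarize(certs, domain, now=NOW, window=WEEK, limit=5):
    """Lines describing where `domain` stands; `limit` is an assumed threshold."""
    recent = issuances_for(certs, domain, now, window)
    repeats = {s: n for s, n in duplicate_name_sets(recent).items() if n > 1}
    lines = [f"{domain}: {len(recent)} certificate(s) in the last {window.days} days (limit {limit})"]
    for names, n in repeats.items():
        lines.append(f"  identical name set requested {n} times: {', '.join(sorted(names))}")
    if would_hit_limit(certs, [domain], now, limit, window):
        lines.append("  next request would be rejected; test against the staging server or wait")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_CERTS, "example.co.za")))
```

Run before each live request: if the summary already shows repeated name sets, the client settings, not the CA, are what still need work, and that work belongs on the staging endpoint.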
Thanks for the info, man. I am just super frustrated at the moment. I was running into issues where using -d example.com -d mail.example.com for multiple domains would each time choose a different location to save the cert in, even though the first domain specified stayed the same. This in turn meant that you had to go and update all your virtual host configs in NGINX, not being sure which cert was the correct one.
And yes, like an idiot, I went and deleted /etc/letsencrypt before trying to get the new certs, which failed. That led to 2 hours of downtime on 4 domains and forced me to revert to a StartSSL cert.
Thanks for the advice. I will just need to maintain staging and live configurations and ensure that staging works before I do anything against live. I had to remove a domain and add a new one, and this all cascaded into one giant mess since I issued a bundled cert originally.
In your defence, I tried to find anything about the --server switch in the FAQ, so one could experiment with the client options on the staging server first, but I couldn’t find any info about that… Perhaps someone from Let’s Encrypt officials could add that to the FAQ?
Oh well, no use in crying over spilled milk. I do like letsencrypt, but I do need to be more careful if I don’t want to mess my setup up. I present you with this llama-looking racehorse as a token of my appreciation.
The upcoming release will bring some updates in this regard, like a simple --staging flag (instead of passing the staging URL through --server) as well as doc changes encouraging users to start out with staging till everything looks good.
You can click on the number in the “crt.sh ID” column to view a specific certificate.
Once you have the right certificate in front of you, you can click on the link with the text “Certificate:” in the upper left corner of the biggest table field (containing all the certificate info) to download that cert.
In general, you can click on "Issuer" on the crt.sh page. That will give you the intermediate. You can then click one of the crt.sh IDs for one of the intermediate's certificates and download it as above.
In general, there can be a chain of multiple intermediates, so you may have to repeat that step.
Let's Encrypt's intermediates are subject to change, and any ACME client should automatically download the intermediates it's told to.
However, for your specific situation today, the fact is that all currently valid Let's Encrypt certificates use a single one.
You can download the "Let’s Encrypt Authority X3 (IdenTrust cross-signed)" certificate here: