Retrieving already issued certs


#1

I had to redo my installation with the addition of a new domain, and now I keep hitting the issue:

There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: heroesofthestorm.co.za
Please see the logfiles in /var/log/letsencrypt for more details.

Can I retrieve the certs issued originally, or do I now have to wait 60 days to be able to get a cert again?


#2

All your Let’s Encrypt certificates can be found here: crt.sh Identity Search: Criteria Identity = ‘heroesofthestorm.co.za’; Issuer CA ID = 7395

But if you’ve lost your private keys and don’t have a back up… Good luck with that :stuck_out_tongue:


#3

It sucks man, had like 2 hours of trying to fix servers last night, because hitting the rate limit meant all my domains didn’t renew.


#4

Thanks for the info though


#5

But I don’t think you’ll have to wait 60 days: Public beta rate limits

But I don’t know if the discussion is mainly about subdomains hitting the limit for the main domain or if it’s applicable for multiple certificates for the same domain over and over again.


#6

Still painful, one mistake and you are screwed if you have multiple domains / subdomains.


#7

Well, the rate limit isn’t exactly 1 per domain I believe and for experimenting/testing there’s the staging server (--server https://acme-staging.api.letsencrypt.org/directory), which issues non-working certificates, but doesn’t have as strict rate limits.

So I don’t think the issue is exactly “one mistake and you’re screwed” to be honest :neutral_face:


#8

What exactly is the point of obtaining a non-working SSL cert, when you have nginx configuration which expects a working certificate to do a handshake?


#9

You have generated 4 (!) certificates in almost exactly 2 (!) hours. Yes, your fourth one had three extra domains in its subjectAltNames, but the first three were exactly the same.

Experimenting with a live system is a good way to run into rate limits. :smile: By experimenting with the staging server, you could have avoided that. Finding out how the client works and when you were pleased with all the settings/switches, you could have switched from the staging server to the live server.

That way you’d have three non-working “experiment” certificates and a final, working one.

BTW, you’ll have to wait 7 days.


#10

Thanks for the info man. I am just super frustrated atm. I was running into issues where using the -d example.com -d mail.example.com for multiple domains, which would each time choose a different location to save the cert in. Even though the first domain specified stayed the same. Which in turn meant that you had to go and update all your virtual host configs in NGINX, not being sure which cert is the correct cert.

And yes like an idiot I went and deleted /etc/letsencrypt before trying to get the new certs, which failed. And led to 2 hours of downtime on 4 domains, and forced me to revert to a StartSSL cert.

Thanks for the advice, I will just need to maintain staging and live configuration and ensure that staging works before I do anything against live. I had to remove a domain and add a new one and this all cascaded into one giant mess since I issued a bundled cert originally.


#11

In your defence, I tried to find anything about the --server switch in the FAQ, so one could experiment with the client options on the staging server first, but I couldn’t find any info about that… Perhaps someone from Let’s Encrypt officials could add that to the FAQ?


#12

Oh well, no use in crying over spilled milk. I do like letsencrypt, but do need to be more careful if I don’t want to mess my setup up. I present you with this lama looking race horse as a token of my appreciation :racehorse:


#13

The upcoming release will bring some updates in this regard, like a simple --staging flag (instead of passing the staging URL through --server) as well as doc changes encouraging users to start out with staging till everything looks good.


#14

How exactly do you download​ these at this URL https://crt.sh/?q=heroesofthestorm.co.za&iCAID=7395? I hit my limit also by accident but I still have my private key.


#15

Hitting the rate limit doesn’t automatically and spontaneously delete already issued certificates from your hard drive?

Or did you accidentally delete the certificate(s) yourself?


#16

I accidentally deleted them…


#17

You can click on the number in the “crt.sh ID” column to view a specific certificate.

Once you have the right certificate in front of you, you can click on the link with the text “Certificate:” in the upper left corner of the biggest table field (containing all the certificate info) to download that cert.


#18

That is great! Is there a way to get the full chain?


#19

Generically, you can click on “Issuer” on the crt.sh page. That will give you the intermediate. You can then click one of the crt.sh IDs for one of the intermediate’s certificates, and download it as above.

Generically, there can be a chain of multiple intermediates, so you may have to repeat that step.

Let’s Encrypt’s intermediates are subject to change, and any ACME client should automatically download the intermediates it’s told to.

However, for your specific situation today, the fact is that all currently valid Let’s Encrypt certificates use a single one.

You can download the “Let’s Encrypt Authority X3 (IdenTrust cross-signed)” certificate here:

Or, more specifically:

https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

Here’s where it is on crt.sh, if you’re curious:

https://crt.sh/?caid=16418
https://crt.sh/?id=15706126


#20