Revoked a cert but not allowed to recreate due to rateLimit

Aran 2015-12-05 12:41:03 UTC #1

I first set up different certs for each of my domains, then realised I could do one cert for all. But when I did that and selected to replace & renew a current domain I couldn't find where the new multi-domain cert was (all those in /etc/letsencrypt/live were symlinks to archive).

Then to make matters worse, when I tried to run again with --cert-path to try and put the new multi-domain cert somewhere else I got hit with the "Too many certificates already issued for domain"! I tried revoking the domain in question, but still get the error!

So what now? do I have to wait for 59 days before I can try and get it to work again?!

jhass 2015-12-05 12:45:54 UTC #2

No, up to 7 days, see https://community.letsencrypt.org/t/public-beta-rate-limits/4772/3

Aran 2015-12-05 12:56:19 UTC #3

Thanks for the quick response, 7 days isn't too bad. But do you have any idea about the other problem of there seeming to be no multi-domain cert created anywhere? It asked if I wanted to replace an existing cert with the new multi-domain one, then said it had been created in the location where the old single domain cert had been (in letsencrypt/live/domain) but in there was just a symlink to the archived single domain cert?

When I'm allowed to run the command again (certonly --webroot) , would adding --cert-path ensure the new multi-domain cert is somewhere predictable instead of non-existent or over the top of one of the single domains?

jeremiejig 2015-12-05 14:10:30 UTC #4

Your multi-domain cert will be in the folder named with the first -d supplied flag.

For example, let's say you requested your cert with the following command:

letsencrypt certonly --webroot --webroot-path /var/www/html -d me.domain.org -d domain.org -d mail.domain.org -d www.domain.org -d domain.net -d mail.domain.net

You will find your certificate, private-key in the folder /etc/letsencrypt/archives/me.domain.org and the files in /etc/letsencrypt/live/me.domain.org will point to the latest certificate issued.

Revoking a lost certificate

Aran 2015-12-05 14:17:16 UTC #5

I think it must work slightly differently than that because it was the 7th domain's dir that it said it would be putting it in. But the first 6 domain were all new certs, the 7th was the first one that had an existing LE cert installed, and was the one the query about replacing/renewing was about.

jeremiejig 2015-12-05 14:20:22 UTC #6

Well when in that case it will put the 7th domain in the 1st domain folder.

You will normally find this files cert1.pem cert2.pem chain1.pem chain2.pem fullchain1.pem fullchain2.pem privkey1.pem privkey2.pem

I already encountered your case but for me it was to expand one certificate (initially with two domain) to more domain.

Aran 2015-12-05 14:26:09 UTC #7

Ah yes I see now that when I do ls -al /etc/letsencrypt/live/*/cert.pm it shows that all of them are symlinks to ...archive.../cert1.pem except for the seventh domain's dir which links to cert2.pem and cert2.pem is much bigger than all the cert1.pem files so it looks like it created a new cert there with all the domains in the 7th domain's dir.