Too many certificates have already been issued for the exact set of domains

Good evening :smiley:

First of all, I want to thank whoever can help me, and apologize in advance for any inconvenience caused.

Some context:

For a final course project, I am trying to configure and enable HTTPS with a Let's Encrypt certificate on a virtual machine in VirtualBox. I am a beginner and this is the first time I have worked with real certificates (in class we used self-signed certificates with Apache2).

I am using Ubuntu Server 20.04.

To install the certificate I followed the instructions on the Certbot website (Ubuntu focal, Nginx) to install and configure it with Nginx.

- I can read responses in English (yes or no): yes

- My domain is: mjocanaodoo.ddns.net

- I ran this command: sudo certbot --nginx

- It produced this output:

mjocana1310@mjocana1310ieszaidinvergeles:~$ sudo certbot --nginx
[sudo] password for mjocana1310:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): mj.ocanar@gmail.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mjocanaodoo.ddns.net
2: www.mjocanaodoo.ddns.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for mjocanaodoo.ddns.net
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: 	mjocanaodoo.ddns.net: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

Note: there are no entries in the log because this is a restored snapshot and those files do not exist on the system.

- My web server is (include version):
mjocana1310@mjocana1310ieszaidinvergeles:~$ nginx -v
nginx version: nginx/1.18.0 (Ubuntu)

- The operating system my web server runs on is (include version):
mjocana1310@mjocana1310ieszaidinvergeles:/$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
Codename:       focal

- My hosting provider (if applicable) is: https://www.noip.com/

- I can log in to a root shell on my server (yes, no, or I don't know): yes

- I am using a control panel to manage my site (no, or provide the name and version of the control panel): No, I do it directly over an SSH connection to the server with PuTTY.

- My client version is (e.g. if you use certbot, show the output of `certbot --version` or `certbot-auto --version`):
mjocana1310@mjocana1310ieszaidinvergeles:/$ certbot --version
certbot 1.15.0

I have been reading this forum and the following manual: Rate Limits - Let's Encrypt - Free SSL/TLS Certificates.

And I looked up crt.sh | mjocanaodoo.ddns.net and it shows:

But I do NOT quite understand the result I get. From what I have read, it is because too many certificates have been issued for the domain mjocanaodoo.ddns.net, but on the crt.sh page I see that "there have only been 10"??

The reason for having requested "so many" was that I was not able to get the domain working at https://mjocanaodoo.ddns.net, and I went back several times to an earlier state through a snapshot I had previously created in VirtualBox. The snapshot I had in VirtualBox was deleted, so I cannot go back to the configuration in which certbot installed the Let's Encrypt certificates for the domain mjocanaodoo.ddns.net.

Any suggestions?
Thank you very much for everything!!

3 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

First off, let me thank you for actually reading some things first! :pray: You checked the right sources for the right information.

The reason that it appears on crt.sh that you have had 10 certificates issued is because that list also shows the precertificate for each certificate. If you click on each certificate and look at the top, you will see that the real certificates say "Leaf certificate" while the precertificates say "Precertificate". Thus, you have only been issued 5 certificates.

As for getting around this, since you seem to understand the mistake you made, I have a workaround for you, but you'll need to add a subdomain (like www.mjocanaodoo.ddns.net). Can you do this?

PS - My Spanish is alright, but I didn't want confusions in translation. If there is something you need explained differently, just let me know.

Your website does not appear to be responding right now. I get a 500 error when I try to visit with my web browser.

4 Likes

Thank you very much for your time and kindness :smiley:

I am sorry to ask such basic questions, but I am a total beginner on this topic and my English is not very good either, but I will try.

What is the difference between a "Leaf certificate" and a "Precertificate"? I have been googling a bit but I don't quite understand it. We never saw any of this in class when we studied the Domain Name Service (DNS), nor in HTTPS.

In my Nginx configuration file, besides mjocanaodoo.ddns.net I also manually typed www.mjocanaodoo.ddns.net because I saw it in a YouTube tutorial, but I never use it. I am using mjocanaodoo.ddns.net exclusively for the practice.

I think, though I am not sure (I will have to look into it tomorrow), that https://www.noip.com/ does not allow creating subdomains (for free). For the class project we cannot use versions that require payment.

And I very much doubt that a client like Webmin would allow configuring DNS Bind9 with aliases. I have not tried this yet; I am writing it right now:
Example:
ddns.net. IN NS mjocanaodoo.ddns.net.
mjocanaodoo.ddns.net. IN A 192.168.1.30
www.mjocanaodoo.ddns.net. IN CNAME mjocanaodoo.ddns.net.

I am sorry to bother you once more, but if I could only continue with the domain "mjocanaodoo.ddns.net", I would have to wait the 7 days indicated in the Let's Encrypt documentation to try again, right?

Have a very good night!!
:four_leaf_clover: :crescent_moon:

> Your website does not appear to be responding right now. I get a 500 error when I try to visit with my web browser.

Yes, that is because I have the virtual machine that hosts the server turned off right now.
I only keep it on when I am working on the project because it has almost no security measures configured or installed.

If at any time you need to check something, you can let me know and I will turn it on; I access it through mjocanaodoo.ddns.net:8069 because my project is based on implementing an ERP with Odoo.

3 Likes

That's the right idea. :slightly_smiling_face:

That's a local IP address that's unreachable from the internet without some type of external routing.

I see this:

mjocanaodoo.ddns.net. 59 IN A 85.136.43.66

That's correct.

4 Likes

Hola @mj_ocanar,

"Leaf certificate" is a name for the certificates that are issued to web sites. This is based on a metaphor that sees the public key infrastructure system as a tree. Then the most-trusted certificates are called "root certificates" (certificados raíces) (Certificado raíz - Wikipedia, la enciclopedia libre), while the certificates eventually issued to end-users and web sites are "leaf certificates". Unfortunately the certificates in the middle are just called "intermediate certificates" rather than "trunk certificates" or "branch certificates" :grinning: .

Another name for leaf certificates is "end-entity certificates", or just "certificates"!

Precertificates are a somewhat obscure or advanced topic related to the Certificate Transparency system, which is a relatively recent invention that helps make sure that no one can secretly issue false certificates as part of an attack. The precertificates are used as part of certificate authorities' public disclosures of the certificates that they issue.

Precertificates are never installed directly on web servers or distributed directly to end-users, so most people don't know about them and don't interact with them directly—even people who are working actively with the HTTPS ecosystem or system administration. However, because issued-certificate search tools like crt.sh are meant to help people see the Certificate Transparency information, they include this additional feature.

Since Certificate Transparency is still less than 10 years old (and most people don't interact with it directly at all), most documentation and educational material about HTTPS wouldn't have a reason to mention Certificate Transparency or precertificates. Until 2013, they didn't even exist yet!

3 Likes
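Added example, not code from this thread, from Let's Encrypt or from crt.sh: it shows the two points made above in working code. A crt.sh listing has one row for the precertificate and one for the leaf certificate, but both share the same serial number, so collapsing rows by serial gives the number of certificates the CA actually issued; and the duplicate-certificate limit (5 per 7 days) is keyed on the exact, normalised set of names, so a set that adds www is a separate bucket. The rows, serials and dates below are constructed; the assumption that crt.sh's `name_value` field lists the SAN names separated by newlines is noted in the code.

```python
"""Collapse crt.sh rows into distinct certificates and check the duplicate-certificate limit.

Added example (not from the thread or from crt.sh / Let's Encrypt). Precertificate
and leaf rows share a serial number, so rows are deduplicated by serial.
"""
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5          # Let's Encrypt duplicate-certificate limit per exact name set
WINDOW = timedelta(days=7)   # rolling window the limit is measured over


def _precert_and_leaf(serial, name_value, not_before):
    """Two constructed crt.sh-style rows (precert + leaf) for one certificate."""
    row = {"serial_number": serial, "name_value": name_value, "not_before": not_before}
    return [dict(row), dict(row)]


# Constructed data: serials, dates and the "current time" are made up.
# Assumption: crt.sh's name_value holds the SAN names separated by newlines.
NOW = datetime(2021, 5, 10, 21, 0, 0)
CRTSH_ROWS = (
    _precert_and_leaf("04a1", "mjocanaodoo.ddns.net", "2021-04-20T09:00:00")   # older than 7 days
    + _precert_and_leaf("04a2", "mjocanaodoo.ddns.net", "2021-05-04T10:00:00")
    + _precert_and_leaf("04a3", "mjocanaodoo.ddns.net", "2021-05-05T10:00:00")
    + _precert_and_leaf("04a4", "mjocanaodoo.ddns.net", "2021-05-06T10:00:00")
    + _precert_and_leaf("04a5", "mjocanaodoo.ddns.net", "2021-05-07T10:00:00")
    + _precert_and_leaf("04a6", "mjocanaodoo.ddns.net", "2021-05-08T10:00:00")
)


def exact_domain_set(names):
    """Key the limit is applied to: the sorted, lowercased set of names."""
    return tuple(sorted({n.strip().lower() for n in names if n.strip()}))


def distinct_certificates(rows):
    """One entry per serial number, i.e. precert/leaf pairs counted once."""
    by_serial = {}
    for row in rows:
        serial = row["serial_number"].lower()
        if serial not in by_serial:
            by_serial[serial] = {
                "names": exact_domain_set(row["name_value"].split("\n")),
                "not_before": datetime.fromisoformat(row["not_before"]),
            }
    return list(by_serial.values())


def issuance_times(rows, names, now):
    """Issuance times inside the window for certificates covering exactly these names."""
    key = exact_domain_set(names)
    return sorted(
        c["not_before"]
        for c in distinct_certificates(rows)
        if c["names"] == key and now - WINDOW < c["not_before"] <= now
    )


def rate_limit_status(rows, names, now):
    """Return (certificates issued in the window, earliest time a new one can be requested)."""
    times = issuance_times(rows, names, now)
    if len(times) < DUPLICATE_LIMIT:
        return len(times), now
    # At the limit: the oldest in-window certificate has to age out of the window first.
    return len(times), times[0] + WINDOW


if __name__ == "__main__":
    for names in (["mjocanaodoo.ddns.net"],
                  ["mjocanaodoo.ddns.net", "www.mjocanaodoo.ddns.net"]):
        count, next_ok = rate_limit_status(CRTSH_ROWS, names, NOW)
        print(f"{sorted(names)}: {count} of {DUPLICATE_LIMIT} issued in the last 7 days, "
              f"next request possible at {next_ok:%Y-%m-%d %H:%M}")
```

With the constructed data, 12 crt.sh rows collapse to 6 certificates, 5 of them inside the 7-day window for the single-name set, so the next request for that exact set is only possible once the oldest of the five ages out; the two-name set has no certificates in the window and is not blocked. Running this against real crt.sh output before the next `certbot` attempt avoids burning another request against the limit.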

:innocent: OK, thank you very much again.

Well, tomorrow I will try to follow your advice and install Webmin to create the forward and reverse master zones.

True! You are right, I would have to associate my public IP with the domain name. I was "betrayed" by the habit of studying locally with bridged adapters in VirtualBox, hahaha!

Good night!!

4 Likes

Have a good night and best of luck! :slightly_smiling_face:

:sleeping:

Just make sure anything you implement works from the internet and not just locally. Check with your phone.

4 Likes

Thank you so much for spending part of your time teaching me about this. I will certainly keep researching and trying to understand the documentation you have given me, because I love everything related to cybersecurity :slight_smile:

Thank you very much again,
have a fantastic night! :star:

4 Likes