Site down, can't renew

My domain is:
www.sendthemtomir.com

I ran this command:
certbot certonly

It produced this output:
╰─➤ certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): www.sendthemtomir.com
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.sendthemtomir.com
Waiting for verification…
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: www.sendthemtomir.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
ii nginx-common 1.14.2-2 all small, powerful, scalable web/proxy server - common files
ii nginx-full 1.14.2-2 amd64 nginx web/proxy server (standard version)

The operating system my web server runs on is (include version):
╰─➤ uname -a
Linux sendthemtomir.com 4.18.16-x86_64-linode118 #1 SMP PREEMPT Mon Oct 29 15:38:25 UTC 2018 x86_64 GNU/Linux

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Hi @corwin

why do you want to create a new certificate? You have created some certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=p:c2VuZHRoZW10b21pci5jb206ZmFsc2U6dHJ1ZTo6RUFFPQ&cert_search=include_expired:false;include_subdomains:true;domain:sendthemtomir.com&lu=cert_search_cert

Where are these? Isn’t it possible to use one of these certificates?

PS: Your non-www version ( https://check-your-website.server-daten.de/?q=sendthemtomir.com )

has a 502, Bad Gateway. But this is a different problem. Your www-version works.

The “problem” may be in your expectations of that command.
certonly does just that: CERT ONLY
[or perhaps better stated: ONLY CERT]

You probably already have a valid (renewed) cert in your system.
Please show:
certbot certificates

Ideally you would renew with just:
certbot renew

[edit] Maybe you just need to restart your web service…

╰─➤ certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/www.sendthemtomir.com/cert.pem is unknown

Found the following certs:
Certificate Name: music.sendthemtomir.com
Domains: music.sendthemtomir.com
Expiry Date: 2019-04-08 13:00:43+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/music.sendthemtomir.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/music.sendthemtomir.com/privkey.pem
Certificate Name: mab.sendthemtomir.com
Domains: mab.sendthemtomir.com
Expiry Date: 2019-04-14 18:21:29+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mab.sendthemtomir.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mab.sendthemtomir.com/privkey.pem
Certificate Name: mir.rocks
Domains: *.mir.rocks
Expiry Date: 2019-03-07 18:02:35+00:00 (VALID: 51 days)
Certificate Path: /etc/letsencrypt/live/mir.rocks/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mir.rocks/privkey.pem
Certificate Name: www.sendthemtomir.com
Domains: www.sendthemtomir.com
Expiry Date: 2018-12-18 15:35:12+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/www.sendthemtomir.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.sendthemtomir.com/privkey.pem

╰─➤ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/music.sendthemtomir.com.conf

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/mab.sendthemtomir.com.conf

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/mir.rocks.conf

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/www.sendthemtomir.com.conf

Cert is due for renewal, auto-renewing…
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/chat.sendthemtomir.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(’/etc/letsencrypt/live/chat.sendthemtomir.com/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError(‘Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/etc/letsencrypt/live/chat.sendthemtomir.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(’/etc/letsencrypt/live/chat.sendthemtomir.com/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n’)
Attempting to renew cert (www.sendthemtomir.com) from /etc/letsencrypt/renewal/www.sendthemtomir.com.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError(‘Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/etc/letsencrypt/live/chat.sendthemtomir.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(’/etc/letsencrypt/live/chat.sendthemtomir.com/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n’). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.sendthemtomir.com/fullchain.pem (failure)

The following certs are not due for renewal yet:
/etc/letsencrypt/live/music.sendthemtomir.com/fullchain.pem expires on 2019-04-08 (skipped)
/etc/letsencrypt/live/mab.sendthemtomir.com/fullchain.pem expires on 2019-04-14 (skipped)
/etc/letsencrypt/live/mir.rocks/fullchain.pem expires on 2019-03-07 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.sendthemtomir.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

Did you have a CHAT site, that is no longer using a cert but seems to still be configured to use a cert?

Yes, I did have a chat site. I removed it, but there was still a reference in sites-enabled. I just removed it.

╰─➤ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/music.sendthemtomir.com.conf

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/mab.sendthemtomir.com.conf

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/mir.rocks.conf

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/www.sendthemtomir.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.sendthemtomir.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.sendthemtomir.com) from /etc/letsencrypt/renewal/www.sendthemtomir.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: www.sendthemtomir.com: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.sendthemtomir.com/fullchain.pem (failure)

The following certs are not due for renewal yet:
/etc/letsencrypt/live/music.sendthemtomir.com/fullchain.pem expires on 2019-04-08 (skipped)
/etc/letsencrypt/live/mab.sendthemtomir.com/fullchain.pem expires on 2019-04-14 (skipped)
/etc/letsencrypt/live/mir.rocks/fullchain.pem expires on 2019-03-07 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.sendthemtomir.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

OK, now you just have to wait out the limit (5 per name/day - or something like that).
Check it here: https://letsdebug.net/www.sendthemtomir.com/16080

On a different server with ssdnodes that’s been down for a couple of days now.

Do you know where the other 5 certificates created over the last few days are?

Can you post “sudo ls -alR /etc/letsencrypt/{archive,live,renewal}”?

Edit: Oh. Never mind.

Edit: As the documentation says, you can work around the duplicate certificate rate limit by issuing certificates that aren’t duplicates: You can add a second (valid) (sub)domain.

Thanks to everyone for all the extremely responsive and fast help! I was able to get a wildcert cert for *.sendthemtomir.com which is now working.

Oh. Yes, that works too!

Don’t forget that it will expire in 90 days. If you did the validation manually, you’ll have to do it again to renew it.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.