Site down, can't renew


#1

My domain is:
www.sendthemtomir.com

I ran this command:
certbot certonly

It produced this output:
╰─➤ certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): www.sendthemtomir.com
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.sendthemtomir.com
Waiting for verification…
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: www.sendthemtomir.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
ii nginx-common 1.14.2-2 all small, powerful, scalable web/proxy server - common files
ii nginx-full 1.14.2-2 amd64 nginx web/proxy server (standard version)

The operating system my web server runs on is (include version):
╰─➤ uname -a
Linux sendthemtomir.com 4.18.16-x86_64-linode118 #1 SMP PREEMPT Mon Oct 29 15:38:25 UTC 2018 x86_64 GNU/Linux

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

Hi @corwin

why do you want to create a new certificate? You have created some certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=p:c2VuZHRoZW10b21pci5jb206ZmFsc2U6dHJ1ZTo6RUFFPQ&cert_search=include_expired:false;include_subdomains:true;domain:sendthemtomir.com&lu=cert_search_cert

Where are these? Isn’t it possible to use one of these certificates?


#3

PS: Your non-www version ( https://check-your-website.server-daten.de/?q=sendthemtomir.com )

Domainname Http-Status redirect Sec. G
http://sendthemtomir.com/
66.175.222.18 301 https://www.sendthemtomir.com/ 0.350 E
http://www.sendthemtomir.com/
66.175.222.18 301 https://www.sendthemtomir.com/ 0.353 A
https://sendthemtomir.com/
66.175.222.18 502 4.390 N
Bad Gateway
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
https://www.sendthemtomir.com/
66.175.222.18 200 3.837 N
Certificate error: RemoteCertificateChainErrors

has a 502, Bad Gateway. But this is a different problem. Your www-version works.


#4

The “problem” may be in your expectations of that command.
certonly does just that: CERT ONLY
[or perhaps better stated: ONLY CERT]

You probably already have a valid (renewed) cert in your system.
Please show:
certbot certificates

Ideally you would renew with just:
certbot renew

[edit] Maybe you just need to restart your web service…


#5

╰─➤ certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/www.sendthemtomir.com/cert.pem is unknown


Found the following certs:
Certificate Name: music.sendthemtomir.com
Domains: music.sendthemtomir.com
Expiry Date: 2019-04-08 13:00:43+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/music.sendthemtomir.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/music.sendthemtomir.com/privkey.pem
Certificate Name: mab.sendthemtomir.com
Domains: mab.sendthemtomir.com
Expiry Date: 2019-04-14 18:21:29+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mab.sendthemtomir.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mab.sendthemtomir.com/privkey.pem
Certificate Name: mir.rocks
Domains: *.mir.rocks
Expiry Date: 2019-03-07 18:02:35+00:00 (VALID: 51 days)
Certificate Path: /etc/letsencrypt/live/mir.rocks/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mir.rocks/privkey.pem
Certificate Name: www.sendthemtomir.com
Domains: www.sendthemtomir.com
Expiry Date: 2018-12-18 15:35:12+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/www.sendthemtomir.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.sendthemtomir.com/privkey.pem



#6

╰─➤ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/music.sendthemtomir.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/mab.sendthemtomir.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/mir.rocks.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.sendthemtomir.com.conf


Cert is due for renewal, auto-renewing…
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/chat.sendthemtomir.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(’/etc/letsencrypt/live/chat.sendthemtomir.com/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

Could not choose appropriate plugin: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError(‘Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/etc/letsencrypt/live/chat.sendthemtomir.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(’/etc/letsencrypt/live/chat.sendthemtomir.com/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n’)
Attempting to renew cert (www.sendthemtomir.com) from /etc/letsencrypt/renewal/www.sendthemtomir.com.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError(‘Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] BIO_new_file("/etc/letsencrypt/live/chat.sendthemtomir.com/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(’/etc/letsencrypt/live/chat.sendthemtomir.com/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n’). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.sendthemtomir.com/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/music.sendthemtomir.com/fullchain.pem expires on 2019-04-08 (skipped)
/etc/letsencrypt/live/mab.sendthemtomir.com/fullchain.pem expires on 2019-04-14 (skipped)
/etc/letsencrypt/live/mir.rocks/fullchain.pem expires on 2019-03-07 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.sendthemtomir.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)


#7

Did you have a CHAT site, that is no longer using a cert but seems to still be configured to use a cert?


#8

Yes, I did have a chat site. I removed it, but there was still a reference in sites-enabled. I just removed it.


#9

╰─➤ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/music.sendthemtomir.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/mab.sendthemtomir.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/mir.rocks.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.sendthemtomir.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.sendthemtomir.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.sendthemtomir.com) from /etc/letsencrypt/renewal/www.sendthemtomir.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: www.sendthemtomir.com: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.sendthemtomir.com/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/music.sendthemtomir.com/fullchain.pem expires on 2019-04-08 (skipped)
/etc/letsencrypt/live/mab.sendthemtomir.com/fullchain.pem expires on 2019-04-14 (skipped)
/etc/letsencrypt/live/mir.rocks/fullchain.pem expires on 2019-03-07 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.sendthemtomir.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)


#10

OK, now you just have to wait out the limit (5 per name/day - or something like that).
Check it here: https://letsdebug.net/www.sendthemtomir.com/16080


#11

On a different server with ssdnodes that’s been down for a couple of days now.


#12

Do you know where the other 5 certificates created over the last few days are?

Can you post “sudo ls -alR /etc/letsencrypt/{archive,live,renewal}”?

Edit: Oh. Never mind.

Edit: As the documentation says, you can work around the duplicate certificate rate limit by issuing certificates that aren’t duplicates: You can add a second (valid) (sub)domain.


#13

Thanks to everyone for all the extremely responsive and fast help! I was able to get a wildcert cert for *.sendthemtomir.com which is now working.


#14

Oh. Yes, that works too!

Don’t forget that it will expire in 90 days. If you did the validation manually, you’ll have to do it again to renew it.


closed #15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.