SSL request: Shows up multiple times on the transparency report

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
le64 --key account.key --email “” --csr “riskmgr-letsencrypt-wildcard-auto.csr” --handle-as dns --api 2 --csr-key “private-riskmgr-20190712.pem” --domains “*,” --generate-missing -crt riskmgr-letsencrypt-wildcard.crt --live

It produced this output:
I don’t have the out any more , but there was a failure to verify and a success

My web server is (include version):
IIS 8.5

The operating system my web server runs on is (include version):
Windows Server 2012 R2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): ZeroSSL Crypt::LE client V0.31

I have been trying to renew my wildcard ssl cert. After a few attempts I was successful. However I couldn’t unpack the crt to *.pfx file. The *pem key didn’t match up ? So I retried renewing again, and I got another ssl cert. But failed again due to the key issue. So before I hit the rate limit I tried a completely new account key, which this time did hit the rate limit. What am I doing wrong which procedures should i have taken?

My ssl requests

I checked the site and saw that I had multiple SSL cert, where as I just needed 1. Any help to improve my process and to avoid hitting the limit would be appreciated. Thanks.

Here is my full command :
openssl genrsa -des3 -out private-riskmgr-20190712.pem 2048
le64 --key account.key --email “” --csr “riskmgr-letsencrypt-wildcard-auto.csr” --handle-as dns --api 2 --csr-key “private-riskmgr-20190712.pem” --domains “*,” --generate-missing -crt riskmgr-letsencrypt-wildcard.crt --live

openssl pkcs12 -inkey private-riskmgr-20190712.pem -in riskmgr-letsencrypt-wildcard.crt -export -out riskmgr-letsencrypt-wildcard.pfx <======= produced “No certificate matches private key”

Hi @jose

you have created 5 identical certificates today - - Make your website better - DNS, redirects, mixed content, certificates

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-07-12 2019-10-10 *, - 2 entries duplicate nr. 5 next Letsencrypt certificate: 2019-07-19 08:20:19
Let's Encrypt Authority X3 2019-07-12 2019-10-10 *, - 2 entries duplicate nr. 4
Let's Encrypt Authority X3 2019-07-12 2019-10-10 *, - 2 entries duplicate nr. 3
Let's Encrypt Authority X3 2019-07-12 2019-10-10 *, - 2 entries duplicate nr. 2
Let's Encrypt Authority X3 2019-07-12 2019-10-10 *, - 2 entries duplicate nr. 1

That's not a failure, there are enough certificates.

Your domain is invisible, only timeouts.

Looks like you use the wrong combination of private and public key.

Check date / time of your private keys and certificates to find the correct private key.

Thanks for the quick reply.

I don’t know how I made duplicates, besides retying with the same command. Is there a different command to renewing (*)certificates?

I’ll try the keys again, I think it is likely that I messed up and can’t the correct key anymore. How do I not create 5 duplicates ?

Thanks in advance.

That creates duplicates.

One time is enough. It's an installation problem, not a certificate creation problem.

Then you have to wait - 2019-07-19.

That’s unfortunate.

I just retried the combination of key / certificates. I found one that works. Thanks for your advice. I’ll try and see if there is a simpler way to do this. If you have any recommendation I would love to hear it. Have a nice weekend and thanks for your help :smile:

By default the produced crt file would contain 2 certificates - the one of your domain and an intermediate one. If you need to produce a pfx version of the certificate, you can either remove that additional intermediate certificate from crt before the conversion, or (which is a better option) just use the native option of the client to produce a pfx along with crt - see --export-pfx option description.

Thank you! I’ll will look this information up. This should improve some error prone mistakes.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.