Sslforfree urn:acme:error:rateLimited

Hi,

yesterday I tried to renew (and create) certificates on an Ubuntu VM via the command line letsencrypt tool. While the tool reported that the certificate was renewed/created successfully, subsequently restarting the nginx webserver always failed (with certificate errors). Unfortunately, I repeated the process several times, following multiple tutorials, with no success.

Today, I was made aware by our old admin that he also experienced issues when trying the command line tools directly, and he told me that I have to do it the way he did, i.e. use sslforfree to successfully recreate/renew the certificate. I followed the instructions given by the site (manual verification via the upload of a file). Following the instructions, I now got the following error (rateLimit exceeded):

Certificate signature failed. If you supplied your own CSR make sure the domains on it match what you put on SSLForFree. If there is a rate limiting error at the end of this paragraph certificates per Domain is currently 5 per 7 days. Try asking Lets Encrypt to increase the limit or wait 7 days. Rate limits should increase in the near future. { "type": "urn:acme:error:rateLimited", "detail": "Error creating new cert :: too many certificates already issued for exact set of domains: daimler-c03.vrcm.rocket-di.com", "status": 429 }

Since the result suggests asking Let's Encrypt to increase the limit, I would like to ask if it is possible to reset/increase the limit within a short period of time, or do I have to wait for the timespan of 7 days before I can try to renew the certificate again?

Also I read on this site that the limit has been increased to 20, so is our domain configuration out of date?
I would be really glad if you could help us out on short notice. Otherwise I will wait for a week and try again.

My apologies for the inconvenience & many thanks in advance for any help.
Best

You've triggered the Duplicate Certificate rate limit, which is 5 per week. (Actually, due to a minor issue, it's currently 6.)

https://crt.sh/?q=daimler-c03.vrcm.rocket-di.com

You haven't triggered the Certificates per Registered Domain limit, which is 20 per week.

https://crt.sh/?q=%rocket-di.com

By my count, there are about 18, so you're getting very close, and won't have many more chances before the 16th.

You ought to be able to issue a certificate for daimler-c03.vrcm.rocket-di.com plus another name. For example, "daimler-c03.vrcm.rocket-di.com, daimler-c04.vrcm.rocket-di.com" or "daimler-c03.vrcm.rocket-di.com, www.example.net". Just find or create some other (sub)domain you can validate, and use it. That will bypass the Duplicate Certificate limit, since it's not a duplicate, while still counting towards the Certificates per Registered Domain limit for every domain involved.

Rate limit increase requests take more than 7 days to process, and wouldn't be approved for this reason.

Edited to add:

In future, you can use the staging environment to create test certificates while working things out. If you're using the Certbot client, use "letsencrypt --staging" or "certbot --staging".

And if you can post more information about the Nginx issue, we may be able to help with it. :slightly_smiling_face:
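The two limits described in the reply above can be checked against an issuance history before requesting another certificate. The following is an added example, not part of the original thread or any Let's Encrypt tooling: the history, the `example.com` names, the date, and the two-label registered-domain shortcut are constructed assumptions, and only the limits of 5 and 20 per week come from the reply.

```python
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5           # same exact set of names, per week (from the reply above)
REGISTERED_DOMAIN_LIMIT = 20  # certificates per registered domain, per week
WINDOW = timedelta(days=7)

def registered_domain(name):
    # Assumption: the registered domain is the last two labels. Real code
    # needs the Public Suffix List (e.g. for names under co.uk).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def check_issuance(history, requested, now):
    """history: list of (issued_at, [names]); requested: names for the new cert."""
    wanted = frozenset(n.lower() for n in requested)
    recent = [frozenset(n.lower() for n in names)
              for issued_at, names in history if now - issued_at < WINDOW]
    # Duplicate limit: only certificates with exactly the same name set count.
    duplicates = sum(1 for names in recent if names == wanted)
    # Registered-domain limit: any certificate touching the domain counts.
    per_domain = {
        dom: sum(1 for names in recent
                 if any(registered_domain(n) == dom for n in names))
        for dom in sorted({registered_domain(n) for n in wanted})
    }
    blocked_by = []
    if duplicates >= DUPLICATE_LIMIT:
        blocked_by.append("duplicate certificate")
    blocked_by += [f"certificates per registered domain: {d}"
                   for d, c in per_domain.items() if c >= REGISTERED_DOMAIN_LIMIT]
    return {"duplicates": duplicates, "per_domain": per_domain,
            "blocked_by": blocked_by}

# Constructed sample history (not real crt.sh data): five renewals of the same
# single-name certificate, 13 other certificates, and one outside the window.
NOW = datetime(2024, 1, 10, 12, 0)
HISTORY = (
    [(NOW - timedelta(days=d), ["c03.example.com"]) for d in range(1, 6)]
    + [(NOW - timedelta(days=2), [f"host{i}.example.com"]) for i in range(13)]
    + [(NOW - timedelta(days=10), ["c03.example.com"])]
)

if __name__ == "__main__":
    print(check_issuance(HISTORY, ["c03.example.com"], NOW))
    print(check_issuance(HISTORY, ["c03.example.com", "c04.example.com"], NOW))
```

Adding a second name changes the exact name set, so the duplicate count drops to zero while the per-domain count stays the same.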

Thanks for the fast reply!

Since my colleagues might increase the Certificates per Registered Domain within the next days, I don’t want to unnecessarily increase the count. Thus, I will just wait for a week before I try again.

Again, thanks for the help.
