Test hook & rate limit

chronotech · April 3, 2020, 8:16am

Hi !

I’m scripting a deploy hook and i want to test it but i get a rate limit error
How can i test my deploy hook script ?

Commands:

# nano /etc/letsencrypt/renewal-hooks/deploy/mysuperscript.ssh
# certbot renew --force-renewal

Results:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mysuperdomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator dns-rfc2136, Installer None
Renewing an existing certificate
Attempting to renew cert (mysuperdomain.com) from /etc/letsencrypt/renewal/mysuperdomain.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.mysuperdomain.com,mysuperdomain.com: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mysuperdomain.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mysuperdomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

9peppe · April 3, 2020, 8:24am

or

chronotech · April 3, 2020, 8:46am

OK!

I tried to use de staging environment (Staging Environment - Let's Encrypt) with the dry-run parameter but it skip the deploy hook command :

Dry run: skipping deploy hook command: /etc/letsencrypt/renewal-hooks/deploy/mysuperscript.ssh

Did i forget something ?

Commands:

# certbot renew --force-renewal --dry-run

Results:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mysuperdomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator dns-rfc2136, Installer None
Renewing an existing certificate
Dry run: skipping deploy hook command: /etc/letsencrypt/renewal-hooks/deploy/mysuperscript.ssh

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/mysuperdomain.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/mysuperdomain.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

9peppe · April 3, 2020, 8:47am

your use case is different than what --dry-run expects. You should use --test or --staging explicitly (and be careful because they can replace your valid cert with an invalid one, specify a different --cert-name):

chronotech · April 3, 2020, 9:40am

OK !

My certificate is not in production soo i deleted the production’s cert :

# cd /etc/letsencrypt
# certbot delete --cert-name mysuperdomain.com

Then i created the staging certificate and force renew it :

# certbot certonly --dns-rfc2136 --dns-rfc2136-credentials .secrets/mysuperdomain.com.tsig -d mysuperdomain.com -d *.mysuperdomain.com –staging
# certbot renew --force-renewal --staging --cert-name mysuperdomain.com

With a successfull result

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mysuperdomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator dns-rfc2136, Installer None
Renewing an existing certificate
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/mysuperscript.ssh

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/mysuperdomain.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/mysuperdomain.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thank for your help !

system · May 3, 2020, 9:40am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Strange rate limit hit Help	2	609	June 5, 2019
Renew_hook in in the /renewal/domain.conf file? Help	13	3167	August 2, 2023
Reach rate limit? Help	7	1013	November 28, 2019
`certbot renew` overwriting renewal file Help	6	1519	May 19, 2020
How can I test manual hooks with the current limits? Help	5	981	April 21, 2018

Test hook & rate limit

Related topics