There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for:

Help
1

Hi
I would like to add new subdomain to my existing cert and I have a problem with limit error.
Error is " too many certificates already issued" but I don’t create certificates over limit - last time when I success created cert was: 2018-04-19.

I don’t have that error never before and I don’t know where the problem is.

My domain is:
lp-portal.pl

I ran this command:
sudo certbot certonly --authenticator webroot -w /pat/to/web/ --installer apache --email admin@lp-portal.pl --expand --eff-email --cert-name gminy.lp-portal.pl -d gminabrzeznica.lp-portal.pl -d gminabrudzew.lp-portal.pl …… kolaczkowo.lp-portal.pl -d gminajutrosin.lp-portal.pl

It produced this output:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for: lp-portal.pl: see https://letsencrypt.org/docs/rate-limits/
b’{\n “type”: “urn:acme:error:rateLimited”,\n “detail”: “Error creating new cert :: too many certificates already issued for: lp-portal.pl: see https://letsencrypt.org/docs/rate-limits/”,\n “status”: 429\n}’

My web server is (include version):
Server version: Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):
Description: Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is:
dedicated server

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

CRON:
15 3 * * * root /usr/bin/certbot renew --quiet

CRT.SH:
https://crt.sh/?q=lp-portal.pl

btw.

  1. Today I upgraded certbot but it doesn’t help.

  2. I have 10 different certificates that contains list of subdomains. Each contains some groups of subdomains, eg:
    cert_a: a1.lp-portal.pl, a2.lp-portal.pl …
    cert_b: b1.lp-portal.pl, b2.lp-portal.pl …
    All in thise same main domain ‘lp-portal.pl’ and with these same webroot ‘/pat/to/web/’

2

Try this: crt.sh | %lp-portal.pl

I think you should be able to issue a certificate now (barely).

3

Now i can do it. I don’t understand what was wrong?

4

You were sitting exactly on the limit (20 certificates per Registered Domain per Week).

Between you gathering that error information and trying again, the window shifted over so that you were at 19. If you try again for a new certificate, I suspect you may be rate limited yet again.

5

But I don’t created 20 certs in last 7 days.

From 2018-04-16 I only add (4 times) new subdomain to existing certificate (includes today updated certificate with new subdomain!).

When I would like to add new subdomain I get actual subdomains list (by command):
$: certbot certificates

Then search for my “Certificate Name”, copy list of “Domains:”, repleace space to " -d ", add new subdomain to the end and run:
$: sudo certbot certonly --authenticator webroot -w /pat/to/web/ --installer apache --email admin@lp-portal.pl --expand --eff-email --cert-name gminy.lp-portal.pl -d gminabrzeznica.lp-portal.pl …OTHERS_SUBDOMAINS.lp-portal.pl… -d NEW_SUBDOMAIN_NAME.lp-portal.pl

I know that when I add new subdomain to existed certificate then I create new certificate and limit was decreased.

What am I doing wrong?
How Can I check that the limit is over?

6

But you did. Maybe not intentionally - maybe they were renewals and you thought they did not count. You created 19 certs in the last 7 days (counting from right now), and 20 certs in the last 8 days:

2018-04-22 02:59:14 +0000 UTC https://crt.sh/?id=413402963    names=[wadowice.lp-portal.pl www.wadowice.lp-portal.pl]
2018-04-22 02:59:11 +0000 UTC https://crt.sh/?id=413324002    names=[gminalidzbarkwarminski.lp-portal.pl www.gminalidzbarkwarminski.lp-portal.pl]
2018-04-21 09:46:11 +0000 UTC https://crt.sh/?id=416411517    names=[powiatbedzin.lp-portal.pl powiatbochnia.lp-portal.pl powiatchojnice.lp-portal.pl powiatchoszczno.lp-portal.pl powiatczarnkow.lp-portal.pl powiatdrawskopomorskie.lp-portal.pl powiatgniezno.lp-portal.pl powiatgolubdobrzyn.lp-portal.pl powiatgorlice.lp-portal.pl powiatgrodziskwielkopolski.lp-portal.pl powiatgrudziadz.lp-portal.pl powiatgryfice.lp-portal.pl powiatilawa.lp-portal.pl powiatinowroclaw.lp-portal.pl powiatjarocin.lp-portal.pl powiatjaroslaw.lp-portal.pl powiatjaslo.lp-portal.pl powiatkamienpomorski.lp-portal.pl powiatkolobrzeg.lp-portal.pl powiatkonin.lp-portal.pl powiatkoscian.lp-portal.pl powiatkrapkowice.lp-portal.pl powiatkrasnystaw.lp-portal.pl powiatkutno.lp-portal.pl powiatleszno.lp-portal.pl powiatlubin.lp-portal.pl powiatmyslenice.lp-portal.pl powiatostroleka.lp-portal.pl powiatostrowwielkopolski.lp-portal.pl powiatoswiecim.lp-portal.pl powiatplonsk.lp-portal.pl powiatpolkowice.lp-portal.pl powiatpoznan.lp-portal.pl powiatproszowice.lp-portal.pl powiatradom.lp-portal.pl powiatrawicz.lp-portal.pl powiatslupca.lp-portal.pl powiatslupsk.lp-portal.pl powiatsochaczew.lp-portal.pl powiatsrem.lp-portal.pl powiatstaszow.lp-portal.pl powiatstrzyzow.lp-portal.pl powiatswidwin.lp-portal.pl powiatszczecinek.lp-portal.pl powiattarnow.lp-portal.pl powiattorun.lp-portal.pl powiatturek.lp-portal.pl powiatwagrowiec.lp-portal.pl powiatwloszczowa.lp-portal.pl powiatwodzislawslaski.lp-portal.pl powiatwrzesnia.lp-portal.pl powiatzary.lp-portal.pl powiatzgorzelec.lp-portal.pl]
2018-04-21 03:41:13 +0000 UTC https://crt.sh/?id=411314130    names=[gminabrudzew.lp-portal.pl www.gminabrudzew.lp-portal.pl]
2018-04-21 03:09:07 +0000 UTC https://crt.sh/?id=416059482    names=[gminawadowice.lp-portal.pl www.gminawadowice.lp-portal.pl]
2018-04-21 03:08:51 +0000 UTC https://crt.sh/?id=416067640    names=[gminanowytomysl.lp-portal.pl www.gminanowytomysl.lp-portal.pl]
2018-04-21 02:17:50 +0000 UTC https://crt.sh/?id=411083639    names=[powiatradom.lp-portal.pl www.powiatradom.lp-portal.pl]
2018-04-20 10:10:53 +0000 UTC https://crt.sh/?id=409444608    names=[gminajutrosin.lp-portal.pl www.gminajutrosin.lp-portal.pl]
2018-04-20 03:18:59 +0000 UTC https://crt.sh/?id=408154603    names=[s2.lp-portal.pl www.s2.lp-portal.pl]
2018-04-20 03:18:55 +0000 UTC https://crt.sh/?id=408154515    names=[s1.lp-portal.pl www.s1.lp-portal.pl]
2018-04-19 07:27:25 +0000 UTC https://crt.sh/?id=413249188    names=[gminabrudzew.lp-portal.pl gminabrzeznica.lp-portal.pl gminachocianow.lp-portal.pl gminachrzanow.lp-portal.pl gminaczerwonak.lp-portal.pl gminaczluchow.lp-portal.pl gminadlugoleka.lp-portal.pl gminadubiecko.lp-portal.pl gminagoscino.lp-portal.pl gminakartuzy.lp-portal.pl gminaklecko.lp-portal.pl gminakleczew.lp-portal.pl gminakobylnica.lp-portal.pl gminakolbaskowo.lp-portal.pl gminakoscierzyna.lp-portal.pl gminakrasne.lp-portal.pl gminalidzbarkwarminski.lp-portal.pl gminalipiany.lp-portal.pl gminamiedzychod.lp-portal.pl gminamosina.lp-portal.pl gminanoweskalmierzyce.lp-portal.pl gminanowytomysl.lp-portal.pl gminaopalenica.lp-portal.pl gminaopolelubelskie.lp-portal.pl gminaostrowwielkopolski.lp-portal.pl gminarawicz.lp-portal.pl gminasiedlec.lp-portal.pl gminasierakow.lp-portal.pl gminaslupsk.lp-portal.pl gminasmigiel.lp-portal.pl gminaspytkowice.lp-portal.pl gminastargard.lp-portal.pl gminasuchylas.lp-portal.pl gminaswieszyno.lp-portal.pl gminatarnowopodgorne.lp-portal.pl gminatrzemeszno.lp-portal.pl gminaturek.lp-portal.pl gminaustroniemorskie.lp-portal.pl gminawadowice.lp-portal.pl gminawielen.lp-portal.pl gminawyrzysk.lp-portal.pl gminazgierz.lp-portal.pl gminazgorzelec.lp-portal.pl kolaczkowo.lp-portal.pl]
2018-04-19 02:39:02 +0000 UTC https://crt.sh/?id=413070851    names=[gminastargard.lp-portal.pl www.gminastargard.lp-portal.pl]
2018-04-19 02:38:55 +0000 UTC https://crt.sh/?id=405329673    names=[powiatjaroslaw.lp-portal.pl www.powiatjaroslaw.lp-portal.pl]
2018-04-18 06:49:05 +0000 UTC https://crt.sh/?id=402965425    names=[chojnice.lp-portal.pl elblag.lp-portal.pl glogow.lp-portal.pl ilawa.lp-portal.pl konin.lp-portal.pl koszalin.lp-portal.pl krynicazdroj.lp-portal.pl lubin.lp-portal.pl miastobialapiska.lp-portal.pl miastochojnice.lp-portal.pl miastoglogow.lp-portal.pl miastojarocin.lp-portal.pl miastokonin.lp-portal.pl miastokoscierzyna.lp-portal.pl miastokoszalin.lp-portal.pl miastokrynicazdroj.lp-portal.pl miastoleszno.lp-portal.pl miastolubin.lp-portal.pl miastopoznan.lp-portal.pl miastorumia.lp-portal.pl miastosanok.lp-portal.pl miastoslupsk.lp-portal.pl miastosrem.lp-portal.pl miastotrzcianka.lp-portal.pl miastozakopane.lp-portal.pl miastozg.lp-portal.pl mzgklebork.lp-portal.pl ostroleka.lp-portal.pl slupsk.lp-portal.pl srem.lp-portal.pl wadowice.lp-portal.pl zakopane.lp-portal.pl zdmikpbydgoszcz.lp-portal.pl zdpmapy.lp-portal.pl zielonagora.lp-portal.pl]
2018-04-18 04:32:46 +0000 UTC https://crt.sh/?id=411961382    names=[chelmek.lp-portal.pl www.chelmek.lp-portal.pl]
2018-04-18 04:26:43 +0000 UTC https://crt.sh/?id=402694080    names=[powiatradziejow.lp-portal.pl www.powiatradziejow.lp-portal.pl]
2018-04-18 04:26:39 +0000 UTC https://crt.sh/?id=404372618    names=[gminanaklo.lp-portal.pl www.gminanaklo.lp-portal.pl]
2018-04-18 04:26:35 +0000 UTC https://crt.sh/?id=404372537    names=[gminalelis.lp-portal.pl www.gminalelis.lp-portal.pl]
2018-04-18 04:25:46 +0000 UTC https://crt.sh/?id=411953637    names=[ilawa.lp-portal.pl www.ilawa.lp-portal.pl]
2018-04-17 07:48:33 +0000 UTC https://crt.sh/?id=403546802    names=[kolaczkowo.lp-portal.pl www.kolaczkowo.lp-portal.pl]

Renewals are exempt from rate limits (and some of these may have been renewals, I didn't check), but if you try to issue a new certificate, then the rate limit is enforced, including the certificates that were renewed.

@sahsanu's GitHub - sahsanu/lectl: Script to check issued certificates by Let's Encrypt on CTL (Certificate Transparency Log) using https://crt.sh is pretty good.

You might also consider applying for a rate limit exemption if you believe that you need higher limits for your use: Rate Limits - Let's Encrypt

1 Like
7

Wow - I don’t know why there was so much certs. I don’t need them. I have only about 40 certs with many subdomains.

I wonder how it’s possible because I always generate cert manually and add all subdomains separated by ‘-d’.
I supposed that certbot (or my command) worked incorrect . I upgraded it so I hope it will be OK now. I will check it.

Thanks a lot for your help!

1 Like
8

Hello
Already second week as I have been trying to sign the certificate for my virtual server in domain ovh.net.

I run this command:

FQDN=xxxyyy.ovh.net
~/.acme.sh/acme.sh --issue --standalone -d $FQDN

And I get this stable result:

[Tue Apr 24 17:00:14 CEST 2018] Standalone mode.
[Tue Apr 24 17:00:14 CEST 2018] Single domain=‘xxxyyy.ovh.net
[Tue Apr 24 17:00:14 CEST 2018] Getting domain auth token for each domain
[Tue Apr 24 17:00:14 CEST 2018] Getting webroot for domain=‘xxxyyy.ovh.net
[Tue Apr 24 17:00:14 CEST 2018] Getting new-authz for domain=‘xxxyyy.ovh.net
[Tue Apr 24 17:00:15 CEST 2018] The new-authz request is ok.
[Tue Apr 24 17:00:15 CEST 2018] xxxyyy.ovh.net is already verified, skip http-01.
[Tue Apr 24 17:00:15 CEST 2018] Verify finished, start to sign.
[Tue Apr 24 17:00:17 CEST 2018] Sign failed: “detail”:“Error creating new cert :: too many certificates already issued for: ovh.net: see https://letsencrypt.org/docs/rate-limits/
[Tue Apr 24 17:00:17 CEST 2018] Please add ‘–debug’ or ‘–log’ to check more details.
[Tue Apr 24 17:00:17 CEST 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

If it necessary I can provide full debug log.

Please clarify how to fix this problem and at last sign the certificate?!

9

Please create your own new topic for this question, @AntonDiam. When you do, please provide your full non-redacted domain name. We can’t assist you in finding rate limit issues without that, as there are several things that might be going on. Besides, it’s already been publicly (and permanently) logged several times in the certificate transparency logs.

10

You might also want to run certbot certificates to see if you have some old certificates that you don’t need (that may be getting renewed automatically by certbot renew).

11

I run certbot certificates before created this post.

I received:

  • host1 = 18 different certificates (10 for lp-portal.pl domain, each cert contains 1- ~60subdomains),
  • host2 = 2 certificates (1 for lp-portal.pl contains 3 subdomains).

Example (gminabrudzew.lp-portal.pl):
This is cert that I created https://crt.sh/?id=417498963 - it contains subdomains list
but I was never created certificate for single customer domain https://crt.sh/?id=417773301.

Maby certbot do it automaticly when I use ‘apache’ option? I use ‘certonly’ to prevent that.
My commad is:
sudo certbot certonly --authenticator webroot -w /path/to/app/ --installer apache --email admin@lp-portal.pl --expand --eff-email --cert-name <CERT_NAME>.<DOMAIN.pl> -d <SUBDOMAIN_NAME> -d <SUBDOMAIN_NAME> ...

12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.