Too many certificates already issued after 168 hours of waiting

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: alan-blanchet.fr

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/alan-blanchet.fr.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Attempting to renew cert (alan-blanchet.fr) from /etc/letsencrypt/renewal/alan-blanchet.fr.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: alan-blanchet.fr: see https://letsencrypt.org/docs/duplicate-certificate-limit/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/alan-blanchet.fr/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/alan-blanchet.fr/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version):
Server version: Apache/2.4.38 (Debian)
Server built: 2021-12-21T16:50:43

The operating system my web server runs on is (include version):
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="Debian -- User Support"
BUG_REPORT_URL="https://bugs.debian.org/"

My hosting provider, if applicable, is:
hostinger.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Hello,
I believe it's been more than a week since I tried to renew my certificates (168/24=7 days) and I still can't renew my certificates.
The certbot --dry-run renew command works perfectly. It's just that the delay seems incorrect. Is there any way you can help?

Thanks.
Alan Blanchet.

2 Likes

This calculation is indeed correct, but the rate limits are actually based on the hours (or even minutes!) rather than the days. Rounded off it might have been 7 days, but if you look at the actual time of issuance, you need to wait a few hours.

If you look at your certificate history at crt.sh | alan-blanchet.fr you can see the 5th certificate in line from recent to later is crt.sh | 7019141705, which was issued on 2022-06-28 00:04:26 UTC (note that the "Not before" timestamp is pre-dated one hour to compensate for clock skew in clients, so freshly issued certificates won't cause trouble for some users.)

By the way, may I urge you to NOT issue so many duplicate certificates? Usually this is not necessary. Note that testing/experimenting should be done on the staging environment.

10 Likes
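
The window arithmetic from the reply above, as an added example that is not part of the original thread: it turns "Not before" values from a certificate history into issuance times and computes when the fifth most recent one leaves the 168-hour window. The first "Not before" value is derived from the issuance time quoted in the reply; every other timestamp, the `NOW` value and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=168)   # window length, from the certbot error message
LIMIT = 5                       # certificates per exact set of names, same message
BACKDATE = timedelta(hours=1)   # "Not before" is pre-dated one hour, per the reply


def parse_utc(ts):
    """Parse a 'YYYY-MM-DD HH:MM:SS' string as a UTC timestamp."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def issuance_times(not_before_values):
    """Convert 'Not before' values to actual issuance times, newest first."""
    return sorted((parse_utc(v) + BACKDATE for v in not_before_values), reverse=True)


def next_allowed(not_before_values, now):
    """Earliest moment a new order for the same names fits under the limit.

    Returns `now` when fewer than LIMIT certificates are inside the window.
    """
    inside = [t for t in issuance_times(not_before_values) if t > now - WINDOW]
    if len(inside) < LIMIT:
        return now
    # The LIMIT-th most recent issuance has to age out of the window first.
    return inside[LIMIT - 1] + WINDOW


# "Not before" values as a certificate history would list them.
NOT_BEFORE = [
    "2022-07-01 07:55:01",  # constructed
    "2022-06-30 18:02:33",  # constructed
    "2022-06-29 13:40:10",  # constructed
    "2022-06-28 09:15:00",  # constructed
    "2022-06-27 23:04:26",  # issuance time quoted in the reply, minus one hour
    "2022-06-20 10:00:00",  # constructed, already outside the window
]
NOW = parse_utc("2022-07-04 20:00:00")  # constructed: seven calendar days later

if __name__ == "__main__":
    when = next_allowed(NOT_BEFORE, NOW)
    print("next order possible at", when.isoformat(), "- wait", when - NOW)
```

Counting calendar days from 28 June suggests the limit has cleared on 4 July, while the timestamp arithmetic shows a few hours still remaining.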

Hello Osiris and thanks for your reply,
I didn't even know that such a website (crt.sh) existed and I'm really pleased with your answer.
I will stop issuing so many certificates. I had a hard time making my server work properly...

Thank you very much, you helped me a lot!
Have a good day.

3 Likes
