Too many certificates already issued fo


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://bijouterie-jewelry.com/

I ran this command: I can not issue a certificate. I did not comply with the request to create more than 20 certificates a week. However, I can not get a certificate for the primary domain.

Earlier, I received a certificate for more than 90 domains (ordering them in turn 20 times a week). It was a long time ago. (example kiev.bijouterie-jewelry.com , zp.bijouterie-jewelry.com & more subdomains)
However, today I can not order a new certificate for my https://bijouterie-jewelry.com/

It produced this output: too many certificates already issued fo https://bijouterie-jewelry.com/ (But I want to emphasize - this week I turned only once. 7/06/2018). Unfortunately I do not understand. I have not broken the limit.

My web server is (include version): I don’t know

The operating system my web server runs on is (include version): I don’t know

My hosting provider, if applicable, is: https://www.ukraine.com.ua/ I use an admin page to manage. Unfortunately, support could not help me, I was sent to you. Because they can not understand why it is not possible to issue a certificate.

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

You’ve definitely hit the 20/week limit this week: https://letsdebug.net/bijouterie-jewelry.com/1408?debug=y#RateLimit-Debug

Some of these may have been renewals. You need to be aware that while renewals are not blocked by rate limits, they do contribute to rate limits: https://letsencrypt.org/docs/rate-limits/

To make sure you can always renew your certificates when you need to, we have a Renewal Exemption to the Certificates per Registered Domain limit. Even if you’ve hit the limit for the week, you can still issue new certificates that count as renewals. An issuance request counts as a renewal if it contains the exact same set of hostnames as a previously issued certificate. This is the same definition used for the Duplicate Certificate limit described above. Renewals are still subject to the Duplicate Certificate limit. Also note: the order of renewals and new issuances matters. To get the maximum possible number of certificates, you must perform all new issuances before renewals during a given time window.


#3

Sorry, I do not understand what to do. (Could you issue a certificate for my site? ( bijouterie-jewelry.com & www.bijouterie-jewelry.com )
That’s all I’m asking. This is not an update. This is a new certificate.

What are my steps?

If I understood you correctly, I can not get a certificate, because my subdomains are updated on 20 pieces per week. Yes, they are updated.

But how can I issue a new certificate? In total, I have 94 certificates for subdomains.
This means that I can not get a new certificate ever. After all, every week the limit will be exhausted automatically. Right?

Help me please. I’m desperate.


#4

The solution lies in this quote from the rate limit documentation:

the order of renewals and new issuances matters. To get the maximum possible number of certificates, you must perform all new issuances before renewals during a given time window.

Right now, you can’t issue new certificates. It’s too late to do anything.

When your rate limits begin to subside (~31h from now), ensure that your new certificates are issued before any renewals take place. You may need to suspend/defer your renewals until afterwards.

This allows your full rate limit (20 certificate/week) to be used on new certificates, and you will then be able to complete the renewals afterwards.

Have you considered just using a wildcard certificate? I see that you issued one recently.

Is this the actual certificate you’re trying to get? It should be possible to get it under the Renewal Exemption, since it has been issued previously: https://crt.sh/?id=375709928
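
Added example (not part of the original posts and not Let's Encrypt code): a simplified single-window model of the Certificates per Registered Domain limit and the Renewal Exemption quoted above, showing why new issuances have to go before renewals. The hostnames under example.com are constructed, and the sliding 7-day window and the Duplicate Certificate limit are deliberately not modelled.

```python
WEEKLY_LIMIT = 20  # limit quoted in the thread: 20 certificates per week


def simulate(requests, previously_issued, limit=WEEKLY_LIMIT, used=0):
    """Process requests in order inside one rate-limit window.

    A request is a renewal if its exact set of hostnames was issued before.
    Renewals are never blocked by the limit, but they still consume it.
    Returns (issued, rejected) as lists of hostname lists.
    """
    known = {frozenset(names) for names in previously_issued}
    issued, rejected = [], []
    for names in requests:
        key = frozenset(names)
        if key in known or used < limit:
            used += 1            # renewals count toward the limit too
            known.add(key)
            issued.append(names)
        else:
            rejected.append(names)  # "too many certificates already issued"
    return issued, rejected


def new_issuances_first(requests, previously_issued):
    """Reorder so brand-new hostname sets are requested before renewals."""
    known = {frozenset(names) for names in previously_issued}
    # False (new) sorts before True (renewal); sorted() is stable.
    return sorted(requests, key=lambda names: frozenset(names) in known)


def sample():
    """Constructed data: 20 per-subdomain certs due for renewal, 1 new cert."""
    existing = [[f"sub{i}.example.com"] for i in range(20)]
    new_cert = ["example.com", "www.example.com"]
    return existing, existing + [new_cert]  # renewals queued ahead of the new cert


if __name__ == "__main__":
    existing, queue = sample()
    for label, order in (("renewals first", queue),
                         ("new first", new_issuances_first(queue, existing))):
        ok, blocked = simulate(order, existing)
        print(f"{label}: issued={len(ok)} rejected={blocked}")
```
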


#5

It seems I did not issue a wildcard certificate, I only used individual certificates for each subdomain.

Perhaps this will be a solution? Since January 2018, can I release a wildcard? To cover the main domain and all of my 94 subdomains.

Do I understand correctly? How do I get a wildcard?


#6

Are you sure about that?

Somebody issued a wildcard for *.bijouterie-jewelry.com a day ago: https://crt.sh/?id=511113377

Yes, it has been possible to get wildcards for a few months now. If you get a certificate for:

  • *.bijouterie-jewelry.com
  • bijouterie-jewelry.com

that should suit your needs perfectly.


#7

Yes, I’m sure I did not do it. Perhaps it was the managers of my hosting. Probably they were trying to help me.

Do I understand correctly? Do I already have a certificate? I just did not know about this?
How to use this?

I’m sorry if my questions are stupid.


#8

It depends what type of web hosting you have.

With Certbot, you can use a command like:

certbot certonly --server https://acme-v02.api.letsencrypt.org/directory \
-d "*.bijouterie-jewelry.com" -d "bijouterie-jewelry.com" --manual \
--preferred-challenges dns-01

but if you are using some kind of admin page or control panel to issue certificates, the instructions will probably be different.

Maybe you can ask your web host if they issued the wildcard certificate and how they did it.


#9

I was able to clarify the technical data of my hosting

The operating system my web server runs on is (include version) - CloudLinux 7.5
My web server is (include version) - nginx 1.12.1

Can this information help to help me?

I did not find where to install it in the private hosting panel. I asked them a question and I will wait.


#10

What does the second tab: “Let’s Encrypt certificate” show?


#11

It shows the “Install” button.
If you click on this button, there is a wait. Then nothing happens.

Tech support explains this by returning an error “too many certificates already issued for bijouterie-jewelry.com” . Thus, the notification that the request was sent and should be waited 24 hours is reset. As a result, we again see the “Install” button. And so on a circle. An endless process leads again to the “install” (установить)

Earlier you sent this link. Is this my wildcard certificate? Where to write it? there are so many lines.
https://crt.sh/?id=511113377 the only place where you can write it - on the screen number 1, only 3 fields.


#12

Ultimately this all comes down to whether your hosting panel supports issuing a single wildcard certificate for: bijouterie-jewelry.com and *.bijouterie-jewelry.com. I do not recognize your hosting panel so I’m not sure if it does.

Your rate limit should allow one more certificate in ~31 hours. At that point, you can ask your host if it is possible to issue a wildcard using the hosting panel.

If it’s not possible, it may be possible to issue one manually using a site like zerossl.com or httpsforfree.com and then install it to your hosting panel.

Unfortunately that certificate would not be usable in your case because it is a “precertificate” (not important to understand) and because it does not include the base domain.


#13

the support service managed to order a certificate, despite the fact that the limit is exhausted.
They installed a certificate for the site www.bijouterie-jewelry.com

but for the site
bijouterie-jewelry.com

the certificate does not work.

I do not understand.
Help me please.

I spent 2 days to solve this problem.

You said that my limit is exhausted.
What is the situation now?

Now my limit has been cleared?
How did they manage to issue a certificate for www.bijouterie-jewelry.com ???

The certificate is not available for the main site bijouterie-jewelry.com (without WWW)

help me please.

you said you should wait 31 hours.

What is this figure now?


#14

Are you sure? Everything appears to be fine for both sites, using a Let’s Encrypt certificate and everything:

https://www.ssllabs.com/ssltest/analyze.html?d=bijouterie-jewelry.com&s=185.104.45.24
https://www.ssllabs.com/ssltest/analyze.html?d=www.bijouterie-jewelry.com&s=185.104.45.24


#15

Hi. Literally a couple of minutes ago I managed to do it. But by hand.
I use https://www.sslforfree.com/
I hope it’s safe?

