Too many certificates already issued for domain; unclear how limit was hit

I’m aware that there is a 20 certs per domain per week limit, but I’ve only added 2 subdomains to the caddyfile in the past month.

I’ve been reloading the config a lot to change stuff, so caddy may have gotten new certificates for the domain.

I’ve been trying again and again over the past days, and the error kept coming up.

I’ve tried to look up the certs at crt.sh, but I didn’t get any wiser with it.


My domain is:
working/existing certs: chagemann.de vue.chagemann.de proxy.chagemann.de (total of 17-18 domains running with letsencrypt/caddy)

can’t get certs for: proxy-arbitrage.chagemann.de arbitrage.chagemann.de

I ran this command:
caddy -log stdout
It produced this output:

Activating privacy features...2017/12/20 20:51:53 [INFO][proxy-arbitrage.chagemann.de] acme: Obtaining bundled SAN certificate
2017/12/20 20:51:54 [INFO][proxy-arbitrage.chagemann.de] AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/4Ks5bYUZ9wTabFRG1fycgBCimCCwQbuN3l1hcQLQGs4
2017/12/20 20:51:54 [INFO][proxy-arbitrage.chagemann.de] acme: Authorization already valid; skipping challenge
2017/12/20 20:51:54 [INFO][proxy-arbitrage.chagemann.de] acme: Validations succeeded; requesting certificates
2017/12/20 20:51:55 [proxy-arbitrage.chagemann.de] failed to get certificate: acme: Error 429 - urn:acme:error:rateLimited - Error creating new cert :: too many certificates already issued for: chagemann.de

My web server is (include version):
caddy 0.10.9

The operating system my web server runs on is (include version):
linux ubuntu 14.04

My hosting provider, if applicable, is:
-

I can log in to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

One possibility (although I’m not sure if this is exactly what happened): While renewals are exempt from the rate limit in the sense that you can still renew even if you’ve already reached the limit, renewals do still count towards the limit. So if you have 15 domains to renew and 10 new ones to add, you can add the 10 new ones and renew the 15, but you can’t renew the 15 and then add 10 new ones, because after the first 5 new certs you’ll have hit the limit and will only be able to renew.

I don’t know how caddy schedules renewals though, so I may be talking through my hat.

Looks like you’re right. A ton of single-name certificates were renewed 2017-12-14:

https://crt.sh/?q=%chagemann.de

Twice, in fact.

Take this subdomain as an example:

https://crt.sh/?q=kopiernudel.chagemann.de

Created 2017-05-15; renewed 2017-07-27, 2017-09-26, 2017-12-14, 2017-12-14.

Since it’s a one week rate limit, at least it will be okay tomorrow.

Ideally the client would put all the names in one certificate.

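The accounting described in the two replies above, as an added example that is not part of any post in this thread and is not Caddy or Let's Encrypt code: it counts issuance per domain in a 7-day window and shows renewals filling the limit while staying exempt from it. The names under example.org, the dates in `build_sample`, the suffix match and the "same name set" definition of a renewal are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

WEEKLY_LIMIT = 20            # certs per domain per week, as stated in the thread
WINDOW = timedelta(days=7)

def under_domain(name, registered_domain):
    # Assumption: plain suffix match; a real check would use the Public Suffix List.
    return name == registered_domain or name.endswith("." + registered_domain)

def issued_in_window(certs, registered_domain, as_of):
    """Certs issued in the 7 days before as_of that carry a name under the domain."""
    cutoff = as_of - WINDOW
    return [c for c in certs
            if cutoff < c[0] <= as_of
            and any(under_domain(n, registered_domain) for n in c[1])]

def is_renewal(certs, names, as_of):
    # Assumption: a renewal asks for exactly the name set of an earlier certificate.
    wanted = frozenset(names)
    return any(c[1] == wanted and c[0] <= as_of for c in certs)

def check_request(certs, registered_domain, names, as_of):
    """Return (allowed, certs_in_window, renewal) for a prospective order."""
    count = len(issued_in_window(certs, registered_domain, as_of))
    renewal = is_renewal(certs, names, as_of)
    # Renewals count towards the limit but are still allowed once it is reached.
    return (renewal or count < WEEKLY_LIMIT, count, renewal)

def build_sample():
    # Constructed data: ten single-name certs, each renewed twice on the same day.
    certs = []
    for i in range(10):
        names = frozenset({f"sub{i}.example.org"})
        certs.append((datetime(2017, 9, 26), names))
        certs.append((datetime(2017, 12, 14), names))
        certs.append((datetime(2017, 12, 14), names))
    return certs

if __name__ == "__main__":
    certs = build_sample()
    now = datetime(2017, 12, 20, 20, 51)
    for label, names, when in [
        ("new name, limit reached", ["new.example.org"], now),
        ("renewal, limit reached", ["sub0.example.org"], now),
        ("new name, window passed", ["new.example.org"], datetime(2017, 12, 22)),
    ]:
        print(label, check_request(certs, "example.org", names, when))
```

A single certificate listing all ten names would add one entry to the window instead of ten, which is the consolidation suggested in the reply above.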

Thank you a lot, the % in %chagemann.de enabled me to show all certs of all subdomains.

I was now able to issue new certs.
