Too many certificates already issued for: domain


#1

I’m trying to get a certificate for a subdomain of rentalhost.net and I always get this message. I tried waiting about 10 days (thinking it was a softban for some reason) and it did not help.

I think it is related to the fact that I use my main domain to create a lot (about 3 or 4, maybe) of subdomains when my clients don’t have a main domain yet, and then I get certificates for them so they can run over HTTPS until that happens.

My domain is: rentalhost.net

I’m trying to get a certificate for: gerenciador.cf.rentalhost.net

I ran this command: cPanel AutoSSL “check”

It produced this output:

2:43:16 PM This system has AutoSSL set to use “Let’s Encrypt™”.
2:43:16 PM The website “gerenciador.cf.rentalhost.net”, has a faulty SSL certificate (OPENSSL_VERIFY:0:18:DEPTH_ZERO_SELF_SIGNED_CERT). AutoSSL will attempt to replace this certificate.
2:43:21 PM WARN The domain “mail.gerenciador.cf.rentalhost.net” failed domain control validation: “mail.gerenciador.cf.rentalhost.net” does not resolve to any IPv4 addresses on the internet. at bin/autossl_check.pl line 562.
2:43:21 PM The system will attempt to renew SSL certificates for the following websites:
2:43:21 PM gerenciador.cf.rentalhost.net (gerenciador.cf.rentalhost.net www.gerenciador.cf.rentalhost.net)
2:43:24 PM WARN (XID 8rap2u) The ACME function “https://acme-v01.api.letsencrypt.org/acme/new-cert” indicated an error: “Error creating new cert :: Too many certificates already issued for: rentalhost.net (The request exceeds a rate limit)” (429, “Unknown”, urn:acme:error:rateLimited).
2:43:24 PM The system has completed the AutoSSL check.

My operating system is: CentOS 6.7 x86_64 virtuozzo

My web server is: Apache 2.4

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: WHM/cPanel 62.0


#2

You’re limited to 20 certificates per registered domain (that’s rentalhost.net in your case - all certificates for subdomains count against the rate limit of that domain) per week. See the rate limit documentation for more details.

You can use crt.sh to search for certificates that include your domain. Doing so will show a large number of certificates issued in the last few days, many of which appear to be ones that are re-issued daily. It does appear like some kind of broken automation. The recommended renewal schedule is 30 days prior to expiration (i.e. every 60 days).

You won’t be able to reset the limit manually - you’ll need to wait for it to expire (7 days after the first certificate that caused the limit to be reached was issued). It does look like the number of subdomains should be manageable within the rate limits if you stick to the recommended renewal schedule.
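An added example, not from this thread or from cPanel, to make the arithmetic in this reply concrete: it simulates a daily renewal job for a few subdomains of one registered domain, once re-issuing on every run and once gated on remaining validity, and reports when the 20-per-week limit is reached and when it expires. The subdomain names, the start date and the 90-day certificate lifetime are assumptions, not taken from the poster’s setup.

```python
from datetime import date, timedelta

CERTS_PER_DOMAIN_PER_WEEK = 20      # limit quoted in this thread
CERT_LIFETIME = timedelta(days=90)  # Let's Encrypt certificate lifetime (assumed)
RENEW_BEFORE = timedelta(days=30)   # recommended: renew 30 days before expiry

def _d(x):
    """Accept ISO date strings or date objects."""
    return date.fromisoformat(x) if isinstance(x, str) else x

def simulate(subdomains, start, days, gate_on_expiry):
    """Run a daily renewal job for `days` days and return issuances as
    (date, name) pairs. gate_on_expiry=False reproduces what the thread
    describes (a new certificate on every run); True issues only when the
    current certificate has RENEW_BEFORE or less validity left."""
    expiry, issued = {}, []
    for n in range(days):
        today = _d(start) + timedelta(days=n)
        for name in subdomains:
            current = expiry.get(name)
            if gate_on_expiry and current and current - today > RENEW_BEFORE:
                continue                       # still fresh: nothing to do
            issued.append((today, name))
            expiry[name] = today + CERT_LIFETIME
    return issued

def rate_limit_status(issued, at, limit=CERTS_PER_DOMAIN_PER_WEEK):
    """Count issuances in the 7-day window ending on `at`. Returns
    (count, limited, reopens_on); reopens_on is 7 days after the oldest
    issuance that still counts, i.e. when the limit expires."""
    at = _d(at)
    window = sorted(d for d, _ in issued if at - timedelta(days=7) < d <= at)
    if len(window) < limit:
        return len(window), False, None
    return len(window), True, window[len(window) - limit] + timedelta(days=7)

def first_limited_day(issued, limit=CERTS_PER_DOMAIN_PER_WEEK):
    """Date on which the rolling window first reaches the limit, or None."""
    for d in sorted({d for d, _ in issued}):
        if rate_limit_status(issued, d, limit)[1]:
            return d
    return None

if __name__ == "__main__":
    # Constructed scenario: four client subdomains, daily job starting on the
    # date crt.sh showed the re-issuance beginning in this thread (2016-10-13).
    subs = ["client%d.example.invalid" % i for i in range(4)]
    for gated in (False, True):
        issued = simulate(subs, "2016-10-13", 90, gated)
        print("gated" if gated else "every run", len(issued), first_limited_day(issued))
```

With four subdomains re-issued daily the limit is hit on the fifth day; gated on remaining validity the same four names need only eight certificates in 90 days.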


#3

Looking at Google transparency reports I suspect it may be more than 3 or 4 and in reality several hundred ( currently 734 certificates according to google ) :wink:

The rate limit documentation provides information on what the limits are. Can you provide a little more background on all the subdomains and what you are trying to achieve ?


#4

@pfg @serverco Thanks for reply.

It seems that the cPanel automation is requesting a certificate each day (that is very bad). About the 734 certificates, I am really surprised by that, but it seems to be because of a broken cPanel integration (or maybe a tweak, and I’ll check that). Some domains, like abimip.rentalhost.net, have 49 certificates (one every day or two).

Thanks for the help.

I will check my settings or else contact cPanel support about this case, and I’ll come back with a solution for others who have the same issue as me.

Edit: for now, I just disabled AutoSSL. I will run it manually for now to see if it fixes my problem.


#5

Please let us know what cPanel support ends up saying.

In the meantime, is there any additional information you can provide about what version of cPanel & the Let’s Encrypt plugin you’re using? Is there anything specific to your configuration that you think might be causing this? (We’re curious if this bug might be affecting other folks as well since it has the potential to cause a lot of unnecessary certificate issuance.)

Thanks!


#6

I have used the “run AutoSSL mode to all users” mode of cPanel (from the “Manager AutoSSL” feature). For some reason, it was configured to run each day at 1:10 in crontab (it is not my fault, because I never configured the crontab with this timing; maybe it happened in some cPanel update).

Now I changed it to run every 60 days, which is preferable I guess.

So, the previous setting was:
to run at 01:10 AM every day (argh!).

10 1 * * * root /usr/local/cpanel/bin/autossl_check --all

My setting now:
to run at 05:00 AM every 60 days.

0 5 */60 * * root /usr/local/cpanel/bin/autossl_check --all


#7

Do you happen to know what version of cPanel you’re running? It would be great if we could help narrow down approximately when this might have changed & in what update.


#8

As an additional piece of information, it looks like the “too frequent renewal” problem started on 2016-10-13: https://crt.sh/?q=%.rentalhost.net.

And no worries, @rentalhost, we realize it’s probably not a bug of your creation, but possibly a bug in AutoSSL. I believe autossl_check is supposed to run nightly, but only actually issue a certificate if the old one is close to expiring (Certbot does this too). So we want to figure out why autossl_check is issuing every time.


#9

@cpu @jsha

I have been running cPanel since 2013-03-07 (YMD), and since then I have also run all of its updates, including the RELEASE tier (my current update option). I think this started happening a few days (or one or two months) ago, because I never had this problem before. The last thing I did was set up all my domains to be AutoSSL’ed (but I guess I did that 6 to 9 months ago).

My current version is WHM 62.0 (build 15), but according to crt.sh, it seems it started before this major update (maybe 60?).

There is a WHM fix described as “CPANEL-10213: Prevent AutoSSL requests for excess domains on a single certificate” (source). I really don’t know what it means; maybe it is related, because it affects versions 62 and 60, but not 58 or lower.

I can’t remember either whether 2016-10-13 was when I toggled on AutoSSL for all my domains.

AutoSSL runs every time because, for some reason, the crontab was set up to run every day at 01:10 AM (strange time, no?). Maybe the original settings expected it to run every 10 days or something like that (which is a big mistake, because to make that work we would need to set the cron days to */10 instead).

If you have more questions, I’m very happy to reply. And if you need more details from some log, for instance, just tell me how to get this info to you. Thanks a lot!


#10

@rentalhost To look at a specific domain: what does the AutoSSL log say about www.ws.rentalhost.net?

Go into WHM -> Manage AutoSSL -> Logs, then find one of the AutoSSL runs, and see what it has to say about why it’s requesting a new certificate for that domain. Does cPanel think the certificate is about to expire? Does it think it fails verification? Does it think there are more domains that the certificate could accommodate?


#11

This was really running at 01:10 AM each day.

It doesn’t give a clue about that, except for the crontab issue (which I have already fixed):

Log for the AutoSSL run for all users: Monday, February 27, 2017 1:10:01 AM GMT-0300 (Let’s Encrypt™)

1:10:01 AM This system has AutoSSL set to use “Let’s Encrypt™”.
1:10:01 AM Checking websites for “username” …
1:10:02 AM The website “subdomain.rentalhost.net”, owned by “username”, has a valid SSL certificate, but additional SSL coverage may be possible for the domains “www.mail.subdomain.rentalhost.net” and “mail.subdomain.rentalhost.net”. The system will attempt to replace this certificate with one that includes these additional domains.
1:10:03 AM WARN The domain “www.mail.subdomain.rentalhost.net” failed domain control validation: “www.mail.subdomain.rentalhost.net” does not resolve to any IPv4 addresses on the internet. at bin/autossl_check.pl line 562. (note: these sub-subdomains are a CNAME for subdomain.rentalhost.net)
1:10:03 AM The system will attempt to renew SSL certificates for the following websites:
1:10:03 AM subdomain.rentalhost.net (subdomain.rentalhost.net www,subdoman.rentalhost.net mail.subdomain.rentalhost.net)
1:10:07 AM WARN “mail.subdomain.rentalhost.net” failed its authorization because of an error: This system does not have a document root for web content for the domain “mail.subdomain.rentalhost.net”.
1:10:42 AM SUCCESS The system has installed a new certificate onto “username”’s website “domain.rentalhost.net”.

It happened every day. I guess a new certificate for the same domain/subdomain should be rejected when the current one is only one day old, no?


#12

@rentalhost Sorry, just so I’m absolutely clear on what’s going on, can you please paste in the unedited log for www.ws.rentalhost.net?


#13

Right!

Raw log from 2017-02-27:

1:20:31 AM Checking websites for “rhservic” …
1:20:32 AM The website “ws.rentalhost.net”, owned by “rhservic”, has a valid SSL certificate, but additional SSL coverage may be possible for the domain “mail.ws.rentalhost.net”. The system will attempt to replace this certificate with one that includes this additional domain.
1:20:32 AM The system will attempt to renew SSL certificates for the following websites:
1:20:32 AM ws.rentalhost.net (ws.rentalhost.net www.ws.rentalhost.net mail.ws.rentalhost.net)
1:20:36 AM WARN “mail.ws.rentalhost.net” failed its authorization because of an error: This system does not have a document root for web content for the domain “mail.ws.rentalhost.net”.
1:20:38 AM SUCCESS The system has installed a new certificate onto “rhservic”’s website “ws.rentalhost.net”.
1:20:38 AM The system has completed the AutoSSL check for “rhservic”.

Raw log just now (2017-02-28):

4:44:04 PM Checking websites for “rhservic” …
4:44:05 PM The website “ws.rentalhost.net”, owned by “rhservic”, has a valid SSL certificate, but additional SSL coverage may be possible for the domain “mail.ws.rentalhost.net”. The system will attempt to replace this certificate with one that includes this additional domain.
4:44:07 PM The system will attempt to renew SSL certificates for the following websites:
4:44:07 PM ws.rentalhost.net (ws.rentalhost.net www.ws.rentalhost.net mail.ws.rentalhost.net)
4:44:10 PM WARN “mail.ws.rentalhost.net” failed its authorization because of an error: This system does not have a document root for web content for the domain “mail.ws.rentalhost.net”.
4:44:10 PM WARN (XID 7wexkc) The ACME function “https://acme-v01.api.letsencrypt.org/acme/new-cert” indicated an error: “Error creating new cert :: Too many certificates already issued for exact set of domains: ws.rentalhost.net,www.ws.rentalhost.net (The request exceeds a rate limit)” (429, “Unknown”, urn:acme:error:rateLimited).
4:44:10 PM The system has completed the AutoSSL check for “rhservic”.

It seems that it stopped working now, maybe because I have a lot of certificates issued for my domain currently (because of what happened).
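An added example (not part of this thread or of cPanel) that turns the pattern visible in these two logs into detection logic: it parses AutoSSL log lines, flags a run in which a valid certificate was replaced only to add names whose validation then failed (so the new certificate covers nothing the old one did not), and separately flags ACME rate-limit refusals. The sample log is constructed from the lines quoted above; the regexes are assumptions about the log wording, not anything published by cPanel.

```python
import re

# Constructed sample, modelled on the AutoSSL log lines quoted in this thread.
SAMPLE_LOG = """\
1:20:31 AM Checking websites for “rhservic” …
1:20:32 AM The website “ws.rentalhost.net”, owned by “rhservic”, has a valid SSL certificate, but additional SSL coverage may be possible for the domain “mail.ws.rentalhost.net”. The system will attempt to replace this certificate with one that includes this additional domain.
1:20:36 AM WARN “mail.ws.rentalhost.net” failed its authorization because of an error: This system does not have a document root for web content for the domain “mail.ws.rentalhost.net”.
1:20:38 AM SUCCESS The system has installed a new certificate onto “rhservic”’s website “ws.rentalhost.net”.
4:44:10 PM WARN (XID 7wexkc) The ACME function “https://acme-v01.api.letsencrypt.org/acme/new-cert” indicated an error: “Error creating new cert :: Too many certificates already issued for exact set of domains: ws.rentalhost.net,www.ws.rentalhost.net (The request exceeds a rate limit)” (429, “Unknown”, urn:acme:error:rateLimited).
"""

# Assumed patterns for the wording seen in the quoted logs (curly quotes included).
QUOTED = re.compile(r"“([^”]+)”")
EXPAND = re.compile(r"The website “([^”]+)”.* has a valid SSL certificate, but additional "
                    r"SSL coverage may be possible for the domains? (.+?)\. The system")
AUTHZ_FAILED = re.compile(r"WARN “([^”]+)” failed its authorization")
INSTALLED = re.compile(r"SUCCESS .* installed a new certificate onto .* website “([^”]+)”")
RATE_LIMITED = re.compile(r"Too many certificates already issued for ([^(]+?) \(")

def analyse(log_text):
    """Walk one AutoSSL run and return findings as (kind, subject, names) tuples.
    'wasted-reissue': a valid certificate was replaced only to add names whose
    validation failed; repeated every run, this is what burned the rate limit.
    'rate-limited': the ACME server refused with urn:acme:error:rateLimited."""
    wanted, failed, findings = {}, set(), []
    for line in log_text.splitlines():
        if m := EXPAND.search(line):
            wanted[m.group(1)] = set(QUOTED.findall(m.group(2)))   # names to be added
        elif m := AUTHZ_FAILED.search(line):
            failed.add(m.group(1))
        elif m := INSTALLED.search(line):
            site = m.group(1)
            extras = wanted.get(site, set())
            if extras and extras <= failed:        # every new name failed: no gain
                findings.append(("wasted-reissue", site, sorted(extras)))
        elif m := RATE_LIMITED.search(line):
            findings.append(("rate-limited", m.group(1), []))
    return findings

if __name__ == "__main__":
    for kind, subject, names in analyse(SAMPLE_LOG):
        print(kind, subject, names)
```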


#14

Until this is verified, can my “old” certificates be revoked so I can create new ones? I need to get certificates for two domains and I can’t do that because of this issue. :frowning:


#15

No. Revoking certificates does not affect the rate limits. :frowning2: The main costs are signing the certificate, and signing OCSP responses, and revoking it doesn’t undo that.


#16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.