Too many certificates already issued for exact set of domains -> but it renewed anyway


#1

This error comes up a bit when I search startpage for others who already experienced this:

Attempting to renew cert (xxxxxx.com-0001) from /etc/letsencrypt/renewal/xxxxxx.com-0001.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: xxxxxx. Skipping.

When I head to the site and view the certificate in my browser, it was renewed TODAY. Except, the CN name is for the default site of the server (first alphabetically).

I used certbot to generate all of these SSL certs and I use it on multiple servers (both Ubuntu and CentOS), yet this appears to be the only server with this strange behavior.

When I view /etc/letsencrypt/live/ - for the directory with the affected domain, I now have two directories; one the old cert, another with the new cert, which is named xxxx.com-0001 – I am not sure when this appeared; perhaps last renewal? But judging by the renewal log above it was around before today.

A different domain (but same server) renewed at the same time today and its CN is accurate.

Is anyone familiar with what could be causing this?


#2

Hi @cryptkeeper,

The successful renewal but duplicative certificate lineage is likely due to rerunning Certbot with a very slightly different list of names. Or perhaps that happened some time ago but the recent success was due to finally getting past the rate limit period.

You can find out more about your situation by running

certbot certificates

and looking at the list of historic issuance for your domain on

https://crt.sh/

Often the underlying error about “too many certificates already issued for exact set of domains” comes about by mistakenly specifying --force-renewal (previously confusingly called --renew-by-default, which I think was my fault) in a renewal command line or in a cli.ini file.


#3

Hey thanks for the speedy reply!

Since my last post (before I saw yours) I deleted the /etc/letsencrypt/live/xx.com directories for the two affected domains.
Then ran certbot -d xxxxx.com to regenerate and it was successful; the CN name for both domains is accurate now.

Though I suspect come next renewal time, this issue may resurface.
certbot certificates
yields:

Renewal configuration file /etc/letsencrypt/renewal/xxxxsite1.com.conf produced an unexpected error:
expected /etc/letsencrypt/live/xxxxsite1.com/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/xxxxsite2.com.conf produced an unexpected error:
expected /etc/letsencrypt/live/xxxxsite2.com/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/xxxxsite2.com-0001.conf produced an unexpected
error: expected /etc/letsencrypt/live/xxxxxsite2.com-0001/cert.pem to be a symlink. Skipping.

The following renewal configuration files were invalid:
/etc/letsencrypt/renewal/lxx.com.conf
/etc/letsencrypt/renewal/xx.com.conf
/etc/letsencrypt/renewal/xx.com-0001.conf

What do you suggest to clear any prior misconfigs?


#4

You shouldn’t delete the live directory without also deleting the corresponding archive directory and the corresponding renewal/example.com.conf file. Normally you can use certbot delete, which will do all of this for you, instead of deleting these items yourself.
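An added example (not from this thread and not certbot's own code) that audits a certbot config directory for the two problems raised in #2 and #4: a live/<name>/cert.pem that is no longer a symlink (the "expected ... to be a symlink" error in #3), and force-renewal / renew-by-default set in cli.ini, which re-issues on every run and hits the "exact set of domains" limit. It assumes the standard certbot layout and builds a constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit a certbot config directory
# for the two problems discussed above. 1) live/<name>/cert.pem that is
# not a symlink into archive/, which is what certbot's "expected ... to
# be a symlink" error complains about after a lineage was deleted by
# hand. 2) force-renewal / renew-by-default set in cli.ini, which makes
# every run request a new certificate and exhausts the "too many
# certificates already issued for exact set of domains" limit.
# Assumptions: standard certbot layout (renewal/, live/, archive/,
# cli.ini); the sample tree below is constructed for offline use.

audit_certbot_dir() {            # $1 = config dir; prints one finding per line
    dir=$1
    for conf in "$dir"/renewal/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        if [ ! -L "$dir/live/$name/cert.pem" ]; then
            echo "BROKEN_LINEAGE $name (run: certbot delete --cert-name $name, then re-issue)"
        fi
    done
    if [ -f "$dir/cli.ini" ] &&
       grep -Eiq '^[[:space:]]*(force-renewal|renew-by-default)[[:space:]]*(=[[:space:]]*(true|1))?[[:space:]]*$' "$dir/cli.ini"; then
        echo "FORCE_RENEWAL cli.ini forces re-issuance on every run"
    fi
}

count_findings() {               # $1 = config dir; prints number of findings
    audit_certbot_dir "$1" | wc -l | tr -d ' '
}

make_sample_tree() {             # constructs a fake config dir; prints its path
    root=$(mktemp -d)
    for n in site1.com site2.com site2.com-0001; do
        mkdir -p "$root/renewal" "$root/live/$n" "$root/archive/$n"
        : > "$root/archive/$n/cert1.pem"
        printf '[renewalparams]\n' > "$root/renewal/$n.conf"
    done
    # site1.com and site2.com-0001 are healthy: cert.pem is a relative symlink
    ln -s ../../archive/site1.com/cert1.pem "$root/live/site1.com/cert.pem"
    ln -s ../../archive/site2.com-0001/cert1.pem "$root/live/site2.com-0001/cert.pem"
    # site2.com was "repaired" by copying a file over the symlink (broken lineage)
    cp "$root/archive/site2.com/cert1.pem" "$root/live/site2.com/cert.pem"
    printf 'rsa-key-size = 4096\nforce-renewal = true\n' > "$root/cli.ini"
    echo "$root"
}
```

Point audit_certbot_dir at /etc/letsencrypt on a real host; the constructed tree is only for trying it out.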


#5

Shoot, I wasn’t aware of that command!

Thank you; will keep this bookmarked for if this occurs again. Thanks for your help.

