"too many certificates already issued for exact set of domains" error, but crt.sh shows less than 20

My domain is:
www.liferayfaces.org

I ran this command:
We don’t run a command directly, but use greenlock. If we translate their API to
commands, it would be something like:
cli.js certonly --agree-tos --email <email> --webroot-path <webroot-path> --config-dir <config-dir> --domains www.liferayfaces.org --server https://acme-v01.api.letsencrypt.org/directory

It produced this output:
{ type: 'urn:acme:error:rateLimited', detail: 'Error creating new cert :: too many certificates already issued for exact set of domains: www.liferayfaces.org',

My web server is (include version):
HAProxy 1.7.9 2017/08/18

The operating system my web server runs on is (include version):
Ubuntu 17.04

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and
version of the control panel):
No

My question is:
Looking at the error above, have we hit the 20 Certificates per registered domain per week limit, Duplicate Certificate limit - 5 certificates per week or some other limit?
Because, crt.sh shows 6 certificates in total issued for www.liferayfaces.org - five on 2017-09-16 and one on 2017-09-18 and this doesn’t seem to match any of these limits?
For %.liferayfaces.org there are 8 certificates in total - 6 for www.liferayfaces.org and two for httpd.liferayfaces.org
What exactly is the problem?

Thanks,

It’s the duplicate certificate limit. It’s documented to be 5, but seems to be 6 in practice. :sweat: (Like a baker’s dozen! But completely different.)

Why were so many certificates created? Are their private keys still available and usable?

As the rate limiting documentation says, if you need more certificates, you can bypass that limit by adding an additional name (e.g. liferayfaces.org).

Edit: If no one beat me to it, I filed a bug about the rate limit off-by-one issue.

3 Likes

Hey @mnordhoff,

Thanks for your answer! Why are there so many - I don’t know, will have to talk to the customer.

So the limit is 6, you say? Interesting, thanks for clarifying that!

Regards,
Iliyan

To clarify just a bit, there are two different limits regarding number of certificates. 5 (or 6) with the exact same set of domains, and 20 that include the same base domain, per week. You hit the former, which can be evaded by adding a subdomain. The latter is a more absolute limit.

4 Likes
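The two limits described in this thread count different things, which is why 6 certificates can trip one limit while 8 certificates stay well under the other. The sketch below is an added example, not code from any poster or from Let's Encrypt: it tallies an issuance list both ways over a 7-day window. The issuance list is constructed from the counts quoted in the question (the dates of the two httpd.liferayfaces.org certificates are assumed), and `registered_domain` is a simplified stand-in for a Public Suffix List lookup.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)
DUPLICATE_LIMIT = 5    # documented value; the thread reports 6 in practice
PER_DOMAIN_LIMIT = 20  # certificates per registered domain per week

# Constructed sample: the counts come from the question, the httpd dates are assumed.
ISSUED = (
    [("2017-09-16", ["www.liferayfaces.org"])] * 5
    + [("2017-09-18", ["www.liferayfaces.org"])]
    + [("2017-09-15", ["httpd.liferayfaces.org"]),
       ("2017-09-17", ["httpd.liferayfaces.org"])]
)

def registered_domain(name):
    # Simplification (assumption): the last two labels. Real tooling must use
    # the Public Suffix List, otherwise names under e.g. co.uk are grouped wrongly.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def name_set(names):
    # The duplicate limit keys on the exact set of names, order-insensitive.
    return frozenset(n.lower().rstrip(".") for n in names)

def check_request(issued, names, today):
    """Count prior issuance relevant to a request for `names` on `today` (YYYY-MM-DD)."""
    now = datetime.strptime(today, "%Y-%m-%d")
    exact, per_domain = Counter(), Counter()
    for day, cert_names in issued:
        when = datetime.strptime(day, "%Y-%m-%d")
        if not (now - WINDOW < when <= now):
            continue  # outside the 7-day window
        exact[name_set(cert_names)] += 1
        # One certificate counts once per registered domain it covers.
        for dom in {registered_domain(n) for n in cert_names}:
            per_domain[dom] += 1
    same_set = exact[name_set(names)]
    same_domain = max(per_domain[registered_domain(n)] for n in names)
    return {
        "exact_set_count": same_set,
        "duplicate_limit_hit": same_set >= DUPLICATE_LIMIT,
        "registered_domain_count": same_domain,
        "domain_limit_hit": same_domain >= PER_DOMAIN_LIMIT,
    }

if __name__ == "__main__":
    print(check_request(ISSUED, ["www.liferayfaces.org"], "2017-09-19"))
    print(check_request(ISSUED, ["www.liferayfaces.org", "liferayfaces.org"], "2017-09-19"))
```

The second call shows that a request with an additional name is a different exact set with no prior issuance, while it still counts toward the per-registered-domain total.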
