Too many certificates already issued for exact set of domains

While working on a helm continuous integration workflow for EKS, I accidentally provisioned too many certificates when testing fresh installs + upgrades as I was deleting namespaces before doing fresh installs. I’m now getting the error:

Failed to create Order: acme: urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates already issued for exact set of domains: api.stage.imagine-impact.com: see https://letsencrypt.org/docs/rate-limits/

When I check the rate limits though on https://crt.sh/?q=.imagine-impact.com my 7 day issuance count is only at 34, so it’s not clear why I’m seeing this.

Using Alpine 3.10, Helm 3.0.2, jetstack/cert-manager .12.0

1 Like

It's a different rate limit - 5 per week for an exact duplicate set of domains:

Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificate per Registered Domain limit until March 2019, but they don’t anymore.

A certificate is considered a renewal (or a duplicate) of an earlier certificate if it contains the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [ www.example.com , example.com ], you could request four more certificates for [ www.example.com , example.com ] during the week. If you changed the set of hostnames by adding [ blog.example.com ], you would be able to request additional certificates.

Since the private keys for your duplicate certificates are destroyed, your choices are either to wait ~32 hours or issue a certificate with a different set of domains.

Edit: you can more clearly see the duplicate certificate rate limit in effect here: Let's Debug Toolkit

3 Likes

Thank you that’s really helpful. It looks like as a stop-gap measure I can simply swap out “stage” for “staging” as to get around the 5/5 limit while still being under the limit quota

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.