Too many certificates already issued for exact set of domains


#1

Hi There,

So, I have been using letsencrypt for my web/email server for a couple of years now, and it has been working fine until the 2nd Feb, when my certificate expired, and I tried to manually renew it. I got the following error:

An unexpected error occurred:
There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: ardeus-technology.co.uk,autoconfig.ardeus-technology.co.uk,cloud.ardeus-technology.co.uk,mail.ardeus-technology.co.uk: see https://letsencrypt.org/docs/rate-limits/

Renewals are handled automatically in cron.daily with the following script:

/root/letsencrypt/letsencrypt-auto renew -q -c /etc/letsencrypt/cli.conf \
--pre-hook="find /etc/letsencrypt/prerenew/ -maxdepth 1 -type f -executable -exec {} \;" \
--post-hook="find /etc/letsencrypt/postrenew/ -maxdepth 1 -type f -executable -exec {} \;"

This has worked just fine. Looking at https://crt.sh/?q=ardeus-technology.co.uk I can see that it was working as intended, with certificates being renewed every 2 months, until the 4th of January 2019. From there on it seems to have generated a new certificate every single day, up until it hit the weekly limits.

So, I have disabled the crontab for now, and will re-run the renewal manually in a week’s time (unless there is a way to do a one-shot renewal now?). However, I made no changes to the server at New Year, so I am a bit confused as to why on the 4th Jan it would start behaving differently. I would like to put this back into cron, so it would be nice to find out where things went wrong.

Any help appreciated, let me know if more information is needed. Requested info so far:

My domain is:
ardeus-technology.co.uk

I ran this command:

/root/letsencrypt/certbot-auto certonly -d ardeus-technology.co.uk,autoconfig.ardeus-technology.co.uk,cloud.ardeus-technology.co.uk,mail.ardeus-technology.co.uk

(When I tried manual renewal)

It produced this output:
An unexpected error occurred:
There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: ardeus-technology.co.uk,autoconfig.ardeus-technology.co.uk,cloud.ardeus-technology.co.uk,mail.ardeus-technology.co.uk: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version):
Server version: Apache/2.4.10 (Debian)
Server built: Jan 29 2019 18:30:53

The operating system my web server runs on is (include version):
Debian GNU Linux 8

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.30.2


#2

That shouldn’t produce so many certs each day: https://crt.sh/?q=ardeus-technology.co.uk

So what do all the automated jobs look like?
Perhaps in cron:
sudo crontab -l

or systemd:
systemctl list-timers --all
cat /lib/systemd/system/certbot.service

What does certbot certificates show?


#3

I agree it should not, but it seems to be doing so. Here are the details you asked for:

~# sudo crontab -l
@weekly /usr/sbin/logwatch

~# systemctl list-timers --all
NEXT                         LEFT     LAST                         PASSED UNIT                         ACTIVATES
Wed 2019-02-06 07:57:35 UTC  16h left Tue 2019-02-05 07:57:35 UTC  7h ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
n/a                          n/a      n/a                          n/a    systemd-readahead-done.timer systemd-readahead-done.service

2 timers listed.

~# cat /lib/systemd/system/certbot.service
cat: /lib/systemd/system/certbot.service: No such file or directory

~# /root/letsencrypt/certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ardeus-technology.co.uk
    Domains: ardeus-technology.co.uk
    Expiry Date: 2019-02-02 09:24:05+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/ardeus-technology.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ardeus-technology.co.uk/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

There are no other automated jobs related to letsencrypt apart from the cron entry, and now that has been removed as well in order to allow the limit counters to reset and for me to renew.


#4

OK, something has “damaged” its “thinking”.
It sees the cert is expired, attempts to renew it.
Gets a new cert.
But fails to save it / update the existing one.
[cycle repeats daily]

I think you may need to (as root)
sudo /root/letsencrypt/certbot-auto delete --cert-name ardeus-technology.co.uk

then get a completely new one.


#5

OK, I am willing to try that. However, if I delete the certificate, can I get a new one straight away, or do I have to wait for the limit period to end?

As things stand, with the expired cert things are partially broken; however, if I delete the cert the server won’t work at all (as it is pure SSL, with no unencrypted fallback) until I get a new one.


#6

This can happen when people try to rename things in /etc/letsencrypt, especially changing the target of the symlinks in /etc/letsencrypt/live.


#7

You would still have to wait for the limit to end, unless you can add or remove any name (so that it won’t be the “exact set of domains”).
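To make the “exact set of domains” point concrete, here is an added example (not code from the thread or from certbot) that checks an issuance history against the duplicate-certificate limit as documented on the linked rate-limits page at the time of this thread (5 certificates per rolling 7 days for an identical set of names). The issuance log is constructed to mimic what crt.sh showed: one certificate per day for the same four names.

```python
"""Check issuance history against the "exact set of domains" rate limit.

Added example, not part of the thread or of certbot. Assumes the limit
documented at https://letsencrypt.org/docs/rate-limits/ when this thread
was written: at most 5 certificates per rolling 7 days for one identical
set of names. Adding or removing any name makes it a different set.
"""
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5            # certificates per window for one exact set
WINDOW = timedelta(days=7)     # rolling window used by the limit


def normalize(names):
    """Order and case do not matter, but the membership must be identical."""
    return frozenset(n.strip().lower().rstrip(".") for n in names if n.strip())


def recent_issuances(history, names, now):
    """Issuance times inside the window for exactly this set of names."""
    key = normalize(names)
    return sorted(ts for ts, issued in history
                  if normalize(issued) == key and now - WINDOW < ts <= now)


def would_be_limited(history, names, now):
    return len(recent_issuances(history, names, now)) >= DUPLICATE_LIMIT


def next_allowed(history, names, now):
    """Earliest time a new cert for this exact set would be accepted."""
    recent = recent_issuances(history, names, now)
    if len(recent) < DUPLICATE_LIMIT:
        return now
    # Limited until the oldest issuance that still counts ages out.
    return recent[-DUPLICATE_LIMIT] + WINDOW


# Constructed sample resembling the thread: one renewal per day.
FOUR_NAMES = ["ardeus-technology.co.uk", "autoconfig.ardeus-technology.co.uk",
              "cloud.ardeus-technology.co.uk", "mail.ardeus-technology.co.uk"]
HISTORY = [(datetime(2019, 1, 30, 9) + timedelta(days=i), FOUR_NAMES)
           for i in range(6)]   # 30 Jan .. 4 Feb 2019, 09:00 each day
NOW = datetime(2019, 2, 5, 12)  # moment the poster tried to renew (assumed)

if __name__ == "__main__":
    print(would_be_limited(HISTORY, FOUR_NAMES, NOW))                 # True
    print(next_allowed(HISTORY, FOUR_NAMES, NOW))                     # 2019-02-07 09:00
    print(would_be_limited(HISTORY, FOUR_NAMES[:2] + FOUR_NAMES[3:], NOW))  # False
```

Dropping the cloud name yields a set with no issuances in the window, which is why the poster could get a certificate immediately rather than waiting for the oldest daily issuance to age out.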


#8

Thanks, I hadn’t considered the literal implication of “exact set”. I dropped the cloud subdomain, as I will most likely move that to a new server with more storage, and re-created the domains.

Happy to say I got a new cert and the server is working properly again, thanks to both of you for your help :slight_smile:

I will try to renew the cert tomorrow, and then check to see if it works as intended, or whether a new cert is generated again.


#9

This is good news.

Please show
certbot certificates

You should try the --dry-run test to ensure it can renew using http.


#10

I can confirm it does the right thing now: attempts to renew the cert come back with the “Cert not yet due for renewal” message.

Testing renewal with --dry-run succeeded as well, and the output of “certbot certificates” shows:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
 Certificate Name: ardeus-technology.co.uk
   Domains: ardeus-technology.co.uk autoconfig.ardeus-technology.co.uk mail.ardeus-technology.co.uk
   Expiry Date: 2019-05-06 17:58:54+00:00 (VALID: 85 days)
   Certificate Path: /etc/letsencrypt/live/ardeus-technology.co.uk/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/ardeus-technology.co.uk/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

So it’s all good now :slight_smile: