Too many certificates already issued

I tried to renew my certificate for castcollective.com but it never worked. So I removed it and am trying to reinstall it. However, I am getting the error message that too many certificates have been issued. I have 2 other domains: teamdynamicsboston.com and fitlab.de which are using a certificate.

Do I have to wait a certain time until I can request it?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: castcollective.com

I ran this command: /opt/letsencrypt/letsencrypt-auto certonly --debug --webroot -w /var/www/html/castcollective -d castcollective.com -d www.castcollective.com --config /etc/letsencrypt/config.ini --agree-tos

It produced this output:

Requesting a certificate for castcollective.com and www.castcollective.com
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1412, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 1293, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 134, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 441, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/client.py", line 406, in _get_order_and_authorizations
    orderr = self.acme.new_order(csr_pem)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 886, in new_order
    return self.client.new_order(csr_pem)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 668, in new_order
    response = self._post(self.directory['newOrder'], order)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 97, in _post
    return self.net.post(*args, **kwargs)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 1201, in post
    return self._post_once(*args, **kwargs)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 1214, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 1072, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: castcollective.com,www.castcollective.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
Server version: Apache/2.4.46 (Amazon)
Server built: Aug 24 2020 18:40:26

The operating system my web server runs on is (include version):

NAME="Amazon Linux AMI"
VERSION="2018.03"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2018.03"
PRETTY_NAME="Amazon Linux AMI 2018.03"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2018.03:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot version: 1.10.1

1 Like

Hi @DieterReuther

That's wrong. Your error message says: it has worked, you have created a lot of new certificates (more than one).

Use one of these 60 - 85 days, then create one new certificate, not a lot.

2 Likes

Hello @DieterReuther,

As @JuergenAuer said, you have no problem issuing certificates; indeed, you are issuing one every day until you hit the rate limit of 5 certificates covering the same set of domains per 7 days. Then you can't issue the certificate because of the rate limit, and after 3 days the rate limit lets you issue a new certificate and you start again.

That seems to be because you have some problem in your /etc/letsencrypt/ dir: certbot doesn't know you have a new certificate, maybe because you have the wrong links inside /etc/letsencrypt/live/castcollective.com. Did you modify any dir or file/link inside /etc/letsencrypt/?

Show the output of these commands:

sudo /opt/letsencrypt/letsencrypt-auto certificates

sudo ls -la /etc/letsencrypt/live/castcollective.com

sudo ls -lrt /etc/letsencrypt/archive/castcollective.com

Cheers,
sahsanu

2 Likes
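The link check suggested in the reply above can be scripted. This is an added example, not part of the thread and not certbot's own code: it verifies that each file in live/<name>/ is a symlink resolving to a non-empty file in archive/<name>/. `check_lineage`, `build_sample` and the `example.test` tree are hypothetical names, and the sample tree is constructed in a temporary directory.

```python
import os

# File names certbot keeps in live/<name>/, each a symlink into archive/<name>/
EXPECTED = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")

def check_lineage(config_dir, name):
    """Return a list of problems in live/<name>; an empty list means the links are sane."""
    live = os.path.join(config_dir, "live", name)
    archive = os.path.realpath(os.path.join(config_dir, "archive", name))
    if not os.path.isdir(live):
        return ["missing directory: " + live]
    problems = []
    for item in EXPECTED:
        path = os.path.join(live, item)
        if not os.path.islink(path):
            problems.append(item + ": missing or not a symlink")
            continue
        target = os.path.realpath(path)
        if not os.path.isfile(target):
            problems.append(item + ": dangling link -> " + os.readlink(path))
        elif os.path.dirname(target) != archive:
            problems.append(item + ": points outside archive/" + name)
        elif os.path.getsize(target) == 0:
            problems.append(item + ": target is empty")
    return problems

def build_sample(root, name, version=1):
    """Create a constructed, certbot-style live/ and archive/ tree under root."""
    archive = os.path.join(root, "archive", name)
    live = os.path.join(root, "live", name)
    os.makedirs(archive)
    os.makedirs(live)
    for item in EXPECTED:
        versioned = "%s%d.pem" % (item[:-len(".pem")], version)
        with open(os.path.join(archive, versioned), "w") as fh:
            fh.write("placeholder, not real key material\n")
        # Relative link, as in a real live/ directory
        os.symlink(os.path.join("..", "..", "archive", name, versioned),
                   os.path.join(live, item))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, "example.test")
        print(check_lineage(root, "example.test"))   # intact tree
        os.remove(os.path.join(root, "archive", "example.test", "privkey1.pem"))
        print(check_lineage(root, "example.test"))   # key removed from archive/
```

On a real host the call would be `check_lineage("/etc/letsencrypt", "castcollective.com")`, run as root.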

PS: Additional: You use certonly. Webserver restarted?

That's always required (if the links are ok).

2 Likes

@sahsanu
There are no files in the letsencrypt folders for castcollective.com. I deleted everything because I was not able to renew it manually. That's also why I wanted to reinstall it.

@JuergenAuer I can't restart the web server:
sudo apachectl stop
AH00526: Syntax error on line 419 of /etc/httpd/conf/httpd.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/castcollective.com/fullchain.pem' does not exist or is empty

I guess the certificates have been issued but are not being downloaded. I assumed a fresh install would fix things but it fails with the error: Error creating new order :: too many certificates already issued for exact set of domains: castcollective.com,www.castcollective.com: see https://letsencrypt.org/docs/rate-limits/

Can I manually download the certificates?

1 Like

If you made a backup before, there is no problem. If you didn't back up, then that was a bad decision, because I'm pretty sure all the certs and keys for your domain were there in the archive directory.

Yes, you can, but only the certificate, not the private key, so you won't solve your problem.

So, as you have reached the limit of 5 certificates per same set of domains per 7 days, you have at least 3 options:

1.- Wait until Tue Jan 19 13:00:00 UTC 2021 and then you could issue a new certificate covering your two domains.

2.- Add a new domain to your cert, like blog.castcollective.com or dev.castcollective.com or whatever, so the new cert will cover your 2 current domains and a new one; it won't hit the rate limit and you could get the certificate right now.

3.- Issue a new certificate covering only castcollective.com and another one covering only www.castcollective.com and you could get your certificates right now.

As you have deleted the certificates and your Apache conf is pointing to them, you should fix that before trying to issue a new cert.

2 Likes
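The three options in the reply above follow from how the exact-set limit is counted. This is an added example, not part of the thread: it computes the earliest permitted order time from a list of past issuances, using the 5-per-7-days figure quoted in the thread. The issuance history is constructed (not taken from CT logs), and `name_set`, `next_allowed` and `utc` are hypothetical helper names.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 5                    # certificates per exact set of names (figure quoted in the thread)
WINDOW = timedelta(days=7)   # sliding window (figure quoted in the thread)

def name_set(names):
    """Normalise so that order and letter case do not create a 'different' set."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)

def next_allowed(issued, names, now):
    """Earliest time a certificate for exactly `names` can be ordered.

    issued: iterable of (issue_time, names) pairs, e.g. collected from crt.sh.
    Only the exact-set limit is modelled; other rate limits are ignored.
    """
    wanted = name_set(names)
    recent = sorted(t for t, n in issued
                    if name_set(n) == wanted and timedelta(0) <= now - t < WINDOW)
    if len(recent) < LIMIT:
        return now
    # Blocked until the LIMIT-th most recent issuance leaves the window.
    return recent[-LIMIT] + WINDOW

def utc(day, hour):
    """Timestamp in January 2021, UTC (the month discussed in the thread)."""
    return datetime(2021, 1, day, hour, tzinfo=timezone.utc)

PAIR = ["castcollective.com", "www.castcollective.com"]
# Constructed history (not taken from CT logs): one issuance a day, Jan 12-16.
ISSUED = [(utc(d, 13), PAIR) for d in range(12, 17)]
NOW = utc(18, 10)

if __name__ == "__main__":
    print("same two names:  ", next_allowed(ISSUED, PAIR, NOW))
    print("plus a third:    ", next_allowed(ISSUED, PAIR + ["blog.castcollective.com"], NOW))
    print("apex name alone: ", next_allowed(ISSUED, PAIR[:1], NOW))
```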

Thank you for all the help. I will wait until tomorrow before I try to issue a new certificate. Hopefully that works.

2 Likes

@sahsanu @JuergenAuer Update: I installed the certificate again and everything worked fine. The renewal command also correctly reports that nothing needs to be renewed instead of giving me an error message. Not sure why the certificate caused all the trouble before.

Thank you both for your help!

2 Likes
