Too many certificates already issued

Tommyboy · December 9, 2015, 5:43pm

I took 4 certificates for sub domains in the same domain.
1:mydomain.com
2:www.mydomain.com
3:opensource.mydomain.com
4:mail.mydomain.com

I could renew certificates of mydomain.com, www.mydomain.com and opensource.mydomain.com but when I tried to renew certificate of mail.mydomain.com, it showed the following error.

An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: mydomain.com
Please see the logfiles in /var/log/letsencrypt for more details.

I need mail.mydomain.com certificate so I tried to renew mail.mydomain.com certificate after I revoked opensource.mydomain.com certificate but it shows the same error message again.

What should I do to renew mail.mydomain.com certificate?

Osiris · December 9, 2015, 5:46pm

There are rate limits in effect, including the amount of certificates issued per domain per time slot. Guess you’ll have to wait.

But you do know you can add multiple (sub)domains to a single certificate?

ametad · December 10, 2015, 9:46am

Hello,
I also have this rate limit problem. Osiris thank you for mentioning something that could help... but I am not sure how. could you elaborate on your hint?

If I understand correctly one can give multiple domain names as argument to the CLI client of Letsencrypt like so:

./letsencrypt-auto -d domain.com -d sub.domain.com

Is this how SAN certificates are created? If that is the case I am still wondering why I get the same error:

There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for:

Osiris · December 10, 2015, 9:52am

Yes, you're correct: by using multiple -d switches, you'll get one certificate with multiple domains. I believe the first -d switch will be the CommonName (CN) domain. And all domains are added to the SAN list. But even so, if you've hit the rate limit, that limit doesn't suddenly vanish

Perhaps you can experiment first by using the --server https://acme-staging.api.letsencrypt.org/directory option. That way you can try the client and receive certificates (which won't work online, 'cause they'll be signed by some "Happy hacker" CA in stead of Let's Encrypt Intermediate X1) and the staging server doesn't have such strict rate limits.

ametad · December 10, 2015, 10:04am

Well I am a happy developer right now Thank you for the reply!

The one certificate you mention, for the multiple domains… how is this reflected in the directory structure here: /etc/letsencrypt/ if you might know?

The reason I ask is; I have issued cert(s) from Letsencrypt with multiple “-d domain.com” arguments and I see a directory for every (sub)domain with a corresponding certificate file.

But perhaps my first steps where:
./letsencrypt-auto -d domain.com
./letsencrypt-auto -d sub.domain.com

And after that I tried:
./letsencrypt-auto -d domain.com -d sub.domain.com

kelunik · December 10, 2015, 10:10am

Revocation doesn’t affect the rate limit and doesn’t give you new certificates to issue. You’ll have to wait 7 days (currently 5 certificates / 7 days).

Tommyboy · December 10, 2015, 3:52pm

Thank you for reply, all three of you!
I did not know that there are rate limits, I can add multiple sub-domain to one domain and the revocation can not remove the rate limit.
I tried “./letsencrypt-auto certonly --renew-by-default --standalone -d www.mydomain.com -d mydomain.com -d mail.mydomain.com --debug” but it shows the same error… looks like I have still the rate limit.
Maybe I have to wait for a week…
Am I able to recreate revoked certificate?

Zoddo · December 10, 2015, 7:56pm

No, revocation doesn't reset limits.

rdev5 · December 12, 2015, 3:15pm

This is a bit problematic because koding.io right now is blocked:

Error creating new cert :: Too many certificates already issued for: koding.io

So pretty much no one using koding.io at the moment is able to create new a certificate until this lets up, even though none of us actually “own” koding.io but are restricted to our subdomains (i.e. user54321.koding.io).

jhass · December 12, 2015, 3:16pm

You have to ask the owner of koding.io to add it to the public suffix list.

webperf · December 15, 2015, 8:09pm

Is there an ETA when this limit will be increased?

hanscees · December 18, 2015, 7:13pm

Yes please give us more certificates per day. I am writing an howto for hiawatha server as reverse proxy and alas after testing 5 times hit the limit.
I had just deleted the /etc/letsencrypt/renewal and live dir because I had errors and BAM hit the limit.

jhass · December 18, 2015, 7:21pm

hanscees · December 18, 2015, 7:32pm

Hi, wish I had know you had such and environment. I copied the code from some website on hiawatha.

Perhaps you could echo
"please be advised to use our testing servers if you are testing to use this server xxxx"

when the script is run:
./letsencrypt-auto certonly -a webroot --webroot-path $WEBROOT -d $i --server https://acme-v01.api.letsencrypt.org/directory

??

I just didn’t know.

Osiris · December 18, 2015, 9:14pm

And in some countries the manual of the microwave warns the user you shouldn’t put your cat in the microwave in order to dry it… And expect it to live afterwards…

cyball · March 12, 2016, 10:50pm

Hi,

I have the same issue but the point in my case is … I have one domain distributed over multiple ip’s/location’s how can i handle that the best way?

Thx
BR cyball

serverco · March 13, 2016, 7:07am

If you can change your DNS through an API, then you can use the DNS challenge ( as that just uses DNS and doesn’t need to do anything on each server). Alternatively use getssl which is a bash script written for automating certs on remote servers ( as long as you have SSH access to the various remote servers using keys ) getssl will also perform the DNS challenge method if you wanted to do it that way.

kelunik · March 13, 2016, 4:23pm

You can redirect all traffic to /.well-known/acme-challenge/* to a host having only a single IP that handles your issuance.

cyball · March 14, 2016, 4:06pm

@serverco, @kelunik,

thx for the info the getssl solution seems very good, I will give it a try

BR cyball

BlitzkriegSoftware · March 29, 2017, 11:11pm

I have what I assume will be a common use case. I have VMs in Azure that I am attempting to make certs for, when the rate limit is calculated it apparently uses the top level domain e.g. Azure.com, and not my sub-domain of the machines in my subscription. IMHO this is a bug…

Submit-ACMECertificate : Error creating new cert :: Too many certificates already issued for: azure.com
At line:1 char:2
+  Submit-ACMECertificate cert01
+  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceBusy: (ACMESharp.Vault.Model.CertificateInfo:CertificateInfo) [Submit-ACMECertif
   icate], AcmeWebException
    + FullyQualifiedErrorId : urn:acme:error:rateLimited (429),ACMESharp.POSH.SubmitCertificate

Is there a work-around for this use case? I assume this will happen in AWS and GOOGLE clouds too.

Topic		Replies	Views
Too many certificates (5) already issued for this exact set of domains in the last 168 hours Help	5	1412	September 24, 2022
Too many certificates already issued for: MyDomain.com Help	2	1917	December 4, 2016
Too many Certs already issued Help	4	2480	January 17, 2017
Renew certificate with expanding domains	33	12451	November 9, 2016
Too many cert for my domain	2	2286	December 7, 2015

Too many certificates already issued

Related topics