Too many certificates issued


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
ondemand.com

I ran this command:
certbot certonly --manual --preferred-challenges dns-01 -d apm.ondemand.com -d ro1-apm.ondemand.com -d ro1-mon.ondemand.com -d ro1-003.apm.ondemand.com --server https://acme-v02.api.letsencrypt.org/directory
I have used this before to create valid certificates; however, this error suggests that there are too many certificate requests or certs created, which does not seem to be true. I tried over the course of multiple weeks to check if I really run into rate limits.
I also tried to verify via crt.sh, which doesn’t list any certificates for ondemand.com.

It produced this output:
An unexpected error occurred:
There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for: ondemand.com: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version):
using certonly

The operating system my web server runs on is (include version):
Debian 8

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Thanks,
Reinhard


#2

Hi @reinhard-brandstaedt,

The rate limit problem here is certificates for subdomains of ondemand.com:

https://crt.sh/?Identity=%.ondemand.com&iCAID=16418

It looks like certificates for subdomains containing a new hash or key value are being created automatically with some frequency. Is there any way to do this less often, create them under a different domain, combine several of these into one certificate, or otherwise reduce the frequency of this process?


#3

Hi @schoen,

thanks! I didn’t know that one can query subdomains that way!
That makes a lot of sense, it seems that someone else in our organisation is messing with cert creation! I will track that down.
Thanks a lot!
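
The check suggested in post #2, as an added example that is not part of the original thread: count distinct certificates for a registered domain inside a 7-day window from Certificate Transparency rows, and group them by parent name to see which automation is consuming the limit. The rows are constructed and shaped like crt.sh JSON output; `example.com`, the two-label registered-domain shortcut, and the limit of 50 are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed rows shaped like crt.sh JSON output (?output=json); not real log data.
SAMPLE_ROWS = [
    {"serial_number": "01", "not_before": "2018-06-10T08:00:00", "name_value": "3f9a1c.tenant.example.com"},
    # A precertificate and its final certificate are logged separately with the same serial.
    {"serial_number": "01", "not_before": "2018-06-10T08:00:00", "name_value": "3f9a1c.tenant.example.com"},
    {"serial_number": "02", "not_before": "2018-06-12T09:30:00", "name_value": "77be02.tenant.example.com"},
    {"serial_number": "03", "not_before": "2018-06-13T11:00:00", "name_value": "apm.example.com\nro1-apm.example.com"},
    {"serial_number": "04", "not_before": "2018-05-01T00:00:00", "name_value": "old.tenant.example.com"},
    {"serial_number": "05", "not_before": "2018-06-14T00:00:00", "name_value": "www.example.org"},
]
NOW = datetime(2018, 6, 15)   # constructed "current time"
ASSUMED_LIMIT = 50            # assumption: confirm against the rate-limits page in the error

def registered_domain(name):
    # Simplification: last two labels. The CA uses the Public Suffix List instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def parent_pattern(name, domain):
    # Collapse per-hash hostnames: 3f9a1c.tenant.example.com -> *.tenant.example.com
    return name if name == domain else "*." + name.split(".", 1)[1]

def weekly_issuance(rows, domain, now, window_days=7):
    """Return (distinct certificates in window, Counter of parent-name patterns)."""
    cutoff = now - timedelta(days=window_days)
    seen, patterns = set(), Counter()
    for row in rows:
        issued = datetime.fromisoformat(row["not_before"])  # approximates issuance time
        names = [n for n in row["name_value"].lower().split("\n")
                 if registered_domain(n) == domain]
        if not names or not (cutoff <= issued <= now) or row["serial_number"] in seen:
            continue
        seen.add(row["serial_number"])
        for pat in {parent_pattern(n, domain) for n in names}:
            patterns[pat] += 1
    return len(seen), patterns

if __name__ == "__main__":
    count, patterns = weekly_issuance(SAMPLE_ROWS, "example.com", NOW)
    print(f"{count} certificates in window, {ASSUMED_LIMIT - count} left under assumed limit")
    for pat, n in patterns.most_common():
        print(f"{n:4d}  {pat}")
```

The pattern with the highest count points at the hostname scheme, and so the team or job, that is issuing most often.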