Too many certificates Sophos UTM

Dear all,

I'm using the SOPHOS UTM integrated Let’s Encrypt module to get certificates. Due to a DNS resolution problem on my appliance, I got the following error message:

2019:11:07-01:34:13 utmcluster-1 letsencrypt[23144]: E Renew certificate: COMMAND_FAILED: "type": "urn:acme:error:rateLimited",
2019:11:07-01:34:13 utmcluster-1 letsencrypt[23144]: E Renew certificate: COMMAND_FAILED: "detail": "Error creating new cert :: too many certificates already issued for exact set of domains: mydomain.com,www.mydomain.com: see https://letsencrypt.org/docs/rate-limits/",
2019:11:07-01:34:13 utmcluster-1 letsencrypt[23144]: E Renew certificate: COMMAND_FAILED: "status": 429

UTM will try every single night to renew the certificate.

My certificate will be invalid in 29 days. Can I check for my domain when the rate limit counter will be reset? I want to avoid my site stopping working in 29 days.

Best regards
Alex

Hi @musiol.alexander

Please read that document. You have already created new certificates.

Where are these? Use one of these.

Dear @JuergenAuer,

thanks for the response.

In the logs I can see that the public and private key should be under /var/storage/chroot-reverseproxy/var/lib/dehydrated/cert_data/certs, but I cannot find any keys for the domain.

Best Regards
Alex

Please answer all of the following questions:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

My domain is:
corpus-sireo.com

I ran this command:
running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain www.corpus-sireo.com --domain corpus-sireo.com

It produced this output:
2019:11:06-03:54:37 utmcluster-2 letsencrypt[18761]: I Renew certificate: command completed with exit code 256
2019:11:06-03:54:37 utmcluster-2 letsencrypt[18761]: E Renew certificate: COMMAND_FAILED: ERROR: Problem connecting to server (get for http://cert.int-x3.letsencrypt.org/; curl returned with 6)
2019:11:06-03:54:37 utmcluster-2 letsencrypt[18761]: E Renew certificate: COMMAND_FAILED: ERROR: Walking chain has failed, your certificate has been created and can be found at /var/storage/chroot-reverseproxy/var/lib/dehydrated/cert_data/certs/www.corpus-sireo.com/cert-1573008853.pem, the corresponding private key at privkey.pem. If you want you can manually continue on creating and linking all necessary files. If this error occurs again you should manually generate the certificate chain and place it under /var/storage/chroot-reverseproxy/var/lib/dehydrated/cert_data/chains/4f06f81d.chain (see http://cert.int-x3.letsencrypt.org/)
2019:11:06-03:54:37 utmcluster-2 letsencrypt[18761]: I Renew certificate: sending notification WARN-603
2019:11:06-03:54:37 utmcluster-2 letsencrypt[18761]: [WARN-603] Let’s Encrypt certificate renewal failed accessing Let’s Encrypt service
2019:11:06-03:54:37 utmcluster-2 letsencrypt[18761]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

My web server is (include version):
N/A, cert is stored on fw appliance

The operating system my web server runs on is (include version):
N/A, cert is stored on fw appliance

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Sophos UTM 9.6

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
N/A

There are a lot of new Letsencrypt certificates - https://check-your-website.server-daten.de/?q=corpus-sireo.com#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2019-11-06 | 2020-02-04 | corpus-sireo.com, www.corpus-sireo.com - 2 entries | duplicate nr. 5 | next Letsencrypt certificate: 2019-11-13 01:54:26 |
| Let’s Encrypt Authority X3 | 2019-11-06 | 2020-02-04 | corpus-sireo.com, www.corpus-sireo.com - 2 entries | duplicate nr. 4 | |
| Let’s Encrypt Authority X3 | 2019-11-06 | 2020-02-04 | corpus-sireo.com, www.corpus-sireo.com - 2 entries | duplicate nr. 3 | |
| Let’s Encrypt Authority X3 | 2019-11-06 | 2020-02-04 | corpus-sireo.com, www.corpus-sireo.com - 2 entries | duplicate nr. 2 | |
| Let’s Encrypt Authority X3 | 2019-11-06 | 2020-02-04 | corpus-sireo.com, www.corpus-sireo.com - 2 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2019-09-07 | 2019-12-06 | corpus-sireo.com, www.corpus-sireo.com - 2 entries | | |

So if /var/storage/chroot-reverseproxy/var/lib/dehydrated/cert_data/certs/www.corpus-sireo.com/cert-1573008853.pem doesn’t exist, your installation looks corrupt.

Certificate creation has worked. So it’s only an installation problem. But if you have deleted these certificates, you may have to wait. Read
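One way to answer Alex's original question of when the duplicate-certificate window frees up, as an added example that is not from this thread, Sophos or dehydrated: it assumes the Duplicate Certificate limit documented at https://letsencrypt.org/docs/rate-limits/ at the time (5 certificates per rolling 7 days for the exact same set of hostnames) and uses issuance times constructed from the CT-log table above, with the times of day invented so the result lines up with the checker's "next LE" value.

```python
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# Duplicate Certificate limit as documented at letsencrypt.org/docs/rate-limits/
# when the thread was written: 5 per rolling 7 days for the exact set of names.
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)


def domain_set_key(domains: Iterable[str]) -> Tuple[str, ...]:
    """Normalise a SAN list so only the exact set of hostnames is compared,
    which is what 'exact set of domains' in the 429 error refers to."""
    return tuple(sorted(d.strip().lower().rstrip(".") for d in domains))


def next_allowed_issuance(issued: List[Tuple[datetime, List[str]]],
                          domains: Iterable[str], now: datetime,
                          limit: int = DUPLICATE_LIMIT,
                          window: timedelta = WINDOW) -> Optional[datetime]:
    """Return None if a certificate for `domains` could be issued at `now`,
    else the earliest time a slot opens. `issued` holds (notBefore, hostnames)
    pairs, e.g. collected from CT logs such as crt.sh."""
    key = domain_set_key(domains)
    in_window = sorted(ts for ts, names in issued
                       if domain_set_key(names) == key and now - window < ts <= now)
    if len(in_window) < limit:
        return None
    # Only limit-1 may remain in the window, so wait until the limit-th newest
    # in-window issuance has aged out of it.
    return in_window[-limit] + window


# Constructed sample data: the CT-log table above lists five duplicates dated
# 2019-11-06 plus one from 2019-09-07. Times of day are invented here, chosen
# so the result matches the "next LE" value the checker tool reported.
NAMES = ["corpus-sireo.com", "www.corpus-sireo.com"]
ISSUED = [
    (datetime(2019, 9, 7, 3, 0, 0), NAMES),
    (datetime(2019, 11, 6, 1, 54, 26), NAMES),
    (datetime(2019, 11, 6, 2, 10, 0), list(reversed(NAMES))),  # SAN order is irrelevant
    (datetime(2019, 11, 6, 2, 30, 0), NAMES),
    (datetime(2019, 11, 6, 2, 54, 13), NAMES),
    (datetime(2019, 11, 6, 3, 20, 0), NAMES),
]
NOW = datetime(2019, 11, 7, 1, 34, 13)  # time of the 429 in the first log excerpt


def example() -> Optional[datetime]:
    """Earliest time the exact set NAMES can be issued again (None = now)."""
    return next_allowed_issuance(ISSUED, NAMES, NOW)
```

A certificate for a different exact set (for instance the bare domain alone) is not counted against this window, which is why the function keys on the normalised set rather than on any single hostname.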

Thanks Jürgen, then I'm going to wait till the rate limit resets in the next 7 days :wink:

Best Regards
Alex