"Too many certificates" using caddy and docker


#1

Hi,
I am running caddy as a reverse proxy using docker (https://hub.docker.com/r/zzrot/alpine-caddy/). As it is my first time using caddy and I am not a docker expert, I destroyed and created the container several times, so new certificates were created each time. Now, I have made volumes in order to store the certificate keys in the host to avoid creating new ones each time, but it’s too late. I get the error “too many certificates already issued for exact set of domains: jenkins.dirtydevelopers.org”. I tried to search in the documentation but I didn’t find how to solve it.
Do you know how I can delete those certificates to have the possibility to create new ones?

Thanks


#2

Hi,

In this case, you hit the rate limit for this week. Please try again next week (7 days).

The main limit is Certificates per Registered Domain (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.

Thank you


#3

It sounds like the rate limit you hit is rather this one:

We also have a Duplicate Certificate limit of 5 certificates per week. A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names by adding [blog.example.com], you would be able to request additional certificates.

So as a workaround you could add an additional subdomain to the certificate if you need to get a new certificate without waiting 7 days.
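
The two limits quoted in #2 and #3 can be checked before a request is sent. The script below is an added example, not code from Caddy or Let's Encrypt: it replays a constructed issuance history (made-up dates and names) and reports which limit a new request for a given name set would hit, treating a name set as a duplicate when it matches ignoring case and order. The tiny PUBLIC_SUFFIXES set stands in for the real Public Suffix List, which a production check would have to use.

```python
from collections import Counter
from datetime import datetime, timedelta

# Limits as quoted in this thread.
DUPLICATE_LIMIT = 5            # identical name sets per week
PER_DOMAIN_LIMIT = 20          # certificates per registered domain per week
WINDOW = timedelta(days=7)

# Tiny stand-in for the Public Suffix List (assumption: a real check uses the full list).
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}

# Constructed issuance history for the example: (issued_at, names). Not real data.
NOW = datetime(2017, 3, 10)
ISSUED = [
    (datetime(2017, 3, 1), ["jenkins.dirtydevelopers.org"]),   # outside the 7-day window
    (datetime(2017, 3, 4), ["jenkins.dirtydevelopers.org"]),
    (datetime(2017, 3, 5), ["JENKINS.dirtydevelopers.org"]),   # same set: case is ignored
    (datetime(2017, 3, 6), ["jenkins.dirtydevelopers.org"]),
    (datetime(2017, 3, 7), ["jenkins.dirtydevelopers.org"]),
    (datetime(2017, 3, 8), ["jenkins.dirtydevelopers.org"]),
]

def name_set(names):
    """Identity of a certificate's name set: lowercase, order and trailing dot ignored."""
    return frozenset(n.lower().rstrip(".") for n in names)

def registered_domain(hostname):
    """Public suffix plus one label, e.g. new.blog.example.co.uk -> example.co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest matching suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])             # fallback when no suffix is known

def would_be_rate_limited(history, names, now=NOW):
    """Return the limits a new request for `names` would hit; [] means it is allowed."""
    recent = [ns for issued_at, ns in history if now - issued_at < WINDOW]
    hits = []
    wanted = name_set(names)
    if sum(1 for ns in recent if name_set(ns) == wanted) >= DUPLICATE_LIMIT:
        hits.append("duplicate certificate")
    per_domain = Counter(d for ns in recent for d in {registered_domain(n) for n in ns})
    for d in sorted({registered_domain(n) for n in names}):
        if per_domain[d] >= PER_DOMAIN_LIMIT:
            hits.append(f"certificates per registered domain: {d}")
    return hits

if __name__ == "__main__":
    print(would_be_rate_limited(ISSUED, ["jenkins.dirtydevelopers.org"]))  # ['duplicate certificate']
    print(would_be_rate_limited(ISSUED, ["ci.dirtydevelopers.org"]))       # []
```

Only the five recent certificates for the identical name set count; the one from 9 days earlier has aged out, and a request naming a different host (or the same host plus an extra one) passes.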


#4

Unfortunately it is not possible to take advantage of the SAN workaround with Caddy. :frowning:

Since you appear to be standing up a new service and not migrating an existing one to HTTPS, if you don’t want to wait a week or switch away from Caddy you could use a different subdomain like ci.dirtydevelopers.org instead.

P.S. if you know you’re going to have to redo things a couple of times it’s a good idea to use the staging server. It doesn’t give you real certificates so you’ll have to bypass certificate warnings during testing, but it has its own, much higher, rate limits so you can test things without worries.

caddy -ca https://acme-staging.api.letsencrypt.org/directory

or add this to your Caddyfile:

tls <email> {
  ca https://acme-staging.api.letsencrypt.org/directory
}
