'Too Many Certs Issued' but no certs current in crt.sh

My “beginner’s info”:

My domain is: *.destroyernet.com

I ran this command: certbot certonly --manual --preferred-challenges=dns --email cfranz@hydraulicitsolutions.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.destroyernet.com

It produced this output: An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.destroyernet.com: see https://letsencrypt.org/docs/rate-limits/

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.39.0

ETA: I waited the customary week after initially getting this error but it made no difference. The last cert crt.sh shows is the one that just expired (that I was trying to renew).


Hi @cfranz

read

crt.sh doesn't show new certificates. You can use "check your website" (own tool) or the Google CT monitor to find new certificates.


Hi,

The crt.sh database is undergoing some maintenance, so certificates are not shown correctly in this case.
You can try to use Google’s CT search tool.
https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_subdomains:false;domain:destroyernet.com&lu=cert_search

From the link below, you can see that you’ve had 5 certificates issued in the past 6 days, and the next one you can get on 2019-12-14 01:58:02 (not sure what timezone it’s in; I think it’s my local timezone).

@JuergenAuer Already done 🙂

Thank you

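Added example, not part of the original thread or of any poster's reply: the sliding-window arithmetic behind the "next one you can get" date above, assuming the limit the thread describes (5 certificates per 7 days for an exact set of names). The function names and the issuance timestamps are constructed for illustration; the real CT entries are not on this page.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=7)  # assumption from the thread: limit is counted over 7 days
LIMIT = 5                   # assumption from the thread: 5 certs per exact name set
UTC = timezone.utc

def name_set(names):
    """Normalise a certificate's names to the 'exact set' the limit is keyed on."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)

def next_allowed(issued, names, now):
    """Return `now` if another duplicate may be ordered, else the earliest time it may.

    issued: iterable of (issuance_time, [dns_names]) copied from a CT search.
    """
    target = name_set(names)
    recent = sorted(t for t, sans in issued
                    if name_set(sans) == target and now - t < WINDOW)
    if len(recent) < LIMIT:
        return now
    # A slot frees up when the LIMIT-th most recent issuance leaves the window.
    return recent[-LIMIT] + WINDOW

# Constructed sample data (UTC assumed); not the real CT log entries.
SAMPLE = [
    (datetime(2019, 12, 7, 1, 58, 2, tzinfo=UTC), ["*.destroyernet.com"]),
    (datetime(2019, 12, 7, 2, 40, 0, tzinfo=UTC), ["*.destroyernet.com"]),
    (datetime(2019, 12, 7, 3, 15, 0, tzinfo=UTC), ["*.DestroyerNet.com"]),
    (datetime(2019, 12, 8, 9, 0, 0, tzinfo=UTC), ["*.destroyernet.com"]),
    (datetime(2019, 12, 8, 9, 30, 0, tzinfo=UTC), ["*.destroyernet.com"]),
    # Different name set: does not count against the wildcard-only set.
    (datetime(2019, 12, 9, 12, 0, 0, tzinfo=UTC),
     ["destroyernet.com", "*.destroyernet.com"]),
]

if __name__ == "__main__":
    now = datetime(2019, 12, 13, 18, 0, 0, tzinfo=UTC)
    print("wildcard only:", next_allowed(SAMPLE, ["*.destroyernet.com"], now))
    print("apex + wildcard:",
          next_allowed(SAMPLE, ["destroyernet.com", "*.destroyernet.com"], now))
```
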

I see. That explains a lot. I'm curious as to why I have so many when they don't actually go to anything; I did a number of attempted renewals but got this error:

Attempting to renew cert (destroyernet.com) from /etc/letsencrypt/renewal/destroyernet.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/destroyernet.com/fullchain.pem (failure)

...so I then learned that you can't do an autorenew with wildcards; you need to use the --manual certonly method you used to get the initial wildcard cert. So each of these generated a cert even though it said it failed?


That's probably not true.
Your certificate was issued on Dec 7th... Not today.

Can you check if there's any other server that has an up-to-date certificate?

P.S. If your DNS provider has an API and any ACME client supports that API, you can easily use that client to automate the issuance.

Thanks


Correct, that's when I first tried renewing the cert. I waited the requisite week to be able to reapply. I guess it's 7 days and not 5 that I have to wait.


Lit it up this afternoon. Thanks to everyone for helping.
