Too Many Request Error but didn't create any certs?

Hi
this is my error:

```
Requesting new certificate order…
new-order error: HTTP/1.1 100 Continue
Expires: Mon, 08 Apr 2019 20:40:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 429 Too Many Requests
Server: nginx
Content-Type: application/problem+json
Content-Length: 266
Boulder-Requester: 44558126
Link: ;rel="index"
Replay-Nonce: IrCBgMqLuJc_SJwRbbtXWfbIsiVyP_t01fOcBT9IpCM
Expires: Mon, 08 Apr 2019 20:40:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 08 Apr 2019 20:40:26 GMT
Connection: close

{
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many certificates already issued for exact set of domains: dinapolilevels.com,www.dinapolilevels.com: see https://letsencrypt.org/docs/rate-limits/",
"status": 429
}. Exiting…
```

But according to https://crt.sh/?q=dinapolilevels.com I didn’t issue any today, so why can’t I create a new one?

If there are too many existing, how can I get the private key?
I would really appreciate help.
Thanks
Ari

Hi @Ari-k, welcome to the community forum :wave:

It's not obvious but you need to update your crt.sh query to use a %. wildcard prefix. E.g. %.dinapolilevels.com.

Doing that will show five identical certificates issued on 2019-04-07 in the crt.sh output. That matches the duplicate certificate rate limit and the error message you received.

Do you know how those certificates were created?

Yesterday 2019-04-07 I was canceling Webflow.com hosting which was with a certificate. When I was done and moved to new hosting zenbox.pl I tried to issue the certificate through them but I was getting the same error back.
I have an option to manually add SSL but I can’t access the existing certifications nor can I create a new one. I’m in a loop :frowning:

What can I do?
Can I prove that I own the domain and get access to those existing somehow? Or revoke/delete them and issue a new one?

Nope, Let's Encrypt doesn't ever possess users' private keys—they exist only on your own server. If you don't have appropriate access to the server or if the private key has been deleted, there's no way that we can get you access to the private key.

Also, as our rate limits page explains,

> Revoking certificates does not reset rate limits, because the resources used to issue those certificates have already been consumed.

You'll need to wait a week, or issue a certificate containing a different combination of names, or request a certificate from a different CA.

How can I do that?

What other CA has a free cert I can use for a week while waiting?

You could add an extra subdomain like example.dinapolilevels.com; in that case this rate limit wouldn't prevent the issuance of the certificate for all three names.

I've never used it, but I know Buypass Go SSL is a free publicly-trusted certificate provider that's compatible with the ACME protocol that Let's Encrypt uses.
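
The rate-limit reasoning from the replies above, as an added example that is not part of any post in this thread: it reads the `rateLimited` problem document, counts issuances for the exact name set inside a 7-day window, and shows that adding a third name puts the order under a different set. The helper names, the issuance times and the limit of 5 per 7 days are assumptions; the detail-string parsing relies on the message wording shown in the thread.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Assumption: the duplicate-certificate limit as it applied in this thread,
# 5 certificates per exact set of names per 7 days.
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)

# Problem document from the thread (quotes normalised to plain ASCII).
PROBLEM = json.dumps({
    "type": "urn:ietf:params:acme:error:rateLimited",
    "detail": "Error creating new order :: too many certificates already issued "
              "for exact set of domains: dinapolilevels.com,www.dinapolilevels.com: "
              "see https://letsencrypt.org/docs/rate-limits/",
    "status": 429,
})

def name_set(names):
    """Names compare as a case-insensitive set: order does not matter."""
    return frozenset(n.strip().lower() for n in names)

def rate_limited_names(problem_json):
    """Return the name set a rateLimited problem complains about, else None."""
    problem = json.loads(problem_json)
    if problem.get("type") != "urn:ietf:params:acme:error:rateLimited":
        return None
    # Relies on the wording of the detail message seen in the thread.
    m = re.search(r"exact set of domains: (\S+): see ", problem.get("detail", ""))
    return name_set(m.group(1).split(",")) if m else None

def earliest_retry(issued, names, now):
    """issued: (issue time, SAN list) pairs. None means an order for `names`
    is under the limit now; otherwise the time the window frees a slot."""
    target = name_set(names)
    recent = sorted(t for t, sans in issued
                    if name_set(sans) == target and now - t < WINDOW)
    if len(recent) < DUPLICATE_LIMIT:
        return None
    return recent[len(recent) - DUPLICATE_LIMIT] + WINDOW

# Constructed issuance times: the thread only says five on 2019-04-07.
UTC = timezone.utc
ISSUED = [(datetime(2019, 4, 7, h, 0, tzinfo=UTC),
           ["www.dinapolilevels.com", "dinapolilevels.com"]) for h in (9, 11, 13, 15, 17)]
NOW = datetime(2019, 4, 8, 20, 40, 26, tzinfo=UTC)  # Date header of the 429

if __name__ == "__main__":
    names = rate_limited_names(PROBLEM)
    print("blocked until:", earliest_retry(ISSUED, names, NOW))
    print("with extra name:", earliest_retry(ISSUED, names | {"example.dinapolilevels.com"}, NOW))
```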

Thank you for the idea of using another CA. In the end I used cloudflare.com and their shared SSL that comes with a free plan. Website https://dinapolilevels.com/ is secure again :slight_smile:

You also need a valid certificate on your origin server to secure the connection between Cloudflare’s CDN servers and the origin.

For that, you can use Let’s Encrypt (returning to the original problem), another CA, or Cloudflare’s Origin CA.

Without a valid certificate on the origin, and the SSL setting in Cloudflare’s dashboard set to “Full (strict)”, the website isn’t fully secure.
