Unable to renew cert (too many certificates already issued for exact set of domains)

Since few weeks, i can’t renew few of my certs who have the same domain.
I have this message: “There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains”.
And when i check one of this, i see a lot of certs:

How can i fix this ?

Hi @baptiste,

You didn’t give too much info but seems the renews follow a pattern (once on Tuesday, twice on Wednesday, twice on Thursday and once on Saturday) and so on… you shoud check if you have a task, cronjob, etc. in your server and review what the automated command does because it is not checking whether the certs need to be renewed, it is renewing them always.

Good luck,

Hi @sahsanu,
Thanks for your reply. Indeed, I have a crontab every monday who try to renew all certs who gonna expires.
I just came to disable this cron. When i will be able to renew my certs ?
Wich info do you need ?
Have a nice day.

You're demonstrably creating certificates twice a day, though, not just on Mondays.

It's actually recommended to check twice a day, not once a week, but only to check twice a day, not to create unnecessary certificates.

Please fill in the rest of the help information.

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

1 Like

None of the certs you are showing in the screenshot have been renewed on Monday so, are you sure this is the only cron job running in your server? If it is, are you sure it is running only every Monday?.

You should already have your certs renewed. I don't know if the certificates showed in the screenshot are for the same subset of domains but next Tuesday seems a good date to be able to renew them.


In my crontab i have:
0 0 * * 1 /scripts/renewCerts.sh >/dev/null 2> /var/log/cron.error.log
My script renew and send an email with the output of the script.
I use certbot, it’s can be him who try to renew ?

What does /scripts/renewCerts.sh do


Have you ensured that no other cron jobs or systemd timers exist?

And the other information requested?

renewCerts.sh doing this:
if [ -f $tmpFile ]; then
rm $tmpFile
certbot renew --post-hook “/usr/sbin/service nginx reload” > tmpFile 2>&1 sed -i 's//
/’ tmpFile tmpContent=(cat tmpFile) renewed=(cat tmpFile | sed '1,/:/d' | sed ' d’ | sed ‘s/^[ \t]//;s/[ \t]$//’)
/usr/sbin/sendmail -F “letsencrypt@$HOSTNAME” -f “LetsEncrypt” -t “who@host.ext” << EOM
Subject: [LETSENCRYPT] Renouvellement des certificats
Content-type: text/html; charset=utf-8

<h1>Résumé :</h1>
<h1>Détails :</h1>

if [ -f $tmpFile ]; then
        rm $tmpFile

I dont know wich jobs or systemd can try to renew.

Two days ago, i have disable renewCerts.sh in my crontab, but…
Have a nice day

More information about one of this ID:

So you definitely must have something else trying to get these certificates. It’s interesting to see that the issuance events happen at about two different times of day, around 23:00 or 10:00 UTC. (The certificate notBefore date will be set to one hour prior to the true issuance time to reduce problems for clients that have their time set incorrectly.)

What kind of software runs on this machine? Are you using any sort software like Caddy or cPanel that might include its own certifical-renewal code?

I haven’t any pannel, i use certbot standalone, nginx and crontab for automatization.
Can i see who try to renew ? By IP or by any other information ?

@cpu, do you think we can give out any more information about that?

By the way, they actually succeed when they try, so they must have a considerable level of control over your domain name. :slight_smile:

I’m hesitant to give out specifics like IP addresses or email addresses. I can say the following:

  1. it seems to always be the same UA, Certbot 0.10.2, requesting a new-cert for the www.web01.pixelads.fr domain (and other pixellads.fr domains)
  2. it’s always the same ACME account, even for the requests hitting the rate limit (I assume some of those must be the OP). The account email is something at the base domain being requested.
  3. the requests all come from the same IPv6 address

I’m not sure how to suggest @baptiste finds this certbot installation. It certainly seems like there is one that is going off-the-rails.

Thanks, that seems like useful information.

How many time i must wait to can renew my certs ?
If i remove certbot from my server during one week, i gonna haven’t any renew ? Can i keep my certs ?
This solution is the last one :slight_smile:
Thanks for all

Maybe you can look in /var/log/letsencrypt to see if you have evidence that Certbot is somehow still being run on this system? Every time it runs, it should create a new log file there.

After verification, since i have remove certbot from my server, i haven’t any renew.
How many time i must wait before i can renew ?

up, exactly same issue here :frowning:

@baptiste, according to my calculations, you should be able to renew already. Of course, it would be great to understand why the previous unintended renewals were happening and where those certificates were going.