Unable to renew (thanks to rate limit?)


#1

About 1.5 weeks ago I started to notice that for some reason the win-acme client is unable to renew the certificates. Back then the logging was not verbose enough, so I don’t know what the initial issue was, but at the moment I’m getting the code 429.

According to crt.sh (https://crt.sh/?q=%.gallup.ee), Task Scheduler has been trying daily to get the update through. The server’s Event Log confirms that.

Turning up the verbosity reveals this:
Error creating new cert :: too many certificates already issued for exact set of domains

What I don’t understand is what kind of limit am I hitting? And why?
Is it the duplicate limit? Shouldn’t the renewals be completed no matter what?


#2

This looks really bad. You hit the

Duplicate Certificate limit of 5 certificates per week

But:

https://crt.sh/?id=477501939 is a pre-certificate
https://crt.sh/?id=477501762 is a correct leaf certificate.

So you should have a correct certificate for live.gallup.ee - you can use it and ignore the limit.

Same with https://crt.sh/?id=477502468 for online.gallup.ee

Why does the tool start new renewals daily? Looks like the tool is broken.


#3

It’s how win-acme is configured by default. It starts daily, but you can set a threshold - if the current certificate is newer, the update is skipped. That way it’s safe to run it daily, as the update happens only when it’s necessary.

As it was unable to complete the update, it tried to do it every day and eventually crossed the limit.

Sadly, the server still has the certificate from this request - https://crt.sh/?id=367674962

Does it mean that if I let it mellow for a week, everything goes back to normal?


#4

I don’t think so. It looks like the tool is broken. Letsencrypt finishes the certificate order.

But every tool must download the certificate and bind it to the private key.

In Windows, the certificate must be saved under “Webhosting” (Machine Certificate Store). Then the binding element of the website has to be changed.

It’s possible that you can find the certificate on your disk and do these steps manually.

Is there no log of what this tool is doing, where the certificates are saved and when it crashed?
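The bookkeeping the thread circles around, as an added example that is not part of this thread or of win-acme: a daily renewal task that first applies the "current certificate is still new enough" threshold from #3 and then counts leaf certificates for the exact same name set in the trailing week against the 5-per-week Duplicate Certificate limit from #2, so that it installs the certificate that was already issued instead of ordering a sixth one. The log records are constructed, the 30-day renewal threshold is an assumed value, and treating a pre-certificate and its leaf as one issuance follows #2's reading of the crt.sh entries.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5        # Let's Encrypt: 5 certificates per week for the exact same set of names
WINDOW = timedelta(days=7)

@dataclass(frozen=True)
class LoggedCert:
    """One CT log entry as seen on crt.sh (constructed record, not real crt.sh output)."""
    names: frozenset         # exact SAN set; the duplicate limit keys on the whole set
    not_before: datetime
    precert: bool            # crt.sh lists the pre-certificate and the leaf as separate entries

def duplicate_count(log, names, now):
    """Leaf certificates for exactly `names` issued in the trailing 7 days.
    Pre-certificates are skipped: the leaf and its pre-certificate belong to one
    issuance (assumption, following the thread's reading of the crt.sh entries)."""
    names = frozenset(names)
    return sum(1 for c in log
               if not c.precert and c.names == names and now - WINDOW < c.not_before <= now)

def renewal_decision(current_not_after, log, names, now, renew_before=timedelta(days=30)):
    """What a daily scheduled renewal task should do. Returns (action, reason).
    renew_before is the threshold from #3; 30 days is an assumed value."""
    remaining = current_not_after - now
    if remaining > renew_before:
        return "skip", f"installed certificate is still valid for {remaining.days} days"
    issued = duplicate_count(log, names, now)
    if issued >= DUPLICATE_LIMIT:
        return "install-existing", (f"{issued} certificates for this exact name set were issued "
                                    "this week; install the newest one instead of ordering again")
    return "renew", f"{issued}/{DUPLICATE_LIMIT} duplicates used this week"

if __name__ == "__main__":
    now = datetime(2018, 5, 17, 12, 0)
    names = frozenset(["live.gallup.ee"])
    # Constructed log: five daily issuances this week, each logged as precert + leaf.
    log = [LoggedCert(names, now - timedelta(days=d + 1), precert=p)
           for d in range(5) for p in (True, False)]
    print(duplicate_count(log, names, now))                       # 5, not 10
    print(renewal_decision(now + timedelta(days=10), log, names, now))
```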


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.