Unable to renew with "certbot-auto certonly"

My domain is: *.gettoeat.com

I ran this command: /usr/local/bin/certbot-auto certonly --manual -d *.gettoeat.com

It produced this output:

------------------------In the beginning---------------------------

Upgrading certbot-auto 0.34.2 to 0.37.2…
Replacing certbot-auto…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for gettoeat.com


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: y


Please deploy a DNS TXT record under the name
_acme-challenge.gettoeat.com with the following value:

4JGwX9xqwJMZ-7l267qJJeo4hhHm1lhB45xwQgUwKNk

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
An unexpected error occurred:
OSError: [Errno 17] File exists: '/etc/letsencrypt/archive/gettoeat.com/privkey2.pem'
Please see the logfiles in /var/log/letsencrypt for more details.

-----------------After I backed up and removed /etc/letsencrypt/archive/gettoeat.com/------------------

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
An unexpected error occurred:
OSError: [Errno 17] File exists: '/etc/letsencrypt/archive/gettoeat.com/privkey2.pem'
Please see the logfiles in /var/log/letsencrypt for more details.

---------------------------------After I tried many times-----------------------------------

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.gettoeat.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.


My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): Centos 7.6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot-auto 0.37.2

Please post the output of “sudo /usr/local/bin/certbot-auto certificates” and “sudo ls -alR /etc/letsencrypt/”.

1 Like
$ sudo /usr/local/bin/certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/gettoeat.com-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/gettoeat.com-0001/cert.pem to be a symlink. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: gettoeat.com
    Domains: *.gettoeat.com
    Expiry Date: 2019-08-27 00:22:21+00:00 (VALID: 18 hour(s))
    Certificate Path: /etc/letsencrypt/live/gettoeat.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gettoeat.com/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/gettoeat.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

and

$ sudo ls -alR /etc/letsencrypt/
/etc/letsencrypt/:
total 80
drwxr-xr-x.   9 root root  4096 Aug 26 13:44 .
drwxr-xr-x. 102 root root  8192 Aug 26 11:29 ..
drwx------.   4 root root    84 Nov  3  2018 accounts
drwx------.   5 root root    72 Aug 26 11:40 archive
drwxr-xr-x.   2 root root 16384 Aug 26 11:48 csr
drwx------.   2 root root 16384 Aug 26 11:48 keys
drwx------.   3 root root    38 May 29 09:30 live
-rw-r--r--.   1 root root  1591 May 28 08:46 options-ssl-apache.conf
-rw-r--r--.   1 root root  1143 Nov  3  2018 options-ssl-nginx.conf
drwxr-xr-x.   2 root root    59 May 29 09:22 renewal
drwxr-xr-x.   5 root root    40 Nov  3  2018 renewal-hooks
-rw-r--r--.   1 root root   424 Nov  3  2018 ssl-dhparams.pem
-rw-r--r--.   1 root root    64 May 28 08:46 .updated-options-ssl-apache-conf-digest.txt
-rw-r--r--.   1 root root    64 Nov  3  2018 .updated-options-ssl-nginx-conf-digest.txt
-rw-r--r--.   1 root root    64 Nov  3  2018 .updated-ssl-dhparams-pem-digest.txt

/etc/letsencrypt/accounts:
total 4
drwx------. 4 root root   84 Nov  3  2018 .
drwxr-xr-x. 9 root root 4096 Aug 26 13:44 ..
drwx------. 3 root root   22 Nov  3  2018 acme-staging-v02.api.letsencrypt.org
drwx------. 3 root root   22 Nov  3  2018 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org:
total 0
drwx------. 3 root root 22 Nov  3  2018 .
drwx------. 4 root root 84 Nov  3  2018 ..
drwx------. 3 root root 45 Nov  3  2018 directory

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory:
total 0
drwx------. 3 root root 45 Nov  3  2018 .
drwx------. 3 root root 22 Nov  3  2018 ..
drwx------. 2 root root 61 Nov  3  2018 ac8971981c35d968dfbb56270ffead9f

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory/ac8971981c35d968dfbb56270ffead9f:
total 12
drwx------. 2 root root   61 Nov  3  2018 .
drwx------. 3 root root   45 Nov  3  2018 ..
-rw-r--r--. 1 root root  107 Nov  3  2018 meta.json
-r--------. 1 root root 1632 Nov  3  2018 private_key.json
-rw-r--r--. 1 root root   85 Nov  3  2018 regr.json

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 0
drwx------. 3 root root 22 Nov  3  2018 .
drwx------. 4 root root 84 Nov  3  2018 ..
drwx------. 3 root root 45 Nov  3  2018 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 0
drwx------. 3 root root 45 Nov  3  2018 .
drwx------. 3 root root 22 Nov  3  2018 ..
drwx------. 2 root root 61 Nov  3  2018 44f3516774df49eeb42f284807a02448

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/44f3516774df49eeb42f284807a02448:
total 12
drwx------. 2 root root   61 Nov  3  2018 .
drwx------. 3 root root   45 Nov  3  2018 ..
-rw-r--r--. 1 root root  107 Nov  3  2018 meta.json
-r--------. 1 root root 1632 Nov  3  2018 private_key.json
-rw-r--r--. 1 root root   78 Nov  3  2018 regr.json

/etc/letsencrypt/archive:
total 8
drwx------. 5 root root   72 Aug 26 11:40 .
drwxr-xr-x. 9 root root 4096 Aug 26 13:44 ..
drwxr-xr-x. 2 root root   79 Aug 26 11:41 gettoeat.com
drwxr-xr-x. 2 root root   79 May 29 09:33 gettoeat.com-0001
drwxr-xr-x. 2 root root 4096 Mar  5 02:01 gettoeat.com-bak

/etc/letsencrypt/archive/gettoeat.com:
total 16
drwxr-xr-x. 2 root root   79 Aug 26 11:41 .
drwx------. 5 root root   72 Aug 26 11:40 ..
-rw-r--r--. 1 root root 2147 Aug 26 11:41 cert1.pem
-rw-r--r--. 1 root root 1647 Aug 26 11:41 chain1.pem
-rw-r--r--. 1 root root 3794 Aug 26 11:41 fullchain1.pem
-rw-r--r--. 1 root root 1704 Aug 26 11:41 privkey1.pem

/etc/letsencrypt/archive/gettoeat.com-0001:
total 16
drwxr-xr-x. 2 root root   79 May 29 09:33 .
drwx------. 5 root root   72 Aug 26 11:40 ..
-rw-r--r--. 1 root root 1907 May 29 09:22 cert1.pem
-rw-r--r--. 1 root root 1647 May 29 09:22 chain1.pem
-rw-r--r--. 1 root root 3554 May 29 09:22 fullchain1.pem
-rw-------. 1 root root 1704 May 29 09:22 privkey1.pem

/etc/letsencrypt/archive/gettoeat.com-bak:
total 52
drwxr-xr-x. 2 root root 4096 Mar  5 02:01 .
drwx------. 5 root root   72 Aug 26 11:40 ..
-rw-r--r--. 1 root root 2147 Nov  3  2018 cert1.pem
-rw-r--r--. 1 root root 2147 Nov  3  2018 cert2.pem
-rw-r--r--. 1 root root 1927 Mar  5 02:01 cert3.pem
-rw-r--r--. 1 root root 1647 Nov  3  2018 chain1.pem
-rw-r--r--. 1 root root 1647 Nov  3  2018 chain2.pem
-rw-r--r--. 1 root root 1647 Mar  5 02:01 chain3.pem
-rw-r--r--. 1 root root 3794 Nov  3  2018 fullchain1.pem
-rw-r--r--. 1 root root 3794 Nov  3  2018 fullchain2.pem
-rw-r--r--. 1 root root 3574 Mar  5 02:01 fullchain3.pem
-rw-r--r--. 1 root root 1704 Nov  3  2018 privkey1.pem
-rw-r--r--. 1 root root 1704 Nov  3  2018 privkey2.pem
-rw-r--r--. 1 root root 1704 Mar  5 02:01 privkey3.pem

/etc/letsencrypt/csr:
total 1944
drwxr-xr-x. 2 root root 16384 Aug 26 11:48 .
drwxr-xr-x. 9 root root  4096 Aug 26 13:44 ..
-rw-r--r--. 1 root root   920 Nov  3  2018 0000_csr-certbot.pem
-rw-r--r--. 1 root root   920 Nov  3  2018 0001_csr-certbot.pem
-rw-r--r--. 1 root root   936 Nov  3  2018 0002_csr-certbot.pem
-rw-r--r--. 1 root root   944 Jan 13  2019 0003_csr-certbot.pem
-rw-r--r--. 1 root root   920 Mar  5 01:24 0004_csr-certbot.pem
-rw-r--r--. 1 root root   936 Mar  5 01:24 0005_csr-certbot.pem
-rw-r--r--. 1 root root   944 Mar  5 01:40 0006_csr-certbot.pem
-rw-r--r--. 1 root root   920 Mar  5 01:46 0007_csr-certbot.pem
-rw-r--r--. 1 root root   936 Mar  5 01:46 0008_csr-certbot.pem
-rw-r--r--. 1 root root   944 Mar  5 01:47 0009_csr-certbot.pem
-rw-r--r--. 1 root root   936 Mar  5 02:04 0010_csr-certbot.pem
(... with similar files)
-rw-r--r--. 1 root root   924 Aug 26 11:42 0478_csr-certbot.pem
-rw-r--r--. 1 root root   924 Aug 26 11:48 0479_csr-certbot.pem

/etc/letsencrypt/keys:
total 1944
drwx------. 2 root root 16384 Aug 26 11:48 .
drwxr-xr-x. 9 root root  4096 Aug 26 13:44 ..
-rw-------. 1 root root  1704 Nov  3  2018 0000_key-certbot.pem
-rw-------. 1 root root  1704 Nov  3  2018 0001_key-certbot.pem
-rw-------. 1 root root  1704 Nov  3  2018 0002_key-certbot.pem
-rw-------. 1 root root  1704 Jan 13  2019 0003_key-certbot.pem
-rw-------. 1 root root  1704 Mar  5 01:24 0004_key-certbot.pem
-rw-------. 1 root root  1704 Mar  5 01:24 0005_key-certbot.pem
-rw-------. 1 root root  1704 Mar  5 01:40 0006_key-certbot.pem
-rw-------. 1 root root  1704 Mar  5 01:46 0007_key-certbot.pem
-rw-------. 1 root root  1704 Mar  5 01:46 0008_key-certbot.pem
-rw-------. 1 root root  1704 Mar  5 01:47 0009_key-certbot.pem
-rw-------. 1 root root  1704 Mar  5 02:04 0010_key-certbot.pem
(... with similar files)
-rw-------. 1 root root  1704 Aug 26 11:42 0478_key-certbot.pem
-rw-------. 1 root root  1704 Aug 26 11:48 0479_key-certbot.pem

/etc/letsencrypt/live:
total 8
drwx------. 3 root root   38 May 29 09:30 .
drwxr-xr-x. 9 root root 4096 Aug 26 13:44 ..
drwxr-xr-x. 2 root root   88 May 29 09:22 gettoeat.com
-rw-r--r--. 1 root root  740 May 29 09:22 README

/etc/letsencrypt/live/gettoeat.com:
total 4
drwxr-xr-x. 2 root root  88 May 29 09:22 .
drwx------. 3 root root  38 May 29 09:30 ..
lrwxrwxrwx. 1 root root  41 May 29 09:22 cert.pem -> ../../archive/gettoeat.com-0001/cert1.pem
lrwxrwxrwx. 1 root root  42 May 29 09:22 chain.pem -> ../../archive/gettoeat.com-0001/chain1.pem
lrwxrwxrwx. 1 root root  46 May 29 09:22 fullchain.pem -> ../../archive/gettoeat.com-0001/fullchain1.pem
lrwxrwxrwx. 1 root root  44 May 29 09:22 privkey.pem -> ../../archive/gettoeat.com-0001/privkey1.pem
-rw-r--r--. 1 root root 692 May 29 09:22 README

/etc/letsencrypt/renewal:
total 12
drwxr-xr-x. 2 root root   59 May 29 09:22 .
drwxr-xr-x. 9 root root 4096 Aug 26 13:44 ..
-rw-r--r--. 1 root root  560 May 29 09:22 gettoeat.com-0001.conf
-rw-r--r--. 1 root root  557 Mar  5 02:01 gettoeat.com.conf

/etc/letsencrypt/renewal-hooks:
total 4
drwxr-xr-x. 5 root root   40 Nov  3  2018 .
drwxr-xr-x. 9 root root 4096 Aug 26 13:44 ..
drwxr-xr-x. 2 root root    6 Nov  3  2018 deploy
drwxr-xr-x. 2 root root    6 Nov  3  2018 post
drwxr-xr-x. 2 root root    6 Nov  3  2018 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 0
drwxr-xr-x. 2 root root  6 Nov  3  2018 .
drwxr-xr-x. 5 root root 40 Nov  3  2018 ..

/etc/letsencrypt/renewal-hooks/post:
total 0
drwxr-xr-x. 2 root root  6 Nov  3  2018 .
drwxr-xr-x. 5 root root 40 Nov  3  2018 ..

/etc/letsencrypt/renewal-hooks/pre:
total 0
drwxr-xr-x. 2 root root  6 Nov  3  2018 .
drwxr-xr-x. 5 root root 40 Nov  3  2018 ..

Thank you!

Those links need to point to the files in ../../archive/gettoeat.com/, not ../../archive/gettoeat.com-0001/. Otherwise Certbot gets confused.

Edit:

Eventually, it would be worth cleaning up the old configuration file in /etc/letsencrypt/renewal/ and the old directories in /etc/letsencrypt/archive/. But fixing things now is what's important.

2 Likes
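The symlink fix described above, as an added check script (not from the thread and not Certbot's own code): check_lineage verifies a lineage's live/ links the way the "expected ... to be a symlink" error implies Certbot does, fix_links repoints them, and make_fixture builds a constructed copy of the layout from the ls output in a temp directory. Function names and the fixture are assumptions.

```shell
# check_lineage CONFIG_DIR NAME: each file in live/NAME/ must be a symlink into
# archive/NAME/, all four must carry the same version number, and the next
# version must not already exist in the archive (the "File exists:
# .../privkey2.pem" failure shown earlier in the thread).
check_lineage() {
    root=$1; name=$2; ok=0; ver=""
    for f in cert chain fullchain privkey; do
        link="$root/live/$name/$f.pem"
        if [ ! -L "$link" ]; then
            echo "ERR: $link is not a symlink"; ok=1; continue
        fi
        target=$(readlink "$link")
        case "$target" in
            "../../archive/$name/$f"[0-9]*.pem) ;;
            *) echo "ERR: $link -> $target (want ../../archive/$name/${f}N.pem)"; ok=1; continue ;;
        esac
        [ -f "$link" ] || { echo "ERR: $link points at a missing file"; ok=1; }
        n=${target##*/$f}; n=${n%.pem}        # version number N from "<f>N.pem"
        [ -n "$ver" ] || ver=$n
        [ "$n" = "$ver" ] || { echo "ERR: $f.pem is version $n, others are $ver"; ok=1; }
    done
    if [ -n "$ver" ] && [ -e "$root/archive/$name/privkey$((ver + 1)).pem" ]; then
        echo "ERR: archive/$name/privkey$((ver + 1)).pem already exists; renewal would hit EEXIST"; ok=1
    fi
    [ "$ok" -ne 0 ] || echo "OK: live/$name -> archive/$name version $ver"
    return $ok
}

# fix_links CONFIG_DIR NAME N: repoint the four links at archive/NAME/<file>N.pem.
fix_links() {
    root=$1; name=$2; n=$3
    for f in cert chain fullchain privkey; do
        ln -sf "../../archive/$name/$f$n.pem" "$root/live/$name/$f.pem"
    done
}

# make_fixture: constructed copy of the thread's layout in a temp dir. live/gettoeat.com
# links into archive/gettoeat.com-0001 while the fresh files sit in archive/gettoeat.com.
make_fixture() {
    d=$(mktemp -d)
    for lin in gettoeat.com gettoeat.com-0001; do
        mkdir -p "$d/archive/$lin"
        for f in cert chain fullchain privkey; do echo "$lin $f" > "$d/archive/$lin/${f}1.pem"; done
    done
    mkdir -p "$d/live/gettoeat.com"
    for f in cert chain fullchain privkey; do
        ln -s "../../archive/gettoeat.com-0001/${f}1.pem" "$d/live/gettoeat.com/$f.pem"
    done
    echo "$d"
}
```

Run `check_lineage /etc/letsencrypt gettoeat.com` as root on a real box; the fixture only exists so the check can be tried without touching /etc/letsencrypt.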

Thank you, but no matter what I did, when I use the command certbot-auto certonly --manual -d *.gettoeat.com it always says:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.gettoeat.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

So what can I do now? The certificate is going to expire tomorrow; is it possible to fix this within one day? Thanks a lot!!

Hi @greenseedyo

You have already created 5 identical certificates ( https://check-your-website.server-daten.de/?q=gettoeat.com#ct-logs )

Issuer                     | not before | not after  | Domain names               | LE-Duplicate next LE
Let's Encrypt Authority X3 | 2019-08-26 | 2019-11-24 | *.gettoeat.com - 1 entries | duplicate nr. 4
Let's Encrypt Authority X3 | 2019-08-26 | 2019-11-24 | *.gettoeat.com - 1 entries | duplicate nr. 3
Let's Encrypt Authority X3 | 2019-08-26 | 2019-11-24 | *.gettoeat.com - 1 entries | duplicate nr. 2
Let's Encrypt Authority X3 | 2019-08-26 | 2019-11-24 | *.gettoeat.com - 1 entries | duplicate nr. 1

The last is missing.

All certificates today. Where are these? Use one of these.

Certonly -> the certificate isn't installed.

Did you restart your webserver?

1 Like

/etc/letsencrypt/archive/gettoeat.com/ appears to contain one of the certificates that was issued today, so fixing the symlinks should resolve that problem.

1 Like

@JuergenAuer Hi, what I did today was run the command /usr/local/bin/certbot-auto certonly --manual -d *.gettoeat.com many times, because I was trying to solve the errors, so I ran it again and again. I didn’t restart my webserver.

@mnordhoff Hi, I’ve tried to update the symlinks but it still does not work. The files in the archive/gettoeat.com/ dir are as follows:

-rw-r--r--. 1 root root 2147 Nov  3  2018 cert1.pem
-rw-r--r--. 1 root root 2147 Nov  3  2018 cert2.pem
-rw-r--r--. 1 root root 1927 Mar  5 02:01 cert3.pem
-rw-r--r--. 1 root root 1647 Nov  3  2018 chain1.pem
-rw-r--r--. 1 root root 1647 Nov  3  2018 chain2.pem
-rw-r--r--. 1 root root 1647 Mar  5 02:01 chain3.pem
-rw-r--r--. 1 root root 3794 Nov  3  2018 fullchain1.pem
-rw-r--r--. 1 root root 3794 Nov  3  2018 fullchain2.pem
-rw-r--r--. 1 root root 3574 Mar  5 02:01 fullchain3.pem
-rw-r--r--. 1 root root 1704 Nov  3  2018 privkey1.pem
-rw-r--r--. 1 root root 1704 Nov  3  2018 privkey2.pem
-rw-r--r--. 1 root root 1704 Mar  5 02:01 privkey3.pem

The dates are also in the past; none of them was generated today.

I’ve also tried to remove all the files in archive/, renewal/, and live/, but the result was still the same.

In your previous ls, the gettoeat.com directory contained a set of files from today, and the gettoeat.com-bak directory contained the three sets of older files.

Sorry, I didn’t make it clear.

Actually, the files in gettoeat.com are all copied from gettoeat.com-bak, because the error message said File exists: '/etc/letsencrypt/archive/gettoeat.com/privkey2.pem', so I moved gettoeat.com to gettoeat.com-bak and copied the privkey1.pem files back.

I’ve tried to restore gettoeat.com so that it is the same as gettoeat.com-bak, and updated the symlinks, but I still got the same error message.

Which error message? The one about the rate limit?

You’re not going to be able to issue more duplicate certificates until the rate limit is passed.

But if you use one of the five new certificates you already made, you won’t need to issue another one.

I see, but may I ask: after I choose a certificate listed on https://check-your-website.server-daten.de/?q=gettoeat.com#ct-logs, I couldn’t find any related privkey.pem in my filesystem. Is it possible to regenerate it? Thanks a lot!

Certbot stores two copies of each private key:

  1. The numerically named files in /etc/letsencrypt/keys/, and

  2. The privkey files in /etc/letsencrypt/archive/.

Do you still have them?

Yes! They are still in the keys/ directory, and I can match each of them by the date information.

I’ve tried to download one of them and put the .pem files together, copying chain.pem from the old valid one and generating fullchain.pem myself by concatenating cert.pem and chain.pem. Then I restarted nginx and opened the webpage, but the certificate was invalid (Chrome displayed NET::ERR_CERT_INVALID).

I wonder whether the downloaded files from https://check-your-website.server-daten.de/?q=gettoeat.com#ct-logs are missing something, because they are shorter than the old ones. The downloaded files look like:

-----BEGIN CERTIFICATE-----
MIIEYTCCA0mgAwIBAgISA6ZCE3wBQ1NFTONn6U6aMPHhMA0GCSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQDExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA4MjYwMjM0NTVaFw0xOTExMjQwMjM0NTVaMBkxFzAVBgNVBAMMDiouZ2V0dG9lYXQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw69UzIcd4GoxP6uZTuyKaUFQH9vRXb2kkyg/niJD0c30C0AIKly/ClrEGPQtmgP9M0oX1APdxDGpMdv0+pwURCl1fbin+IV6Fwr6EAndPtqRmBNgk0tJxU9wi1X9XTwOTlVz6TzJaG9/URls2ZDO7dDPTyH7j8l1kbXpJqU3/6TbCkLiREVOX7VPMrepoHbTUOkqDMEs0uuRn992TKZnyG7LELlnGZ2xRgUXagXoJig4DQ01lZ+g+vvbQ0L2nV3woDHybJn6u66pINz3SvsUjDG1sfZQYzZs7sTnpralOwDsnZh78COpEYvSW7q3pjYcSdwlKsVDDQ+aE6HO4mowgQIDAQABo4IBcDCCAWwwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQl+4Q4PfTcPgHqoCFCkwbCs0+y1DAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMBkGA1UdEQQSMBCCDiouZ2V0dG9lYXQuY29tMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMBMGCisGAQQB1nkCBAMBAf8EAgUAMA0GCSqGSIb3DQEBCwUAA4IBAQAjomFT2iL2Qnz0CQGHiR1Oy1uF1QAQ/ppOchFl8dlY3isYe/tcmIeb4f3jBIevlCDbFCRKKd86OHxZxJx6e7O+Ot7Yuqkt73qEPPUFsuDvYBZ2wSsizCIp+SkkpdFkUtM5t+NMrgdZ1dXul0QgT2pyU6huw5arXItC0tE4ZztPsv2CGmBB5vyLHCpTKBSGCBQgvrYFE/5G61wYKOSHVCK+YX/wLFBqJeXef0VvZjI96panQZN2+I4TXnLQ+0GDQv6X1TRoBeRWXLpqne3pvFefSwYiqBs348gjqX/yQ3qyFP3UnkHrcIKyTlHSYtF6m2LyUeTt7SLJyoF6gPPIOeI7-----END CERTIFICATE-----

After adding breaks:


and the old valid one is like:


The downloaded ones have 26 lines in total after adding breaks, and the old valid one has 31 lines. I don’t know if that’s where the problem is.

Is it possible to regenerate cert.pem with an openssl command? The corresponding csr files are still in /etc/letsencrypt/csr as well, but I’m not so familiar with generating the cert files…

What's the certificate you have downloaded?

Tested with my own certificate: Downloaded the pem file, added a .crt extension under Windows, then it's possible to open the certificate.

So

  • it's valid base64 and
  • it's a valid certificate

If not, Windows wouldn't be able to open the certificate.

PS: Checked the certificate you have downloaded.

That’s a precertificate, so you can’t use it.

Must check if there is a leaf certificate.

The problem is related to Certificate Transparency, and how Let’s Encrypt and many other CAs implement it.

  1. The CA issues a “precertificate”, which is just like the real certificate, except it has a special “poison” extension that tells clients it’s not a valid certificate.
  2. The CA submits the precertificate to some CT logs, getting back SCTs, proof that the precertificate exists and when they submitted it.
  3. The CA issues the real certificate, with a special extension containing the SCTs.
  4. Optionally, the CA may log the real certificate to CT logs, just for fun.

The precertificates cannot be used. The real certificates are bigger.

The website crt.sh is backlogged processing records from some CT logs, and consequentially final certificates from Let’s Encrypt do not show up quickly.

For your recent certificates, crt.sh only has the precertificates available to download.

The good news is that you can get the serial numbers from crt.sh and then use those to download the real certificates from Let’s Encrypt.

For example, your most recent (pre)certificate:

https://crt.sh/?id=1810947597

Serial number:

03:c3:bb:49:de:e5:2a:fc:5f:6a:28:88:78:76:2e:cf:d3:fb

Remove the colons and get:

03c3bb49dee52afc5f6a288878762ecfd3fb

And download the certificate (and intermediate) from:

https://acme-v02.api.letsencrypt.org/acme/cert/03c3bb49dee52afc5f6a288878762ecfd3fb

1 Like
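An added example (not from the thread, not from crt.sh or Certbot): a stdlib-only DER walk that tells a CT precertificate (poison extension 1.3.6.1.4.1.11129.2.4.3) from a final certificate (SCT list extension 1.3.6.1.4.1.11129.2.4.2), which is the check to run on a downloaded PEM before deploying it to a web server. The synthetic_cert helper builds a constructed, non-real certificate shell purely to exercise the parser; the function names are assumptions.

```python
import base64

# RFC 6962 extension OIDs as DER content bytes (the part after the 0x06 tag/length).
OID_CT_POISON = bytes.fromhex("2b06010401d679020403")    # 1.3.6.1.4.1.11129.2.4.3
OID_CT_SCT_LIST = bytes.fromhex("2b06010401d679020402")  # 1.3.6.1.4.1.11129.2.4.2

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = der_read(value, pos)
        yield tag, child

def certificate_extensions(cert_der):
    """Map extension OID bytes -> (critical, extnValue) from tbsCertificate."""
    _, cert, _ = der_read(cert_der)                     # Certificate ::= SEQUENCE
    _, tbs = next(der_children(cert))                   # tbsCertificate ::= SEQUENCE
    exts = {}
    for tag, field in der_children(tbs):
        if tag != 0xA3:                                 # extensions [3] EXPLICIT
            continue
        _, ext_seq = next(der_children(field))
        for _, ext in der_children(ext_seq):
            parts = list(der_children(ext))             # OID, [BOOLEAN], OCTET STRING
            critical = len(parts) == 3 and parts[1][1] == b"\xff"
            exts[parts[0][1]] = (critical, parts[-1][1])
    return exts

def classify_ct(cert_der):
    """A cert carrying the CT poison extension is a precertificate: unusable for TLS."""
    exts = certificate_extensions(cert_der)
    if OID_CT_POISON in exts:
        return "precertificate"
    if OID_CT_SCT_LIST in exts:
        return "final certificate (embedded SCTs)"
    return "final certificate (no CT extensions)"

def pem_to_der(pem):
    """Decode PEM text, whether wrapped at 64 columns or on one line as downloaded."""
    body = pem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "")
    return base64.b64decode("".join(body.split()))

def der(tag, content):
    """Tiny DER encoder, used only to build the constructed test input below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def synthetic_cert(ext_oids):
    """Constructed, NOT a real certificate: an empty X.509 shell carrying only the
    given extensions (each marked critical with a NULL value, like the poison one)."""
    exts = b"".join(der(0x30, der(0x06, oid) + der(0x01, b"\xff") + der(0x04, der(0x05, b"")))
                    for oid in ext_oids)
    empty = der(0x30, b"")
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")   # version v3, serial 1
           + empty * 5                         # sigalg, issuer, validity, subject, spki
           + der(0xA3, der(0x30, exts)))
    return der(0x30, der(0x30, tbs) + empty + der(0x03, b"\x00"))
```

On a real download, `classify_ct(pem_to_der(open("downloaded.pem").read()))` answers "precertificate" for the crt.sh file discussed above and a "final certificate" string for the one fetched from the ACME certificate URL.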

As an alternative, you can avoid the duplicate certificate rate limit by issuing a new certificate that is not a duplicate – such as getting a certificate for the two names "gettoeat.com and *.gettoeat.com" instead of just “*.gettoeat.com”.

I’m leery of issuing a new certificate until after confirming Certbot’s files are consistent and saving it will actually work, though. Don’t want this whole thing to happen again.

You could try issuing a new certificate with --staging to use the Let’s Encrypt staging environment. (It issues test certificates that aren’t trusted, but it has high rate limits.) If it works, you could replace it with a proper certificate.

By the way, regarding deleting a certificate and its files. There are two risks: If you do it incorrectly, Certbot will get confused. And if you still need the certificate, you’re in trouble.

certbot delete is Certbot’s supported way to delete a certificate. That avoids Certbot confusing itself, but it doesn’t solve external problems – like if your web server is still configured to use the certificate, so it won’t work if the files no longer exist, or if you later discover you still need it.

Thanks for the detailed instruction, and finally the certificate works!!

I will try using --staging next time, and try not to let the Certbot get confused.

I appreciate your help, thank you so much!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.