Welcome to the Let's Encrypt Community, James
I just completely overhauled the Rate Limits page, but it hasn't been merged yet.
This is the limit you're hitting:
Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificate per Registered Domain limit until March 2019, but they don’t anymore. Exceeding the Duplicate Certificate limit is reported with the error message
too many certificates already issued for exact set of domains .
This is the new wording:
Message: too many certificates already issued for exact set of domains
Limit: 5 duplicate certificates / 7 days
Hitting this limit is often the result of using the following practices that should be avoided:
- Deleting valid certificates (and their private keys) when attempting to resolve webserver configuration problems
- Spinning-up ephemeral instances that acquire new certificates from the CA rather than utilizing an existing certificate
A certificate is considered a duplicate if it contains the exact same SANs as another certificate, regardless of order. Renewal certificates are duplicate certificates.
Fully Qualified Domain Name (FQDN)
An FQDN is a complete domain name consisting of any subdomain names and an apex domain name.
Apex Domain Name
An apex domain name is usually the trailing part of an FQDN registered through a registrar. For instance,
example.com is the apex domain name of
www.example.com. We use the Public Suffix List to determine the apex domain name for any given FQDN.
Subject Alternative Name (SAN)
Each FQDN that a certificate covers is listed as a SAN in the certificate. A certificate with multiple SANs is sometimes called a unified communications certificate (UCC). Reducing the number of SANs in a certificate reduces the operational complexity associated with using the certificate, resulting in increased performance and reliability.