I think I must be misunderstanding something about how the limits on certificate issuance work. As I understand it, I should get 50 per domain per week; however, I am being declined even though I am nowhere near that.
When I run certbot, I get this:
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: the3guys.com: see https://letsencrypt.org/docs/rate-limits/
On the page linked to, it says:
The main limit is Certificates per Registered Domain (50 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com.
But when I check my previous registration requests, I am still under 50 in the past week.
I just completely overhauled the Rate Limits page, but it hasn't been merged yet.
This is the limit you're hitting:
Renewals are treated specially: they don't count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificates per Registered Domain limit until March 2019, but they don't anymore. Exceeding the Duplicate Certificate limit is reported with the error message "too many certificates already issued for exact set of domains".
This is the new wording:
Message: too many certificates already issued for exact set of domains
Limit: 5 duplicate certificates / 7 days
Hitting this limit is often the result of using the following practices that should be avoided:
Deleting valid certificates (and their private keys) when attempting to resolve webserver configuration problems
Spinning up ephemeral instances that acquire new certificates from the CA rather than utilizing an existing certificate
Definitions
Duplicate Certificate
A certificate is considered a duplicate if it contains the exact same SANs as another certificate, regardless of order. Renewal certificates are duplicate certificates.
Fully Qualified Domain Name (FQDN)
An FQDN is a complete domain name consisting of any subdomain names and an apex domain name.
Apex Domain Name
An apex domain name is usually the trailing part of an FQDN registered through a registrar. For instance, example.com is the apex domain name of www.example.com. We use the Public Suffix List to determine the apex domain name for any given FQDN.
Subject Alternative Name (SAN)
Each FQDN that a certificate covers is listed as a SAN in the certificate. A certificate with multiple SANs is sometimes called a unified communications certificate (UCC). Reducing the number of SANs in a certificate reduces the operational complexity associated with using the certificate, resulting in increased performance and reliability.
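To make the distinction between the two limits concrete, here is an added worked example (not Let's Encrypt's or certbot's own code) that replays a constructed issuance log against the rules quoted above: a certificate is a duplicate when its SAN set matches an earlier one regardless of order, duplicates count only against the 5-per-week limit, and distinct SAN sets count against the 50-per-week per-registered-domain limit. The apex extraction is a deliberate simplification (last two labels) rather than the Public Suffix List lookup the real CA uses, and the timestamps, hostnames and counts in the log are made up for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)
DUPLICATE_LIMIT = 5      # duplicate certificates per 7 days (from the thread)
PER_DOMAIN_LIMIT = 50    # certificates per registered domain per 7 days

# Fixed reference time so the constructed log below is reproducible.
NOW = datetime(2019, 6, 1, 12, 0)


def san_key(sans):
    """Normalize a SAN list so that order, case and a trailing dot do not
    matter: a duplicate is 'the exact same SANs ... regardless of order'."""
    return tuple(sorted(name.strip().lower().rstrip(".") for name in sans))


def apex_of(fqdn):
    """Simplified apex domain: the last two labels. ASSUMPTION: the real CA
    consults the Public Suffix List (example.co.uk would differ); this shortcut
    is only adequate for the constructed .com names used here."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def would_be_rate_limited(history, new_sans, now=NOW):
    """Return (blocked, reason) for a proposed issuance.

    history: list of (issued_at, sans) tuples describing earlier certificates.
    Only certificates issued inside the 7-day window are considered.
    """
    recent = [(t, s) for t, s in history if now - t < WINDOW]
    key = san_key(new_sans)

    # Duplicate Certificate limit: same SAN set, order ignored.
    duplicates = sum(1 for _, s in recent if san_key(s) == key)
    if duplicates >= DUPLICATE_LIMIT:
        return True, "too many certificates already issued for exact set of domains"

    # Certificates per Registered Domain limit: each distinct SAN set in the
    # window counts once per apex it covers; repeats (renewals) are skipped.
    seen, per_apex = set(), {}
    for _, s in sorted(recent, key=lambda item: item[0]):
        k = san_key(s)
        if k in seen:
            continue
        seen.add(k)
        for apex in {apex_of(n) for n in s}:
            per_apex[apex] = per_apex.get(apex, 0) + 1
    for apex in {apex_of(n) for n in new_sans}:
        if per_apex.get(apex, 0) >= PER_DOMAIN_LIMIT:
            return True, f"too many certificates already issued for {apex}"
    return False, ""


def example_history(now=NOW):
    """Constructed log: the same the3guys.com certificate was requested five
    times in one afternoon while debugging (one with the SANs reordered),
    plus one unrelated certificate two days earlier."""
    base = ["the3guys.com", "www.the3guys.com"]
    hist = [(now - timedelta(hours=h), list(base)) for h in (1, 2, 3, 4, 5)]
    hist[2] = (hist[2][0], list(reversed(base)))  # reordered: still a duplicate
    hist.append((now - timedelta(days=2), ["other.the3guys.com"]))
    return hist


def demo():
    """Run the three scenarios from the thread and return their outcomes."""
    hist = example_history()
    again = would_be_rate_limited(hist, ["www.the3guys.com", "the3guys.com"])
    fresh = would_be_rate_limited(hist, ["debug7.the3guys.com"])
    # Same five requests, but a week and a day ago: outside the window.
    old = [(t - timedelta(days=8), s) for t, s in hist]
    aged = would_be_rate_limited(old, ["www.the3guys.com", "the3guys.com"])
    return {"same_sans_again": again, "new_subdomain": fresh, "after_window": aged}


if __name__ == "__main__":
    for name, (blocked, reason) in demo().items():
        print(f"{name}: {'BLOCKED' if blocked else 'allowed'} {reason}")
```

Running it shows why the error in the first post appears: the fifth identical request exhausts the duplicate limit, while a certificate for a new subdomain is still allowed because only two distinct SAN sets have been issued under the apex that week. It also shows that the window slides; the same requests dated eight days back no longer count.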
OK, thanks. I was misunderstanding what was meant by "duplicate" certificate as opposed to certificates on the same domain. As I can just keep making up new subdomains so as to avoid the duplicate rule, that is fine for my debugging purposes (the reason why I keep repeating the same thing over and over).
Hey folks I think I spoke too soon, the dry run thing doesn't quite do it for me.
I need the certificate files to actually be created so that I can test the stuff I am building properly. Is there some way to make "dry run" create an untrusted/self-signed certificate?
Or should I just be transferring the certificate files between builds?
If I'm understanding the certbot command line options correctly, you're looking for --test-cert or --staging for it to actually install the fake certificate that the staging environment gives you.
To go along with @petercooperjr's suggestion, you need to also use --break-my-certs for certbot to actually install the fake certificates produced by the staging environment.
Thanks to both of you! This is what I needed. I think this is what you folks need to work more on explaining/promoting. The dry run stuff is easy to find, this not so much.