Waited 24 hours and this is still returned

The Let’s Encrypt service did not issue a valid certificate in the time allowed. Failed to get new certificate from LetsEncrypt :: Unexpected error
+Response from server:
+ Code: 429
+ Content: {
  "type": "urn:acme:error:rateLimited",
  "detail": "Error creating new cert :: too many certificates already issued for exact set of domains: : see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}

Not sure why it would be rate limited 24 hours later meanwhile my domain sits expired… How can I get the certificate issued?

Depends on how many certificates were issued in which time frame. The error message refers to the “Duplicate Certificate” rate limit of 5 certificates per week. (Which is a sliding window of exactly 7 days.)

So if you got all 5 certificates issued on the same day, you’ll have to wait seven days.

But without the relevant domain names we can’t check that for you.

Well it is one certificate for a base domain and then www.domain.com

So it was nowhere near 5… And the service never responded with the certificate the first time it was requested… If it is counting that against me, that is ridiculous and now my website sits inaccessible as I have HSTS enabled and now the certificate has expired… If I can’t get a certificate I guess it’s time to go to Thawte… I can’t afford for the website to be down.

You can check how many certificates were issued on https://crt.sh/ yourself if you’re not willing to share the domain name with us 🙂

I don’t think my customer would appreciate me sharing the info LOL… This may be a contributing factor?
https://letsencrypt.status.io/

Looks like there are some… Issues

If the tls-sni challenge issue was part of some error, you wouldn’t get any certificate issued. Let alone 5. So that isn’t the problem here.

The problem here is you’ve managed to get 5 exactly the same certificates issued within the time period of 7 days.

I see three… So I am still not understanding why I am getting the renewal error 429…

So where are the other two??

Those certificates shouldn’t be a problem. The most recent is more than 7 days ago. You sure you’ve entered the correct hostname(s)?

Yes. I use Certify in this instance and it usually auto renews… Something went wrong with it this time around and this error has come up…

Here is another one I am having problems with…

Looks like it tried to auto renew since December and was unable to. The cert I have on the server is the one that expired 1/12/2018.

So if there was indeed a cert generated 1/12/2018, how do I get it?

And apparently, the server does not have the private key… So even if these certificates are revoked it looks like I have to wait 7 days? Sure would love to know what went wrong. This has been working for a year…

You couldn’t generate the certificates without the private key - so it should be on your server somewhere. How are you generating the certs?

With Certify. I have to admit this is easier on *nix. In the problem case I am using Certify for Windows…

Revocation doesn’t affect the rate limits. The only thing that counts is when the certificates were issued.
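
The two points made in the replies above (a 7-day sliding window of 5 certificates per exact set of names, and revocation not counting) can be checked against a list of issuance records. This is an added example, not part of the original thread; the record layout, the function names and the example.com data are constructed, and the limit values are the ones quoted in the thread.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 5                   # duplicate-certificate limit quoted in the thread
WINDOW = timedelta(days=7)  # sliding window quoted in the thread


def duplicate_limit_status(records, names, now):
    """Return (issuances_in_window, earliest_retry) for the exact name set.

    earliest_retry is None when one more issuance still fits in the window.
    """
    wanted = frozenset(n.lower() for n in names)
    issued = {}
    for rec in records:
        if frozenset(n.lower() for n in rec["names"]) != wanted:
            continue  # only the exact same set of names is a duplicate
        # CT logs hold a precertificate and a final certificate for one
        # issuance; keying on the serial counts each issuance once.
        issued.setdefault(rec["serial"], rec["issued"])
        # rec["revoked"] is deliberately ignored: only issuance time counts.
    in_window = sorted(t for t in issued.values() if now - WINDOW < t <= now)
    if len(in_window) < LIMIT:
        return len(in_window), None
    # A slot frees up when the LIMIT-th most recent issuance leaves the window.
    return len(in_window), in_window[-LIMIT] + WINDOW


def utc(day, hour):
    return datetime(2018, 1, day, hour, tzinfo=timezone.utc)


# Constructed sample records (hypothetical layout, not real CT data).
PAIR = ["example.com", "www.example.com"]
SAMPLE = [
    {"serial": "01", "names": PAIR, "issued": utc(10, 8), "revoked": False},
    {"serial": "01", "names": PAIR, "issued": utc(10, 8), "revoked": False},  # precert + cert
    {"serial": "02", "names": PAIR, "issued": utc(10, 9), "revoked": True},
    {"serial": "03", "names": ["WWW.example.com", "example.com"],
     "issued": utc(10, 10), "revoked": False},
    {"serial": "04", "names": PAIR, "issued": utc(10, 11), "revoked": False},
    {"serial": "05", "names": PAIR, "issued": utc(10, 12), "revoked": False},
    {"serial": "06", "names": ["example.com"], "issued": utc(10, 13), "revoked": False},
    {"serial": "07", "names": PAIR, "issued": utc(2, 8), "revoked": False},  # outside window
]

if __name__ == "__main__":
    print(duplicate_limit_status(SAMPLE, PAIR, utc(11, 12)))
```
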

Odd, as Let’s Encrypt apparently did not deliver the certificate back, in Certify’s opinion…

You can download the certificate from crt.sh. You just also need the corresponding private key, which, as @serverco mentioned, should be somewhere on your server.

Well it is not importing. I found the pfx

ACMESharp\sysVault\99-ASSET

But it has a password… Tried a blank password and it crashes the cryptoshell… Don’t know what password Certify would use so I am still stuck…

Ok, so with the help of the DigiCert app I was able to pull in the pfx and get the cert installed. Guess I am not sure what happened, but it was obviously with the Certify app and not Let’s Encrypt. Hopefully next time it will work as it is supposed to. So the steps here (hopefully it can help someone else):

If Certify does not complete the installation:

Grab the pfx from ACMESharp\sysVault\99-ASSET

Use the DigiCert app to import it (There will be no password - This is a problem, and once you have the pair imported I would export it and password protect your pfx…)

Then relink the certificate to the site(s) in IIS and all good.

-D-