Want to register .us.to subdomain CA certificate... Help

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://adschat.us.to/

I ran this command: sudo certbot certonly --standalone

It produced this output:

An unexpected error occurred:
Error creating new order :: too many certificates already issued for "us.to". Retry after 2024-09-16T08:00:00Z: see Rate Limits - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Uhh... It's using Node.js but I wrote other on the certbot site.

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.11.0

I need to get it a CA certificate somehow. I can't add more DNS records to it (it's using afraid.org).

Hi @QuizzityMC,

Can I assume that you've read the rate limit documentation at

?

Let's Encrypt has rate limits on domains to prevent one person or organization from getting an unreasonable number of certificates (which take up Let's Encrypt's resources to issue) for the same service, product, system, or network. These rate limits can be increased in response to requests, but those requests need to come from the owner of the domain name. When a domain name is public (shared by people who have no connection or relationship to each other), it's usually best to register it in the Public Suffix List, which will also improve browsers' handling of cookies set for that domain.

Again, only the domain owner can do this.

To my knowledge, you have four options here (one of which is not great):

  • Use your own domain rather than a shared public domain. Or, use a shared public domain that has already gone through a registration process so that the rate limits don't apply to it in the same way.
  • Get the owner of the us.to domain to register with the Public Suffix List or request a rate limit increase from Let's Encrypt (in this situation, the Public Suffix List is likely to be more appropriate).
  • Use a different ACME CA instead of Let's Encrypt (there are several others that use the same technology to offer free DV certificates).
  • (The worst option!) Keep trying, though not so often as to hit a different Let's Encrypt rate limit, and hope that you get lucky by being one of the first people to make a request during the appropriate window where the rate limit allows more new certificate issuance.
3 Likes

To clarify on your last two points there, I can't really find another CA that works, there's acme.sh but that keeps saying:

Sep 16 04:57:26 UTC 2024] Pending. The CA is processing your order, please wait. (7/30)
[Mon Sep 16 04:57:31 UTC 2024] Pending. The CA is processing your order, please wait. (8/30)
[Mon Sep 16 04:57:35 UTC 2024] Pending. The CA is processing your order, please wait. (9/30)

, and I cannot add another DNS record to the subdomain (as far as I know).

With the last option, is it that there is an appropriate time slot where the rate limit does not apply or something?
I know that it's not a problem with certbot or letsencrypt; I already have my own custom domain name with a certificate from here.

So am I right in thinking that I should run that command again at 2024-09-16T08:00:00Z, which is 6PM AEST (my timezone)?

You can try Buypass Go by using your certbot command and just adding --server https://api.buypass.com/acme/directory

It has its own rate limits to worry about too, though, so it may not work any better.

3 Likes

What about switching to use another [free] domain?

2 Likes

You can try but you still may run into rate limits. You are sharing that .us.to name with many other people. Someone may use up the available certs before you.

This is why this is not a good approach long-term. The certs expire after 90 days with renewal usually after 60. You will repeatedly face these problems, and they will become worse as more people register subdomains of that.

That is why the long-term solution is for the owner of us.to to submit to the Public Suffix List. Or, for you to have your own domain that is not shared.

2 Likes

Or use an FQDN from a domain that is already on the PSL.

1 Like

Well, once the initial cert is created, wouldn't it work to keep renewing it every 60 days thereafter since at that point it's only subject to the Duplicate Certificate limit, not the Certificates per Registered Domain limit?

4 Likes

Oh, yeah, you are correct. A cert renewal will not count against that limit.

4 Likes
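The two points argued in this thread, that the rate limit is keyed on the "registered domain" as computed from the Public Suffix List (so adding us.to to the PSL would change the grouping) and that a renewal with the identical name set is exempt from the per-registered-domain limit, can be made concrete in code. The following is an added example and not Let's Encrypt's or Boulder's code; it implements the public PSL matching algorithm over a constructed excerpt of the list (the "us.to" entry in RULES_PSL is hypothetical, standing for the owner having submitted it), and a simplified classifier using the 50-per-week registered-domain and 5-per-week duplicate figures from the rate-limit documentation current in 2024. The issuance history is constructed for the demonstration.

```python
"""How an ACME CA groups orders by "registered domain" for rate limiting,
and why a renewal is exempt from the per-domain limit (added example; not
Let's Encrypt's code). The PSL excerpt and issuance history are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed excerpt of the Public Suffix List. "com", "to", "uk", "co.uk",
# "ck", "*.ck" and "!www.ck" are real entries; "us.to" is NOT in the
# excerpt, mirroring the situation described in the thread.
PSL_EXCERPT = """
// === BEGIN ICANN DOMAINS ===
com
to
uk
co.uk
ck
*.ck
!www.ck
"""

def parse_psl(text):
    """Keep the rule lines of a PSL file; drop blanks and // comments."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")}

RULES_SHARED = parse_psl(PSL_EXCERPT)
# Hypothetical: the owner of us.to has submitted it to the PRIVATE section.
RULES_PSL = RULES_SHARED | {"us.to"}

def public_suffix(hostname, rules):
    """PSL algorithm: an exception rule wins outright; otherwise the rule
    matching the most labels wins (a wildcard matches one extra label);
    if nothing matches, the implicit "*" rule makes the TLD the suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    matched = []  # number of labels matched by each applicable rule
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if "!" + cand in rules:
            return ".".join(labels[i + 1:])  # exception: drop leftmost label
        if cand in rules:
            matched.append(len(labels) - i)
        if i > 0 and "*." + cand in rules:
            matched.append(len(labels) - i + 1)
    n = max(matched, default=1)
    return ".".join(labels[-n:])

def registered_domain(hostname, rules):
    """Public suffix plus one label; None if the name is itself a suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    n = len(public_suffix(hostname, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

# Figures from the Let's Encrypt rate-limit documentation current in 2024.
PER_REGISTERED_DOMAIN_LIMIT = 50  # new certificates per registered domain / week
DUPLICATE_LIMIT = 5               # certificates with an identical name set / week
WINDOW = timedelta(days=7)

def check_order(names, issued, now, rules):
    """Classify an order against the two limits discussed in the thread.
    issued: list of (issue_time, frozenset_of_names) for the whole CA.
    A renewal (same exact name set issued before) is checked only against
    the duplicate limit; anything else counts against the registered-domain
    limit of every registered domain its names fall under."""
    requested = frozenset(n.lower() for n in names)
    recent = [(t, s) for t, s in issued if now - t < WINDOW]
    if any(s == requested for _, s in issued):
        dupes = sum(1 for _, s in recent if s == requested)
        return {"renewal": True, "blocked": dupes >= DUPLICATE_LIMIT,
                "limit": "duplicate" if dupes >= DUPLICATE_LIMIT else None}

    def first_issuance(t, s):
        # A recent cert is itself a renewal (and exempt) if the same name
        # set was issued earlier; only first issuances are counted.
        return not any(t2 < t and s2 == s for t2, s2 in issued)

    over = []
    for dom in {registered_domain(n, rules) for n in requested}:
        count = sum(1 for t, s in recent if first_issuance(t, s)
                    and any(registered_domain(n, rules) == dom for n in s))
        if count >= PER_REGISTERED_DOMAIN_LIMIT:
            over.append(dom)
    return {"renewal": False, "blocked": bool(over),
            "limit": "registered_domain" if over else None, "domains": over}

# Constructed issuance history: 50 other users got fresh certificates under
# us.to yesterday, and renewme.us.to was issued once, 60 days ago.
NOW = datetime(2024, 9, 16, 5, 0, tzinfo=timezone.utc)
ISSUED = [(NOW - timedelta(days=1), frozenset({f"site{i}.us.to"}))
          for i in range(PER_REGISTERED_DOMAIN_LIMIT)]
ISSUED.append((NOW - timedelta(days=60), frozenset({"renewme.us.to"})))

if __name__ == "__main__":
    for name, rules in [("adschat.us.to", RULES_SHARED),
                        ("renewme.us.to", RULES_SHARED),
                        ("adschat.us.to", RULES_PSL)]:
        print(name, "->", registered_domain(name, rules),
              check_order([name], ISSUED, NOW, rules))
```

Run as is, the three cases reproduce the thread: a first certificate for adschat.us.to is blocked because 50 fresh certificates under the registered domain us.to already exist in the window; a renewal of renewme.us.to is allowed because only the duplicate limit applies to it; and with us.to on the PSL the registered domain becomes adschat.us.to itself, so the other users' certificates no longer count against it.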

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.