What to do with keys/0000_key-letsencrypt.pem and csr/0000_csr-letsencrypt.pem


#1

I had a server issue with the .well-known directory. By the time I got it fixed, I started getting:
Error creating new cert :: Too many certificates already issued for: errors.

I know WHY I am getting those errors. I know that I should have used the test option originally… it’s too late for that now.

Is there a command that I can issue that will take the
-rw-r-x--- 1 root ssl-cert 3272 Mar 15 12:23 keys/0000_key-letsencrypt.pem
-rw-r-xr-- 1 root ssl-cert 1671 Mar 15 12:23 csr/0000_csr-letsencrypt.pem
files that I ended up with and finish (locally) generating the files that letsencrypt would have created if my .well-known directory was set up? I tried using: --keep-until-expiring --reinstall on the letsencrypt-auto certonly command I ran to generate the certs but I still get the “Too many certificates already issued” error.

I don’t want to generate another one… I want to use the
-rw-r-x--- 1 root ssl-cert 3272 Mar 15 12:23 keys/0000_key-letsencrypt.pem
-rw-r-xr-- 1 root ssl-cert 1671 Mar 15 12:23 csr/0000_csr-letsencrypt.pem
files that I ended up with and end up with a proper set of cert files.

Thanks


#2

The key and csr files alone won’t do you any good. Those are generated locally and aren’t signed by Let’s Encrypt.

You’ll need the signed certificate, which is an operation only Let’s Encrypt’s CA server can do. If you still have those files (either in /etc/letsencrypt/live/example.com/cert.pem or /etc/letsencrypt/archive/example.com/cert*.pem), you should be able to use them. Otherwise, you’ll have to wait for the rate limit to reset 7 days after your first certificate was issued.


#3

The process never got that far. All I have are the csr and keys files that were locally generated.

If letsencrypt says that I have generated 5 keys for my domain (and won’t give me any more for a week)… how can I get one of THOSE existing certs/files from the letsencrypt server and not generate a new one? Is there no ‘recovery’ option to get keys / certs if you have an issue and don’t have a backup?

Thanks - jack


#4

I’m curious, what was the error you ran into that managed to issue a certificate successfully, but fail to store them on disk? That generally shouldn’t happen. Generating the key happens locally and doesn’t count for the rate limit.

Is this some kind of DynDNS or shared domain, by any chance? Maybe someone else ran into the rate limit for you, so to say.

You could probably extract your certificate via https://crt.sh/. Search for your domain and click on the “Certificate:” link when you’ve clicked through to a specific certificate to get a .crt file.
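
A certificate downloaded from crt.sh as suggested above is only usable with the private key whose public half it contains, so it is worth checking which file under keys/ (if any) matches it. This is an added example, not part of the original thread; the function names, the 0001 key file, the example.test hostname and downloaded.crt are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: match a downloaded certificate to the local key it was issued for.

# pubkey_hash cert|csr|key FILE -> SHA-256 of the DER-encoded public key
pubkey_hash() {
    local pem
    case $1 in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1          # unreadable file or wrong file type
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# find_matching_key CERT KEYDIR -> prints the key file whose public key is in CERT
find_matching_key() {
    local want have key
    want=$(pubkey_hash cert "$1") || return 2
    for key in "$2"/*.pem; do
        [ -f "$key" ] || continue
        have=$(pubkey_hash key "$key") || continue
        if [ "$have" = "$want" ]; then printf '%s\n' "$key"; return 0; fi
    done
    return 1                           # no local key can be used with this certificate
}

# Constructed sample data: two keys numbered like the files in this thread, a CSR
# for the first, and a self-signed certificate standing in for the crt.sh download.
make_demo_files() (
    umask 077                          # keep the private keys owner-readable only
    mkdir -p "$1/keys" "$1/csr"
    openssl genrsa -out "$1/keys/0000_key-letsencrypt.pem" 2048 2>/dev/null
    openssl genrsa -out "$1/keys/0001_key-letsencrypt.pem" 2048 2>/dev/null
    openssl req -new -key "$1/keys/0000_key-letsencrypt.pem" \
        -subj "/CN=server1.example.test" -out "$1/csr/0000_csr-letsencrypt.pem"
    openssl req -new -x509 -days 1 -key "$1/keys/0001_key-letsencrypt.pem" \
        -subj "/CN=server1.example.test" -out "$1/downloaded.crt"
)

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
echo "certificate matches: $(find_matching_key "$demo_dir/downloaded.crt" "$demo_dir/keys")"
```

If find_matching_key returns 1, none of the local keys belongs to the downloaded certificate and it cannot be installed with them.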


#5

I’ll look at that https://crt.sh/ thing and see if I can figure out what is what.

I was trying to avoid doing any apache down time. I’ve generated a few certs using letsencrypt. I use this command:
letsencrypt-auto certonly -a webroot --webroot-path=/var/www
and have an Alias entry in my httpd.conf file that has:
Alias /.well-known/ /var/www/.well-known/
Alias /.well-known /var/www/.well-known/

As long as the web server can write to that directory, things are good. I was copying a config from another server and had some issues with the httpd access to the webroot-path I was using. I don’t think I have any logs / errors from that unless the system put them someplace for me. I’d get an error about unable to access/write the .well-known directory, fix my issue and run the command again. I had some typos, path issues, permission issues and by the time I got it all corrected, I started getting the Too many… errors. If I could have gotten 1 more, I would have been fine. :wink: Oh… and I was doing server1.mydomain.com, sever2.mydomain.com, server3.mydomain.com… I wanted to test some auto renewal stuff and didn’t realize I was going to run into the 5 subdomains per week issue… now I know.

jack

