When will the rate limit be reset so I can renew the cert?

Long story short, lego was misconfigured and was run too many times; the cert was issued a lot over a short period of time. Installed bncert tool which fixed configuration errors, but now I have run into a rate limit. How long must I wait until it is cleared? I saw the docs and it said a week but that was for 50 requests, I counted only 26 that were made on:

https://crt.sh/?q=westerndoorandgate.com

My domain is:
westerndoorandgate.com

I ran this command:
sudo /opt/bitnami/bncert-tool

It produced this output:
acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order
:: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too
many certificates already issued for exact set of domains:
westerndoorandgate.com,www.westerndoorandgate.com: see
https://letsencrypt.org/docs/rate-limits/, url:

My web server is (include version):
Server version: Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04.5 LTS
Kernel: Linux 4.4.0-1119-aws

1 Like

Hi @stasdd

Please read the document completely. Not incompletely.

And why do you want a new certificate? You have a lot of certificates. Use one of these for 60 - 85 days, then create the next.

1 Like

Sorry, I don't know the right questions to ask.

A) I read the docs and don't seem to understand what applies to my situation. That's neither here nor there if I can use a cert already issued.
B) I don't know where to retrieve the already issued certs, since the troubleshooting guide on Bitnami that I followed (https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/) had me do
rm -rf /opt/bitnami/letsencrypt

So, if you can point me in the right direction, I'd be appreciative. Thanks!

1 Like

The error message tells you exactly what applies:

That means you've issued five identical certificates within the last week. Why can't you use one of them?

2 Likes

I know WHY I was rate limited, as I said in the original post. I just don't know for how long, and I wouldn't mind a little more insight to help me avoid it in the future.

And where are the certs that have been issued? Since I've deleted the /opt/bitnami/letsencrypt folder, where do they live that I can just use them again?


I don't think "duplicate certificate limit of 5 per week" is that hard to understand, is it? And doesn't "per week" give you a pretty good idea how long the limit lasts?

2 Likes

@danb35 - oooh, so the 14 different issued certificates is actually 5? Because the link I provided shows 14 different certificate requests that completed and on the 16th one the limit kicked in. So having read the documentation that was linked I am still confused as to why the certificate limit didn't kick in after the 5th one like you pointed out. Was there some other category that I fell into that allowed that many certs issued that may also have meant a different time limit before I could request a new one? Is that hard to understand?

I get you don't like having people show up without reading the docs, but sometimes people have questions even after reading them. It doesn't make people lazy or ignorant simply because you don't feel like taking the time to help them.

The link (address) you provided does not filter out the precertificates, which don't count. Let's Encrypt CT log entries always come in pairs with the actual certificate at the top and the precertificate at the bottom. I've provided a link below that filters out the precertificates.

Note that two certificates are only considered duplicates of one another if they cover the exact same SANs (in any order).

These are the five specific certificates that hit the duplicate certificate rate limit for a certificate covering westerndoorandgate.com and www.westerndoorandgate.com:

3 Likes

In regards to the rate limit documentation itself, I drafted a complete overhaul of it a month ago that is currently awaiting review.

3 Likes

Hello @stasdd,

Just to add a bit more info :wink:

You recently issued 8 certificates:

CRT ID      CERT TYPE   DOMAIN (CN)                 KEY ALG      VALID FROM             VALID TO               EXPIRES IN  SANs
3926810251  Final cert  westerndoorandgate.com      RSA 2048bit  2021-Jan-14 14:10 UTC  2021-Apr-14 14:10 UTC  89 days     westerndoorandgate.com
                                                                                                                           www.westerndoorandgate.com

3923147075  Final cert  westerndoorandgate.com      RSA 2048bit  2021-Jan-13 22:56 UTC  2021-Apr-13 22:56 UTC  88 days     westerndoorandgate.com
                                                                                                                           www.westerndoorandgate.com

3923136364  Final cert  westerndoorandgate.com      RSA 2048bit  2021-Jan-13 22:53 UTC  2021-Apr-13 22:53 UTC  88 days     westerndoorandgate.com

3923101966  Final cert  www.westerndoorandgate.com  RSA 2048bit  2021-Jan-13 22:42 UTC  2021-Apr-13 22:42 UTC  88 days     www.westerndoorandgate.com

3923101615  Final cert  westerndoorandgate.com      RSA 2048bit  2021-Jan-13 22:42 UTC  2021-Apr-13 22:42 UTC  88 days     westerndoorandgate.com

3923093407  Final cert  westerndoorandgate.com      RSA 2048bit  2021-Jan-13 22:40 UTC  2021-Apr-13 22:40 UTC  88 days     westerndoorandgate.com
                                                                                                                           www.westerndoorandgate.com

3923080382  Final cert  westerndoorandgate.com      RSA 2048bit  2021-Jan-13 22:36 UTC  2021-Apr-13 22:36 UTC  88 days     westerndoorandgate.com
                                                                                                                           www.westerndoorandgate.com

3923074315  Final cert  westerndoorandgate.com      RSA 2048bit  2021-Jan-13 22:34 UTC  2021-Apr-13 22:34 UTC  88 days     westerndoorandgate.com
                                                                                                                           www.westerndoorandgate.com

So you have issued:

  • 1 certificate covering only domain www.westerndoorandgate.com
  • 2 certificates covering only domain westerndoorandgate.com
  • 5 certificates covering domains westerndoorandgate.com and www.westerndoorandgate.com

Then you can see the rate limit has been applied to certificates covering your 2 domains (westerndoorandgate.com and www.westerndoorandgate.com).

The first certificate was issued on 2021-Jan-13 23:34 UTC so after 7 days you could issue a new certificate covering those 2 domains and that will be on 2021-Jan-20 23:34 UTC.

I hope this is clear now :slightly_smiling_face:

Cheers,
sahsanu

5 Likes
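The counting walked through in the replies above, as an added example that is not part of the original thread: it drops precertificates, groups final certificates by exact SAN set regardless of order, and applies the 5-per-7-days duplicate limit as a sliding window. It assumes VALID FROM is set one hour before the real issuance time, under which the table's 22:34 corresponds to the 23:34 given in the reply; the precertificate row and `NOW` are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LIMIT, WINDOW = 5, timedelta(days=7)   # duplicate certificate limit quoted in the thread
BACKDATE = timedelta(hours=1)          # assumption: VALID FROM is 1 h before issuance
A = "westerndoorandgate.com"
W = "www." + A

# (crt.sh id, entry type, VALID FROM in UTC, SANs) transcribed from the table above.
# The last row is a constructed precertificate entry, added to exercise the filter.
ENTRIES = [
    (3926810251, "Final cert", "2021-01-14 14:10", (A, W)),
    (3923147075, "Final cert", "2021-01-13 22:56", (A, W)),
    (3923136364, "Final cert", "2021-01-13 22:53", (A,)),
    (3923101966, "Final cert", "2021-01-13 22:42", (W,)),
    (3923101615, "Final cert", "2021-01-13 22:42", (A,)),
    (3923093407, "Final cert", "2021-01-13 22:40", (A, W)),
    (3923080382, "Final cert", "2021-01-13 22:36", (A, W)),
    (3923074315, "Final cert", "2021-01-13 22:34", (A, W)),
    (0, "Precertificate", "2021-01-14 14:10", (A, W)),
]

def issuance_times(entries):
    """Group final certificates by exact SAN set; precertificates do not count."""
    groups = defaultdict(list)
    for _crt_id, kind, valid_from, sans in entries:
        if kind != "Final cert":
            continue
        not_before = datetime.strptime(valid_from, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        groups[frozenset(sans)].append(not_before + BACKDATE)
    return groups

def next_allowed(entries, sans, now):
    """Return None if this exact SAN set can be issued at `now`, else the earliest time it can."""
    recent = sorted(t for t in issuance_times(entries)[frozenset(sans)] if t > now - WINDOW)
    if len(recent) < LIMIT:
        return None
    # The slot frees up when the LIMIT-th most recent issuance leaves the window.
    return recent[-LIMIT] + WINDOW

NOW = datetime(2021, 1, 14, 15, 30, tzinfo=timezone.utc)  # constructed "current time"
if __name__ == "__main__":
    print(next_allowed(ENTRIES, (A, W), NOW))
```
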

Thank you all for this information - Certs have always been a little confusing for me and I appreciate your help in understanding!

3 Likes
