Wildcard certificate ratelimited


#1

My domain is: helptier.com, *.helptier.com

I ran this command:

certbot/dns-digitalocean certonly \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --dns-digitalocean \

It produced this output:

{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error finalizing order :: too many certificates already issued for exact set of domains: *.helptier.com,helptier.com: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}

My web server is (include version):

apache2

The operating system my web server runs on is (include version):

ubuntu 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no


#2

Exactly what this says–you issued one cert on 7/1, two on 7/2, and two on 7/3, all for exactly the same domains. What did you do with them? And why are you trying to get more?

Edit: Before that, you issued five certs on 6/24, again all for the same set of domains.


#3

I tried to issue wildcard certificates, but all of them ended up throwing errors because it required DNS authentication.

I was using certbot to renew these certificates and it couldn’t. Finally now I found that I need docker to generate with DNS authentication, but it’s rate limited.

The ones generated on 7/1, two on 7/2, and two on 7/3 said it’s rate limited.

I haven’t got any certificate in total :frowning:


#4

You have issued at least ten certificates for the combination of helptier.com and *.helptier.com. Take a look on crt.sh.

No, you don’t, though your use of docker might explain where your certificates are going once you generate them.

This rate limit will expire on 7/8. Between now and then, maybe you should work on the staging CA to ensure that the cert is actually saved somewhere once it’s issued, or you’ll be back in the same position again very soon.


#5

Hi @sidHelptier

you have a lot of valid certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:helptier.com&lu=cert_search

But if you use Docker, you must save the account key and the certificates outside of your docker container.

If not, you create a new Docker instance -> you create a new certificate -> you hit the limit quickly.


#6

Thank you, but is there any way I can download the old generated certificates?


#7

Sure, you can download any of the certificates from the transparency logs. But if you threw away the corresponding private keys, the certs won’t be of any use to you–you’re the only one who has those.


#8

Thank you, Let me see if I can find the keys.


#9

The public keys are irrelevant if you destroyed your Docker instance and with it the private key.

It’s a general problem when using Docker. The keys have to be saved outside, so they can be used for 60 - 90 days.

And the account key permanently.
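An added example (not code from this thread or from certbot) of the point made in #5 and #9: run the certbot/dns-digitalocean image with its configuration and work directories mounted from the host, so the ACME account key and the issued certificate survive the container, and skip the request entirely when a certificate is already persisted, so rebuilding the container does not consume the duplicate-certificate rate limit again. The host paths, the credentials file name and the example domain are assumed placeholders; `--dns-digitalocean-credentials` is the plugin's own option for the API token file.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps the ACME account key and the
# certificate lineage on the host so a disposable container cannot lose them.
# Assumed placeholders: host directories, credentials file, example domain.

# Return 0 when the host directory already holds an account key plus the
# private key and chain for the lineage, i.e. no new request is needed.
persisted_cert_present() {
    conf_dir=$1; lineage=$2
    [ -d "$conf_dir/accounts" ] || return 1            # ACME account key
    [ -f "$conf_dir/live/$lineage/privkey.pem" ] || return 1
    [ -f "$conf_dir/live/$lineage/fullchain.pem" ] || return 1
    return 0
}

# Print the docker command. The -v mounts are what keep the account key,
# renewal config and certificates outside the container. The lineage name
# defaults to the first -d name, so live/<domain>/ matches the check above.
certbot_docker_cmd() {
    conf_dir=$1; work_dir=$2; creds=$3; domain=$4; extra=$5
    cmd="docker run --rm"
    cmd="$cmd -v $conf_dir:/etc/letsencrypt"
    cmd="$cmd -v $work_dir:/var/lib/letsencrypt"
    cmd="$cmd -v $creds:/run/do-credentials.ini:ro"
    cmd="$cmd certbot/dns-digitalocean certonly $extra"
    cmd="$cmd --server https://acme-v02.api.letsencrypt.org/directory"
    cmd="$cmd --dns-digitalocean"
    cmd="$cmd --dns-digitalocean-credentials /run/do-credentials.ini"
    cmd="$cmd -d $domain -d *.$domain"
    printf '%s\n' "$cmd"
}

# Only request when nothing is persisted. Pass --staging as the fifth
# argument to rehearse against the staging CA (as #4 suggests) before
# touching the production rate limits.
request_if_missing() {
    if persisted_cert_present "$1" "$4"; then
        echo "certificate for $4 already present in $1; not requesting"
        return 0
    fi
    certbot_docker_cmd "$@"
}
```

The script only prints the command so the mounts can be checked before it is run; once `live/<domain>/privkey.pem` exists on the host, `certbot renew` through the same mounts is what should run, not another `certonly`.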
