You've hit the Let's Encrypt rate limits for this domain

I've tried to migrate our website, cruxpsychology.ca to three different servers
Every time I attempt to activate the ssl cert, I'm informed You've hit the Let's Encrypt rate limits for this domain

I've deliberately waited 2 weeks before attempting again to make sure I'm not over the rate limit
However, once again, on the very first try - I get the error again

I don't understand the crt.sh well enough to determine where or what is causing the limit on attempts

2 Likes

What caused all those issuances on December 26th? There were 5 certificates issued..

4 Likes

That's exactly what my question is...

2 Likes

Well, they can't come from nowhere, so probably something or someone on your server is doing it. It seems to have a weekly pattern, so probably a misconfigured ACME client.

Which ACME client are you using?

4 Likes

I completely understand they are coming from somewhere
I don't know what an ACME client is to know what to look into
All I know is that I'm trying to migrate the website from one server to another - and I can't because something is running too many SSL cert applications
Therefore - why I'm looking for help

2 Likes

Can you find the server definition for this domain in your nginx.conf?

What does the line for the ssl_certificate say?

3 Likes

Checking just now I see @revolve is using one of the certs acquired on 26 December. :+1:

Is this your old server or the new one you're migrating to or migrated to?

3 Likes

I don't know if I have access to the nginx.conf - I'll try today

looking at the current cert (on the old server) I believe it matches crt.sh | 5868711534
what part of this record shows what server has made the request? I'd like to review other records to know if the requests are all coming from the same source

and... in review of crt.sh | %.cruxpsychology.ca
why don't I see any of the records for my attempts to add a cert on the new server yesterday?

2 Likes

Only issued certificates are recorded in Certificate Transparency Logs.

4 Likes

ok... so there were 10 certificates approved for Dec 26-27...
what field shows what server has applied for these?
is it common to have multiple certs for 1 website? (if so - 10?)

2 Likes

By default, pre-certificates are also shown on crt.sh, so you'd need to divide the number by 2. I.e., not 10 but 5 certificates were issued on 26 and 27 December. (Which makes sense, as the duplicate rate limit is 5 per week.)

There's no such field. That's not publicised by Let's Encrypt.

No, it's not. Also, the crt.sh output looks more like a very bad and malfunctioning or misconfigured ACME client trying to get a certificate repeatedly every minute or so! That is NOT what it is supposed to do. The ACME client should check if a certificate is due for renewal, usually 60 days after issuance and only IF it's due, renew it. NOT every single minute of the day.

Also, we're lacking seriously in information here, as you haven't filled out the questionnaire which should have been presented to you when you opened a new thread in the #help section. Let's pull that questionnaire up again anyway: (some questions already have been answered, but for completeness, please fill them out again anyway)


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

4 Likes
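
The counting described in the reply above (collapse crt.sh's precertificate/certificate pairs, then compare against the limit of 5 duplicates per week), as an added example that is not part of the original thread. The rows are constructed for example.com; the field names are modelled on crt.sh's JSON output and, like the pairing of precertificate and certificate by serial number, are assumptions of this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5          # per the thread: 5 duplicate certificates per week
WINDOW = timedelta(days=7)

def sample_rows():
    """Constructed data: one older cert, then 5 issuances a minute apart.
    Every certificate appears twice (precertificate + final certificate)."""
    rows = [{"serial_number": "old1", "name_value": "example.com",
             "not_before": "2023-11-01T03:00:00"}] * 2
    start = datetime(2024, 1, 7, 3, 0)
    for i in range(5):
        row = {"serial_number": f"burst{i}",
               "name_value": "example.com\nwww.example.com",
               "not_before": (start + timedelta(minutes=i)).isoformat()}
        rows += [row, dict(row)]
    return rows

def unique_certs(rows):
    """Collapse precert/cert pairs (same serial) into (issued_at, name_set)."""
    certs = {}
    for r in rows:
        names = frozenset(n.strip().lower()
                          for n in r["name_value"].splitlines() if n.strip())
        certs[r["serial_number"]] = (datetime.fromisoformat(r["not_before"]), names)
    return list(certs.values())

def duplicate_bursts(rows, limit=DUPLICATE_LIMIT, window=WINDOW):
    """Return {name_set: peak count in any 7-day window} for sets at the limit."""
    by_names = defaultdict(list)
    for issued, names in unique_certs(rows):
        by_names[names].append(issued)   # "duplicate" = identical set of names
    flagged = {}
    for names, times in by_names.items():
        times.sort()
        lo = peak = 0
        for hi, t in enumerate(times):
            while t - times[lo] >= window:   # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= limit:
            flagged[names] = peak
    return flagged

if __name__ == "__main__":
    for names, peak in duplicate_bursts(sample_rows()).items():
        print(sorted(names), "->", peak, "certificates within 7 days")
```
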

My domain is: cruxpsychology.ca

I ran this command: in the new hosting, I tried to activate the request to implement an ssl cert

It produced this output: You've hit the Let's Encrypt rate limits for this domain.

My web server is (include version): don't know

The operating system my web server runs on is (include version): don't know

My hosting provider, if applicable, is: New server SpinUp with an AWS container; old server dynamic hosting

I can login to a root shell on my machine (yes or no, or I don't know): new server, yes; old server, no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
New server - web interface; old server - plesk, version unknown

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): don't know

2 Likes

Is the old server still running? If not, when did you stop it?

5 Likes

No - it's still hosting the site since I can't get an SSL cert on the new server

2 Likes

Do you know who managed the old server? I.e., who can tell you how that server gets its certificates?

4 Likes

Yes - but that's why I'm here finding answers
I pointed the finger at them earlier... and they said it wasn't them

Now that I have some info - I'll go back again

The more info I can get here - the more I can find the root of the issue

2 Likes

I understand, but we also require information to guide you. Hopefully you have enough at the moment to ask the person managing the older server to stop issuing that ridiculous amount of certificates.

3 Likes

I do... and if a follow-up creates more questions, I'll be back

Thank you and others who contributed...

I may be back

4 Likes

You're welcome to do so! Remember, the more info you can provide, the better :slight_smile:

4 Likes
