Unable to install a Let's Encrypt certificate: Too many certificates already issued for exact set of domains

Follow

Comments

8 comments

  • Avatar
    Li Link

    we migrated to a new server running onyx 17.5.3 with let's encrypt extension.  while migrating (manually moving, not using tool) we turned off the scheduled task because it was trying to install a certificate before the dns resolved to new server.  we manually installed the let's encrypt certificate on each of the website successfully with no errors.  i turned on the scheduled task again and now one a day for every website we get the error noted above.  there is no way there were too many certificates and there was no way they were expired so why did the extension even try to renew?  at this point, i have not found an answer on any forum any where.  can someone point me to the right direction or do i need to log a ticket with plesk odin?

    0
    Comment actions Permalink
  • Avatar
    Alexandr Tumanov

    @Li Link,

    This message is received by extension from Let's Encrypt server.

    It depends on different things. If you have a lot of domains with the second level like 123.example.com, test.example.com, hello.example.com, all of them will be counted as one example.com while obtaining a certificate.

    Since the migration was done manually, that we do not recommend, it may be hard to find the cause of such behavior.

    Please, use Plesk Migrator in future for migrations. It also migrates all the certificates.

    0
    Comment actions Permalink
  • Avatar
    Tobias Steiner (Edited )

    Dear Plesk team,

    Let's Encrypt has recently (Aug 1) updated its max. number of certificates per domain to 50.

    Any chance this will also be implemented in Plesk?

    As of today, I'm still getting the older

    The "Certificates per Registered Domain" rate limit has been exceeded for example.com. Let's Encrypt allows no more than 20 certificates to be issued per registered domain, per week.

    message...

    Would be fabulous to also have this in Plesk (I'm using Version 17.8.11 Update #16)

    thanks in advance and all best!

    Tobias

    0
    Comment actions Permalink
  • Avatar
    Alexandr Redikultsev

    Hi, @Tobias Steiner!

    Thank you very much for your input.

    I will clarify this and will let you know in a couple of days.

    0
    Comment actions Permalink
  • Avatar
    b_p

    Alexandr Redikultsev One challenge is that the extension keeps trying to get a new certificate every hour, ignoring the clear error that you should not send any queries in the near future. (Btw, for the domain in question the option "keep secured" is still disabled).

    Interestingly, in panel.log I always see 2 entries:

    [2020-10-01 12:09:05.784] ERR [extension/sslit] Unable to renew domain {domainName} certificate automatically Invalid response from https://acme-v02.api.letsencrypt.org/acme/new-order.
    Details:
    Type: urn:ietf:params:acme:error:rateLimited
    Status: 429
    Detail: Error creating new order :: too many certificates already issued for exact set of domains: domain.com,www.domain.com: see https://letsencrypt.org/docs/rate-limits/

    [2020-10-01 12:09:05.793] ERR [extension/sslit] Failed to renew certificate of domain 'domain.com': Invalid response from https://acme-v02.api.letsencrypt.org/acme/new-order.
    Details:
    Type: urn:ietf:params:acme:error:rateLimited
    Status: 429
    Detail: Error creating new order :: too many certificates already issued for exact set of domains: domain.com,www.domain.com: see https://letsencrypt.org/docs/rate-limits/

    0
    Comment actions Permalink
  • Avatar
    Taras Ermoshin

    Hello @b_p!

    Could you please clarify what is your concern about this topic - is it just the fact that SSL It! tries renewing the certificate anyway after hitting the rate limits, or is it that there is a lot of errors in the log file and/or a lot of email notifications with the same error? Or maybe something else?

    Also, it would be great if you provide your vision on how SSL It! should handle the rate limits issue in general.

    Your cooperation is appreciated.

    0
    Comment actions Permalink
  • Avatar
    b_p

    Hello Taras Ermoshin it is about the extension ignoring the rate limit (where I would assume that each attempt would increase the counter on the Let's encrypt side). Interesting fact: It seems that it is actually about creating duplicate certificates (not the limit of certifiacates per domain)!

    0
    Comment actions Permalink
  • Avatar
    Anton Maslov

    Hello b_p. You are right, that's a different limit: the same certificate can be issued 5 times a week successfully. If you try creating again 6-th time it will fail. Failed attempt won't increase the counter as it does not result into a certificate being created.

    We had one known issue in the past when SSL It was still trying to issue certificates again even it was already created, thought it has been fixed more than a year ago. 

    The limit "too many certificates already issued for exact set of domains" should not be hit as a result of automatic renewals, to check why this happens we would need to review logs on real use-case example. With that said, we encourage you to create a ticket to us in case such an issue occur again.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request