Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
- Let's Encrypt certificate installation fails with one of the following errors in Plesk UI:
  PLESK_ERROR: The "Certificates per Registered Domain" rate limit has been exceeded for example.com. Let's Encrypt allows no more than 50 certificates to be issued per registered domain, per week.
  Details:
  Status: 429
  Detail: Error creating new cert :: too many certificates already issued for exact set of domains: example.com,www.example.com
  PLESK_ERROR: Error: Could not issue a Let's Encrypt SSL/TLS certificate for example.com.
  One of the Let's Encrypt rate limits has been exceeded for example.com.
  See the related Knowledge Base article for details.
  Details:
  Invalid response from https://acme-v02.api.letsencrypt.org/acme/neworder.
  Details:
  Type: urn:ietf:params:acme:error:rateLimited
  Status: 429
  Detail: Error creating new order :: too many certificates already issued for exact set of domains: example.com,www.example.com: see https://letsencrypt.org/docs/rate-limits/
- The following email message is received:
  CONFIG_TEXT: Could not renew Let's Encrypt certificates for Administrator (login admin).
  Please log in to Plesk and renew the certificates listed below manually.
  Renewal of the following Let's Encrypt certificates has failed:
  * 'Lets Encrypt example.com' [days to expire: 28]
  [-] www.example.com
  [-] example.com
  Invalid response from https://acme-v02.api.letsencrypt.org/acme/new-order.
  Details:
  Type: urn:ietf:params:acme:error:rateLimited
  Status: 429
  Detail: Error creating new order :: too many currently pending authorizations: see https://letsencrypt.org/docs/rate-limits/
Cause
Too many certificates were created for the domain within a specific period of time. As a result, the Certificates per Registered Domain limit, which is one of the Let's Encrypt rate limits, has been exceeded.
Resolution
The most common rate limit is 50 certificates per domain per 7 days. This limit is set by Let's Encrypt directly and cannot be managed through Plesk.
To overcome the issue, wait for this one-week period to pass and reissue the certificate, or consider issuing a new Let's Encrypt wildcard certificate.
There are two other limits:
- A user can create a maximum of 10 Accounts per IP Address per 3 hours.
- A user can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours.
See Let's Encrypt Rate Limits documentation for more details.
Note: Subdomains from the same domain zone, like example.com and blog.example.com, share the same rate limit. Thus, once the first 50 domains of the form sub.example.com have received a certificate, the rest need to wait for a week.
Note: If the initial error was different, it must be resolved before retrying to generate a new certificate in 7 days. It makes no difference whether the request was sent from a command-line interface or from Plesk.
Note: According to the Let's Encrypt Rate Limits documentation, renewals are treated specially: they don't count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week.
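The errors above name different limits in their Detail line. The following added example (not Plesk or Let's Encrypt code) reads panel.log text, tells those limits apart, and counts distinct failed attempts per domain set. The function names and the sample log are constructed for illustration, and the Detail wording matched for the Certificates per Registered Domain limit is an assumption, since this article does not quote it.

```python
import re
from collections import Counter

# Detail substring -> limit. The first two wordings are quoted in this article;
# the third wording is an assumption and is not shown here.
LIMITS = [
    ("already issued for exact set of domains", "Duplicate Certificate"),
    ("too many currently pending authorizations", "Pending Authorizations"),
    ("too many certificates already issued for", "Certificates per Registered Domain"),
]
ENTRY = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\] ERR \[extension/sslit\]", re.M)
DETAIL = re.compile(r"^Detail: (.*)$", re.M)
NAMES = re.compile(r"exact set of domains: ([\w.,-]+)")

def classify(detail):
    """Map an ACME rateLimited Detail string to the limit it refers to."""
    return next((name for needle, name in LIMITS if needle in detail), "unrecognized")

def summarize(log_text):
    """Count distinct failed attempts per (limit, domain set) in panel.log text."""
    starts = [m.start() for m in ENTRY.finditer(log_text)] + [len(log_text)]
    attempts = set()
    for begin, end in zip(starts, starts[1:]):
        entry = log_text[begin:end]
        detail = DETAIL.search(entry)
        if "urn:ietf:params:acme:error:rateLimited" not in entry or not detail:
            continue
        names = NAMES.search(detail.group(1))
        # A failure logged twice within the same second collapses to one attempt.
        attempts.add((ENTRY.match(entry).group(1), classify(detail.group(1)),
                      names.group(1) if names else "-"))
    return Counter((limit, names) for _, limit, names in attempts)

def _entry(stamp, ms, detail):
    # Builds one constructed log entry in the panel.log layout.
    return (f"[{stamp}.{ms}] ERR [extension/sslit] Failed to renew certificate: Invalid "
            "response from https://acme-v02.api.letsencrypt.org/acme/new-order.\nDetails:\n"
            "Type: urn:ietf:params:acme:error:rateLimited\nStatus: 429\n"
            f"Detail: Error creating new order :: {detail}: "
            "see https://letsencrypt.org/docs/rate-limits/\n")

DUP = "too many certificates already issued for exact set of domains: domain.com,www.domain.com"
SAMPLE_LOG = "".join(_entry(f"2020-10-01 {h}:09:05", ms, DUP)  # constructed sample
                     for h in ("12", "13", "14") for ms in ("784", "793"))
SAMPLE_LOG += _entry("2020-10-01 15:00:00", "100", "too many currently pending authorizations")

if __name__ == "__main__":
    for (limit, names), n in summarize(SAMPLE_LOG).items():
        print(f"{n} attempt(s) hit {limit} for {names}")
```

A Duplicate Certificate result means the same set of names was already issued 5 times that week, which a wildcard certificate or waiting for the registered-domain window does not address.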
Comments
8 comments
We migrated to a new server running Onyx 17.5.3 with the Let's Encrypt extension. While migrating (manually moving, not using the tool) we turned off the scheduled task because it was trying to install a certificate before the DNS resolved to the new server. We manually installed the Let's Encrypt certificate on each of the websites successfully with no errors. I turned on the scheduled task again and now one a day for every website we get the error noted above. There is no way there were too many certificates and there was no way they were expired, so why did the extension even try to renew? At this point, I have not found an answer on any forum anywhere. Can someone point me in the right direction or do I need to log a ticket with Plesk Odin?
@Li Link,
This message is received by extension from Let's Encrypt server.
It depends on different things. If you have a lot of domains with the second level like 123.example.com, test.example.com, hello.example.com, all of them will be counted as one example.com while obtaining a certificate.
Since the migration was done manually, which we do not recommend, it may be hard to find the cause of such behavior.
Please, use Plesk Migrator in future for migrations. It also migrates all the certificates.
Dear Plesk team,
Let's Encrypt has recently (Aug 1) updated its max. number of certificates per domain to 50.
Any chance this will also be implemented in Plesk?
As of today, I'm still getting the older
message...
Would be fabulous to also have this in Plesk (I'm using Version 17.8.11 Update #16)
thanks in advance and all best!
Tobias
Hi, @Tobias Steiner!
Thank you very much for your input.
I will clarify this and will let you know in a couple of days.
Alexandr Redikultsev One challenge is that the extension keeps trying to get a new certificate every hour, ignoring the clear error that you should not send any queries in the near future. (Btw, for the domain in question the option "keep secured" is still disabled).
Interestingly, in panel.log I always see 2 entries:
[2020-10-01 12:09:05.784] ERR [extension/sslit] Unable to renew domain {domainName} certificate automatically Invalid response from https://acme-v02.api.letsencrypt.org/acme/new-order.
Details:
Type: urn:ietf:params:acme:error:rateLimited
Status: 429
Detail: Error creating new order :: too many certificates already issued for exact set of domains: domain.com,www.domain.com: see https://letsencrypt.org/docs/rate-limits/
[2020-10-01 12:09:05.793] ERR [extension/sslit] Failed to renew certificate of domain 'domain.com': Invalid response from https://acme-v02.api.letsencrypt.org/acme/new-order.
Details:
Type: urn:ietf:params:acme:error:rateLimited
Status: 429
Detail: Error creating new order :: too many certificates already issued for exact set of domains: domain.com,www.domain.com: see https://letsencrypt.org/docs/rate-limits/
Hello @b_p!
Could you please clarify what your concern about this topic is: is it just the fact that SSL It! tries renewing the certificate anyway after hitting the rate limits, or is it that there are a lot of errors in the log file and/or a lot of email notifications with the same error? Or maybe something else?
Also, it would be great if you provide your vision on how SSL It! should handle the rate limits issue in general.
Your cooperation is appreciated.
Hello Taras Ermoshin, it is about the extension ignoring the rate limit (where I would assume that each attempt would increase the counter on the Let's Encrypt side). Interesting fact: It seems that it is actually about creating duplicate certificates (not the limit of certificates per domain)!
Hello BP. You are right, that's a different limit: the same certificate can be issued 5 times a week successfully. If you try creating it again a 6th time, it will fail. A failed attempt won't increase the counter, as it does not result in a certificate being created.
We had one known issue in the past when SSL It! was still trying to issue certificates again even though they were already created, though it was fixed more than a year ago.
The limit "too many certificates already issued for exact set of domains" should not be hit as a result of automatic renewals; to check why this happens we would need to review logs on a real use-case example. With that said, we encourage you to create a ticket with us in case such an issue occurs again.