Too many certificates have already been issued

simensen

Cadet
Joined
Mar 12, 2022
Messages
3
I set up a certificate with Let's Encrypt and all seems to be working fine. However, I'm seeing a lot of failed jobs for renewing the certificate that I do not understand. Mainly because I didn't think there would be automatic renewals and that I'd have to do that myself in 90 days. It's entirely possible I misunderstood.

Do I have something configured incorrectly? What process is trying to run these renewals and is there a way for me to make it so that they don't do *so many* of these renewals? As far as I understood, I created the one signing request and that was it. Not sure why it would have ever tried to do another?

 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
Renewals are automatic.
So you just ran out of the Let's Encrypt rate limit by doing so yourself as well.
 

simensen

Cadet
Joined
Mar 12, 2022
Messages
3
> Renewals are automatic.
> So you just ran out of the Let's Encrypt rate limit by doing so yourself as well.

Hi!

Since this is the first certificate I ever created, I wasn't sure if it was supposed to automatically renew or not. The docs said I should use a valid email address so I could see the renewal reminders from Let's Encrypt. Glad to know it should be happening automatically.

That said, I only went through the process manually exactly once. I just double-checked the certificates page and it looks like it's continuing to renew on its own more rapidly than every 90 days.

My first post had "From March 10th" "Until June 8th". Now, it has "From March 15th" "Until June 13th".

I've not done anything at all with certificates between then and now. And I'd only done it exactly once prior to posting. However, it seems like it's attempting to renew far more often than it should. It appears that I'm getting at least one warning daily:

I'm not sure if I set up something wrong that is making it try to renew more frequently?

One thing I wasn't sure about was "Renew Certificate Days." I set it to 10 because I thought it meant "how many days before expiration do you want to renew." I think the default was something in the single digits?

Other than this, I'm not sure how else I might have done something wrong or how I can fix/correct this.
 

simensen

Cadet
Joined
Mar 12, 2022
Messages
3
I'm still regularly getting these warnings. I'd just as soon not be causing issues with Let's Encrypt rate limits for fear they might block me or something. I followed the directions the best I could and I still don't understand why it's trying to renew my certificate this frequently. It looks like they are trying to be renewed daily for some reason?

I'm not doing anything manually. I only ever made one request. Why is it trying to renew my certificate every day? How can I debug this more? I'm willing to do the work to help figure out this problem but I don't really know where to start.

Error

[EFAULT] Failed to issue a new order for Certificate : urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: *.XXX.YYY.ZZZ,XXX.YYY.ZZZ: see https://letsencrypt.org/docs/rate-limits/

It does look like Let's Encrypt treats the renewals separately so maybe this isn't as big of a deal? Still, if this is something I misconfigured, I'd like to fix it! If it's an issue w/ the renewal logic of TrueNAS SCALE, maybe it could be fixed for an upcoming release?

> Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains.

https://letsencrypt.org/docs/rate-limits/
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Are you trying to renew more than 5 certificates at a time? If so, that is the problem... You are allowed a total of 5 certificates per week. As such, you should do 4 certs on week 1, then 4 more on week 2, ... They will renew 30 days before they are due, so the first 4 will renew on week 9, the next on week 10, etc.

That way, you will remain within Let's Encrypt's limits.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> You are allowed a total of 5 certificates per week.

You're allowed five per week for a given set of FQDNs (i.e., five identical certs). There's absolutely no reason a sensibly-configured system should come close to this limit, much less exceed it. Indeed, it would be a rare case where you'd have a need for more than one identical cert in a week.
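
The check discussed above, as an added example that is not part of any post in this thread and is not TrueNAS or Let's Encrypt code: it decides whether a renewal is due and whether the duplicate-certificate budget for an exact set of names is exhausted. It assumes "Renew Certificate Days" means days before expiry, as the original poster read it, and models the limit as the error message states it (5 per trailing 168 hours); the host names and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

DUPLICATE_LIMIT = 5            # "too many certificates (5) already issued"
WINDOW = timedelta(hours=168)  # "in the last 168 hours"

def name_set(names):
    """Order- and case-insensitive key for an exact set of DNS names."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)

def renewal_due(not_after, renew_days, now):
    """True once 'now' is within renew_days of the certificate's expiry."""
    return now >= not_after - timedelta(days=renew_days)

def duplicate_budget(issuances, names, now):
    """issuances: (issued_at, names) pairs. Returns (remaining, next_allowed)."""
    key = name_set(names)
    recent = sorted(t for t, n in issuances
                    if name_set(n) == key and timedelta(0) <= now - t < WINDOW)
    remaining = max(0, DUPLICATE_LIMIT - len(recent))
    if remaining:
        return remaining, now
    # A slot frees when the fifth-newest issuance leaves the 168-hour window.
    return 0, recent[-DUPLICATE_LIMIT] + WINDOW

def plan(not_after, renew_days, issuances, names, now):
    """Decide what a renewal job should do at 'now'."""
    if not renewal_due(not_after, renew_days, now):
        return "wait", not_after - timedelta(days=renew_days)
    remaining, next_allowed = duplicate_budget(issuances, names, now)
    return ("renew", now) if remaining else ("rate-limited", next_allowed)

# Constructed sample data (not taken from the thread's screenshots).
UTC = timezone.utc
NAMES = ["*.nas.example.test", "nas.example.test"]
ISSUED = [(datetime(2022, 3, d, 6, tzinfo=UTC), NAMES) for d in range(11, 16)]
ISSUED.append((datetime(2022, 3, 14, 6, tzinfo=UTC), ["nas.example.test"]))

if __name__ == "__main__":
    now = datetime(2022, 3, 16, 6, tzinfo=UTC)
    not_after = datetime(2022, 6, 13, 6, tzinfo=UTC)
    print(duplicate_budget(ISSUED, NAMES, now))
    print(plan(not_after, 10, ISSUED, NAMES, now))
```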
 

inittab

Cadet
Joined
Jun 17, 2021
Messages
2
Did you ever get anywhere with this? I have a single certificate under credentials->certificates and it appears I get this renew warning in my failed tasks once a day and unless I'm blind I'm not seeing where this renewal process is set up or where I can alter how often it tries to renew.
 

arwasser

Cadet
Joined
Feb 23, 2023
Messages
2
I will hop on this thread since I experience the same problem.

Has anybody found a solution for that?
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
> I will hop on this thread since I experience the same problem.
>
> Has anybody found a solution for that?

As a matter of fact: We did.
For our new releases soon(tm), we'll introduce an alternative certificate solution instead.
 
