Resolved Letsencrypt: Invalid response: Type: urn:acme:error:rateLimited

[Mike99]

We are using Plesk web pro edition, Version 17.8.11 Update #24, I am getting e-mails from Letsencrypt.

'subdomain.example.com'
Invalid response from https://acme-v01.api.letsencrypt.org/acme/new-cert.
Details:
Type: urn:acme:error:rateLimited
Status: 429
Detail: Error creating new cert :: too many certificates already issued for exact set of domains:subdomain.example.com: see Rate Limits - Let's Encrypt - Free SSL/TLS Certificates

I have read:

Unable to install a Let's Encrypt certificate: Too many certificates already issued for exact set of domains

This is not the problem, because I did not create any certificates for this domain this week.

I have read:
Let's Encrypt notification email - Could not secure domains: urn:acme:error:rateLimited

The resolution is to recreate certificate manually without www and webmail, but it does not work because I am rate limited, I have to wait a week.

I did not recently generate any new certs for this domain, it has 4 subdomains and 1 domain cert with www and naked domain. I have spent two days searching Letsencrypt forums, but from what I found, it looks like I or Plesk did something wrong.

How can I solve this issue? I think this should not be normal behavior, how can I prevent this from happening ever again?

 

[Bitpalast]

I think that the symptom could maybe indicate that several renewal attemps on at least one of the subdomains have failed, so that the total number of attemps were exceeded (while the attempts remained unsuccessful). The "Too many..." message normally is only sent if you are trying to create a new certificate for a subdomain for that within a week 20 (or 50?, don't remember) certificate requests have been submitted. Plesk does not automatically do that.

 

[Mike99]

I think that the symptom could maybe indicate that several renewal attemps on at least one of the subdomains have failed, so that the total number of attemps were exceeded (while the attempts remained unsuccessful). The "Too many..." message normally is only sent if you are trying to create a new certificate for a subdomain for that within a week 20 (or 50?, don't remember) certificate requests have been submitted. Plesk does not automatically do that.

Hello Peter,

it worked like charm for months, I did not interfere. Only thing I can think of might have triggered this issue is that I migrated one of the subdomains, specifically staging subdomain to another server. I used Plesk Migration Tool, so it should have been without problems, but I think the Plesk installation on the new server may be using the same certificate or attempts to renew are now double? Both servers run Plesk most recent version 17.8.11 on Ubuntu. I am not sure how to debug this, any tips are very welcome.

 

[Mike99]

As I try to investigate this issue, I found that Plesk must have some problem or bug, on crt.sh | Certificate Search when I query the affected domain, I see that 10 issued certificates for a single subdomain in one day, just today, why would Plesk issue so many certificates for the same domain in one day?

When I run # plesk bin certificate -l -domain subdomain.example.com on affected domain, I get:

CSR Priv Cert CA Name Used
Y Y Y Y Lets Encrypt subdomain.example.com 1

It looks like Plesk is installing the issued certificate, but forgets about it and is generating a new certificate instead, I am now rate-limited, but strange is that both affected domains have actually the new certificate valid until January 16 and they even did not need to be renewed, every day at 16:00 I get error e-mail with Could not secure domains: urn:acme:error:rateLimited and I am not doing anything.

How can I fix this?

 

[Mike99]

Hello for everyone with similar issues, I uninstalled LetsEncrypt extension from Plesk and installed it again, the problem disappeared, this means that during some upgrades of Plesk, because I am running always the latest version, some scripts were probably not updated. Problem solved.