ha11oga11o's picture


I need a bit of help. I've been trying to set up a Let's Encrypt cert since the last 4 versions of TKL, but something always fails, so I never got it done. I'm trying again, and I'm stuck. Here's the log from the console, so maybe someone can explain to me what it means, whether I can fix it, etc. Port 80 is forwarded.

Thank you in advance.

Nextcloud v18
OS: Debian GNU/Linux 12 (bookworm) x86_64
Kernel: 6.1.0-18-amd64
Shell: bash 5.2.15

[2024-02-20 09:06:09] dehydrated-wrapper: INFO: started
[2024-02-20 09:06:09] dehydrated-wrapper: WARNING: /etc/cron.daily/confconsole-dehydrated not found; copying default from /usr/share/confconsole/letsencrypt/dehydrated-confconsole.cron
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account URL...
+ Done!
[2024-02-20 09:06:19] dehydrated-wrapper: INFO: found apache2 listening on port 80
[2024-02-20 09:06:19] dehydrated-wrapper: INFO: stopping apache2
[2024-02-20 09:06:20] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
 + Creating chain cache directory /var/lib/dehydrated/chains
Processing domain1.strangled.net with alternative names: dimain2.duia.eu
 + Creating new directory /var/lib/dehydrated/certs/domain1.strangled.net ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 429)

HTTP/2 429
server: nginx
date: Tue, 20 Feb 2024 09:06:26 GMT
content-type: application/problem+json
content-length: 254
boulder-requester: 1579367947
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
link: <https://letsencrypt.org/docs/rate-limits>;rel="help"
replay-nonce: 91XKQUlTM4bg4T5k5mRXvbAv7oSStdp0UjgY2CIcBR4xh9Nyjd4
retry-after: 42814

  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many certificates already issued for \"strangled.net\". Retry after 2024-02-20T21:00:00Z: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429

[2024-02-20 09:06:26] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2024-02-20 09:06:26] dehydrated-wrapper: INFO: attempting to kill add-water server
[2024-02-20 09:06:26] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2024-02-20 09:06:26] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-02-20 09:06:26] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-02-20 09:06:31] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
Jeremy Davis's picture

Have you configured your DNS so that the domains point to your server? When I check, I'm getting a 404 error (server not found) for both domains.

A good way to double check that your domains are configured correctly (before trying to get a certificate) is via Google's online dig tool. Put your domain in the box and click 'A' or 'CNAME' - depending on which DNS record type you have configured with your DNS provider. If it doesn't return the public IP of your server, then you need to check with your DNS provider.

Regardless, that isn't actually the problem you hit. The important part of the error message you posted says (edited slightly for readability):

Error creating new order :: too many certificates already issued for "strangled.net".
Retry after 2024-02-20T21:00:00Z: see https://letsencrypt.org/docs/rate-limits/

I suggest you have a careful read of https://letsencrypt.org/docs/rate-limits/ as the message says. Hopefully that will assist you to understand what you are doing wrong.

Good luck!
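The 429 response in the log above already says when the next attempt can succeed. As an added example (not part of the original posts and not dehydrated or confconsole code), this sketch parses the headers and problem document and checks that `date` plus `retry-after` gives the same moment as the "Retry after" time in the detail text. The function names are hypothetical, and the sample is built from the pasted log with the JSON braces that the paste lost put back.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: lines from the pasted log, JSON braces restored.
SAMPLE = '''\
HTTP/2 429
date: Tue, 20 Feb 2024 09:06:26 GMT
content-type: application/problem+json
retry-after: 42814

{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many certificates already issued for \\"strangled.net\\". Retry after 2024-02-20T21:00:00Z: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}
'''

def parse_acme_error(text):
    """Split a logged response into (status, lower-cased headers, problem JSON)."""
    head, _, body = text.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, json.loads(body)

def retry_time(headers):
    """Earliest retry time; Retry-After is either seconds or an HTTP date."""
    value = headers.get("retry-after")
    if value is None:
        return None
    if value.isdigit():
        # Seconds count from the server's Date header, not the local clock.
        base = (parsedate_to_datetime(headers["date"]) if "date" in headers
                else datetime.now(timezone.utc))
        return base + timedelta(seconds=int(value))
    return parsedate_to_datetime(value)

def summarize(text):
    status, headers, problem = parse_acme_error(text)
    match = re.search(r'issued for "([^"]+)"', problem.get("detail", ""))
    when = retry_time(headers)
    return {
        "rate_limited": status == 429
        and problem.get("type", "").endswith(":rateLimited"),
        "limited_domain": match.group(1) if match else None,
        "retry_at": when.isoformat() if when else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running the wrapper again before `retry_at` only produces the same 429; note that the limited name in the error is the registered domain `strangled.net`, not the full hostname in the request.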

ha11oga11o's picture



Thank you for the reply. Both DNS entries work fine; I edited them to domain1 and 2 for the purpose of this post. I read the documentation at the link you provided and I understand why I can't use this. It will wait for better days for now.


Many thanks. I wish you all the best :)

Jeremy Davis's picture

You're welcome for the assistance.

i edited then to domain1 and 2 on purpose of this post.

Ah ok. Redacting information you believe to be sensitive is reasonable, although in future please explicitly note when you do that. That was not apparent to me. Not having all the relevant information makes it much harder for me to provide relevant advice and feedback and often leads to me wasting time on irrelevant research and investigation of potential issues.

Regarding not posting your domain, FWIW that isn't really a significant issue (although feel free to continue to do that if you want). I note that all publicly available IP addresses (i.e. the whole internet) can be scanned in literally minutes! And it's likely that happens multiple times every day. Determining the domains linked to IPs does take a bit more work, but it is all publicly available information. So I would argue that in issues such as this, where the domain name(s) being used is potentially immediately relevant, the benefits of providing accurate information regarding a public website outweigh any potential downsides. But you do you.

Regardless, good luck with it! I hope you can get your cert sorted. :)
