Issue: Renewal and Letsencrypt Ratelimit

[Powie]

If I have more than 5 certificates for a domain registered (subdomains....) , the monthly renewal will renew only the first 5 certificates of this domain, in case of the LetsEncrypt Rate Limit. Sbdomains 6 - 7 - .... will not be renewed.

https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769

[chreds]

https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769/2

Rate limits have been increased now to 20. If more domains than that perhaps this plugin could stagger the renews across multiple weeks? Having said that-- I don't need that, 20 is more than enough for me.

[mcdado]

From the community forum, word is that this plugin is requesting new certs instead of renewing current certs. In fact sometimes my automatic renewals failed with the following error (NB Error creating new cert):

"type":"urn:acme:error:rateLimited","detail":"Error creating new cert :: Too many certificates already issued for: ovh.net","status":429} error.

See: https://community.letsencrypt.org/t/rate-limited-domain/15173/6

By changing that behavior, the issue of rate limits on automatic renewals would go away.

[DarkSteve]

@chreds Rate limits only apply to new certificates, not renewals - that's part of the plugin's problem!

"Added an exception to this limit for renewing certificates (issuing a new certificate with same names as a previous one)."

[xgin]

The extension now performs a daily check for certificates which are about to expire and renews them not earlier than 30 days before their expiration.
Let me know if have more suggestions how to improve it.

[DanielRuf]

@xgin quick question. In the 2.x plugin it was fixed as it seems.

I had a setup with a 1.9.x version and it seems it checked a domain every day and file cert requests in the same interval (according to crt.sh).

And this may ne the cause where we got

Invalid response from https://acme-v01.api.letsencrypt.org/acme/new-cert: Error creating new cert :: too many certificates already issued for exact set of domains: example.com,www.example.com.
Type: urn:acme:error:rateLimited.

But the certificate files were not updated or created so we ended with an expired cert which locked users out as we use HSTS. Is this fixed or a separate issue? Do you have any ideas where these unused certs could be (they are not in live or archive)?

[oliver-graetz]

I am experiencing rate limit problems in connection with issue #194. The server is trying to renew the certificate every hour (as I can see on crt.sh, where it lists hourly renewals followed by pauses that are obviously caused by the rate limit. Is there any way I can stop these renewal attempts just for that domain?

[DanielRuf]

@oliver-graetz which version of the Plesk LetsEncrypt plugin is installed?

[oliver-graetz]

I mentioned that in my comment on issue #194: v2.5.3-354

[oliver-graetz]

The problem persists. For one of our domains, there is a renewal attempt for the certificate every hour and I cannot find a way to stop it. How does the extension check if a certificate is due for renewal? Or can I flush some list of tasks? The whole task of debugging this is quite futile without the extension source code.