Recovery from - Too many certificates already issued for exact set of domains #97

Closed
phelgren opened this issue Mar 23, 2021 · 5 comments


@phelgren

Due to an issue in my implementation, I was successful in ordering a certificate but failed to write the certificate file. In trying to fix the issue I ended up with the error above. I thought I'd be able to catch the AcmeRateLimitedException error and then use the getOrders() method on my account to get the order and retrieve the certificate. Unfortunately I discovered that Let's Encrypt doesn't support the getOrders method.

Is there a way to retrieve the certificate? I read through what I thought would be a couple of valid approaches but haven't landed one that works. Suggestions?

@shred
Owner

shred commented Mar 23, 2021

If you happen to have the location URL of your order or certificate (via Order.getLocation() or Certificate.getLocation()), you can restore your certificate via Login.bindOrder() or Login.bindCertificate().

But you can also cheat Let's Encrypt by temporarily adding a dummy subdomain to your set of domains, and then get a new certificate. 😉

I think it's surprising, and also sad, that getOrders() is not implemented by Let's Encrypt. Especially because it is mandatory in RFC 8555.

@phelgren
Author

That location would have needed to be saved prior to receiving the AcmeRateLimitedException, correct? At this point, without being able to retrieve the order or the certificate object, there isn't a way to recover?

So, if I was trying to get a certificate on www.mydomain.org and now cannot because of the Rate Limit error, how would generating a certificate on a subdomain of test.mydomain.org help me? Or are you suggesting creating an order for www AND test and that would be treated as a new order by Let's Encrypt?

@shred
Owner

shred commented Mar 23, 2021

Yes, it would have needed to be saved before, along with the successful order or certificate.

And again yes... If you had a certificate for example.org and www.example.org, you could now add test.example.org (so you get a cert for example.org, www.example.org, and test.example.org) to that cert. This would be a new set of domains, and Let's Encrypt would sign that cert for you. Later, after the rate limit is lifted, you can create another cert with the old set of domains, and then delete test.example.org again. It's a bit dirty because of the dummy domain, but it's the fastest way to circumvent the rate limit.
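Added example, not from the thread participants or the acme4j project: persisting the order's location URL as soon as the order exists, then later re-binding to it with `Login.bindOrder()` to fetch the already issued certificate without placing a new order. The class name `OrderRecovery` and the file `order-location.txt` are hypothetical, and the account URL and account key pair are assumed to be available to the caller.

```java
import java.io.IOException;
import java.io.Writer;
import java.net.URI;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyPair;

import org.shredzone.acme4j.Certificate;
import org.shredzone.acme4j.Login;
import org.shredzone.acme4j.Order;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.Status;
import org.shredzone.acme4j.exception.AcmeException;

public class OrderRecovery {
    // Hypothetical location for the saved order URL; any durable store works.
    private static final Path ORDER_URL_FILE = Path.of("order-location.txt");

    /** Call right after the order is created, before authorization or download. */
    static void rememberOrder(Order order) throws IOException {
        Files.writeString(ORDER_URL_FILE, order.getLocation().toString());
    }

    /** Re-attach to the saved order and write the certificate chain it already holds. */
    static void recoverCertificate(URL accountUrl, KeyPair accountKey, Path certFile)
            throws IOException, AcmeException {
        Session session = new Session("acme://letsencrypt.org");
        Login login = session.login(accountUrl, accountKey);

        URL orderUrl = URI.create(Files.readString(ORDER_URL_FILE).trim()).toURL();
        Order order = login.bindOrder(orderUrl);

        // Only a VALID order has a certificate; anything else means issuance never finished.
        if (order.getStatus() != Status.VALID) {
            throw new IllegalStateException(
                    "Order is " + order.getStatus() + ", no certificate to fetch");
        }

        Certificate cert = order.getCertificate();
        cert.download(); // fetches the existing chain from the CA, no new issuance
        try (Writer out = Files.newBufferedWriter(certFile)) {
            cert.writeCertificate(out);
        }
    }
}
```

Writing the URL before any later step means a failure while saving the certificate file can be retried against the same order instead of counting toward the rate limit for that set of domains.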

@phelgren
Author

Thanks! This will be a new test case for me. I have only been testing single domains so far and they now work. Creating a cert for two domains will test the logic on this implementation (Java servlet). Really appreciate the pointers.

@shred
Owner

shred commented Mar 23, 2021

Well, two domains is a common use case IMO, like the domain itself and the www subdomain.

I will close this bug. If you need further help, feel free to reopen it.

@shred shred closed this as completed Mar 23, 2021