Default renewal settings lead to "too many certificates already issued" #22

New Issue

Closed

opened 2020-05-12 19:57:32 +00:00 by Ghost · 6 comments

Ghost commented 2020-05-12 19:57:32 +00:00

Copy Link

I'm running into an issue with the 90 min renewal which results in recurring errors:

Error cert_renewal:
[acme-v2.js] authorizations were not fetched for 'my.domain.com':
{"type":"urn:ietf:params:acme:error:rateLimited","detail":
"Error creating new order :: too many certificates already issued for exact set of domains:\
my.domain.com: see https://letsencrypt.org/docs/rate-limits/","status":429,"_identifiers":
[{"type":"dns","value":"my.domain.com"}]}

When I used npx greenlock add --subject my.domain.com --altnames my.domain.com, the following was auto-populated in my greenlock.d/config.json:

"sites": [
  {
    "subject": "my.domain.com",
    "altnames": [
      "my.domain.comm"
    ],
    "renewAt": 1
  }
]

After some debudding, I noticed this check for renewAt in @root/greenlock/certificates.js:312:

C._renewableAt = function(gnlck, mconf, args, pems) {
    if (args.renewAt) {
        return args.renewAt;
    }

The problem is that renewAt is always 1. Even if I remove "renewAt": 1 line from config.json, greenlock still defaults to 1 and the manager overwrites the file to update it back to 1. As a result, this line @root/greenlock/certificates.js:61:

if (!C._isStale(gnlck, mconf, args, pems)) {

seems to always evaluate to false because of this comparison in C._isStale in @root/greenlock/certificates.js:263:

if (Date.now() >= renewAt) {
    return true;
}

So C._isStale always returns true, even if the cert is brand new! (On a side note, doesn't this render _renewOffset checks useless since the code is never reached?)

Is there any way to bypass this renewAt fuss? I'd much rather let C._renewableAt continue the flow and do the proper check against pems.expiresAt + renewOffset.

Thanks!

I'm running into an issue with the 90 min renewal which results in recurring errors: ```sh Error cert_renewal: [acme-v2.js] authorizations were not fetched for 'my.domain.com': {"type":"urn:ietf:params:acme:error:rateLimited","detail": "Error creating new order :: too many certificates already issued for exact set of domains:\ my.domain.com: see https://letsencrypt.org/docs/rate-limits/","status":429,"_identifiers": [{"type":"dns","value":"my.domain.com"}]} ``` When I used `npx greenlock add --subject my.domain.com --altnames my.domain.com`, the following was auto-populated in my `greenlock.d/config.json`: ```json "sites": [ { "subject": "my.domain.com", "altnames": [ "my.domain.comm" ], "renewAt": 1 } ] ``` After some debudding, I noticed this check for `renewAt` in `@root/greenlock/certificates.js:312`: ```js C._renewableAt = function(gnlck, mconf, args, pems) { if (args.renewAt) { return args.renewAt; } ``` The problem is that `renewAt` is **always** `1`. Even if I remove `"renewAt": 1` line from `config.json`, greenlock still defaults to `1` and the manager overwrites the file to update it back to `1`. As a result, this line `@root/greenlock/certificates.js:61`: ```js if (!C._isStale(gnlck, mconf, args, pems)) { ``` seems to always evaluate to `false` because of this comparison in `C._isStale` in `@root/greenlock/certificates.js:263`: ```js if (Date.now() >= renewAt) { return true; } ``` So `C._isStale` **always** returns `true`, even if the cert is brand new! (On a side note, doesn't this render `_renewOffset` checks useless since the code is never reached?) Is there any way to bypass this `renewAt` fuss? I'd much rather let `C._renewableAt` continue the flow and do the proper check against `pems.expiresAt + renewOffset`. Thanks!

coolaj86 commented 2020-05-12 21:28:10 +00:00

Owner

Copy Link

Do you happen to have greenlock.d/config.json on a read-only volume?

Or did you perhaps start the process as the root user and then change to a different user (i.e. www-data or httpd)?

I would suggest that you run:

sudo chown -R $(whoami):$(whoami) greenlock.d/

or perhaps:

sudo chown -R www-data:www-data greenlock.d/

The config.json file is not intended to be edited by hand and its permissions are kept secure, so if you accidentally run an npx command as root, it will lock the permissions to root.

Do you happen to have `greenlock.d/config.json` on a read-only volume? Or did you perhaps start the process as the `root` user and then change to a different user (i.e. `www-data` or `httpd`)? I would suggest that you run: ```bash sudo chown -R $(whoami):$(whoami) greenlock.d/ ``` or perhaps: ```bash sudo chown -R www-data:www-data greenlock.d/ ``` The `config.json` file is not intended to be edited by hand and its permissions are kept secure, so if you accidentally run an `npx` command as `root`, it will lock the permissions to `root`.

Ghost commented 2020-05-13 03:39:50 +00:00

Author

Copy Link

Thanks for your quick reply. I'm running the app in Docker with greenlock-store-fs, and only the certs directory is mapped as a volume to the host. I suppose greenlock.d directory should also be a volume as well? Does Greenlock update renewAt in config.json after it orders a new cert?

Thanks for your quick reply. I'm running the app in Docker with `greenlock-store-fs`, and only the certs directory is mapped as a volume to the host. I suppose `greenlock.d` directory should also be a volume as well? Does Greenlock update `renewAt` in `config.json` after it orders a new cert?

coolaj86 commented 2020-05-13 03:52:07 +00:00

Owner

Copy Link

You're welcome. You just happened to catch me at a good time... twice.

Yep. Yep. Needs to be a writeable, persistent volume.

For most people I recommend using something simple and easy like Digital Ocean, Scaleway, or Vultr rather than complex tools like Docker that really require expert-level knowledge to use correctly - especially for small projects that don't need enterprise-level configuration, etc.

You're welcome. You just happened to catch me at a good time... twice. Yep. Yep. Needs to be a writeable, persistent volume. For most people I recommend using something simple and easy like Digital Ocean, Scaleway, or Vultr rather than complex tools like Docker that really require expert-level knowledge to use correctly - especially for small projects that don't need enterprise-level configuration, etc.

Ghost commented 2020-05-13 03:57:48 +00:00

Author

Copy Link

Got it, adding greenlock.d as a volume then; will test again after they "unban" the domain. I guess this was an oversight on my part; that said, would be great to mention this in the readme (i.e. must have a volume for both the certs and the config if using Docker). Thanks so much for your help!

Got it, adding `greenlock.d` as a volume then; will test again after they "unban" the domain. I guess this was an oversight on my part; that said, would be great to mention this in the readme (i.e. must have a volume for both the certs and the config if using Docker). Thanks so much for your help!

👍 1

Ghost closed this issue 2020-05-13 03:58:03 +00:00

coolaj86 commented 2020-05-13 04:03:10 +00:00

Owner

Copy Link

I'm re-opening this just as a test to see if notifications come through with the new SMTP settings (which was why I was on just now).

I'm re-opening this just as a test to see if notifications come through with the new SMTP settings (which was why I was on just now).

coolaj86 reopened this issue 2020-05-13 04:03:10 +00:00

coolaj86 commented 2020-05-13 04:03:36 +00:00

Owner

Copy Link

closing again, hoping to see an email come through to myself with notification

closing again, hoping to see an email come through to myself with notification

coolaj86 closed this issue 2020-05-13 04:03:36 +00:00

Ghost referenced this issue 2020-10-15 07:14:49 +00:00

Repeated 'Too many certificates already issued for exact set of domains' error #33

Ghost referenced this issue 2020-10-15 07:18:23 +00:00

Repeated 'Too many certificates already issued for exact set of domains' error #34

Ghost referenced this issue from root/greenlock-express.js 2020-10-15 08:18:47 +00:00

Repeated 'Too many certificates already issued for exact set of domains' error #67

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

fix-v2-bump-deps

v2

github

next

v4

npm

v3

wip

dns-challenge-regression-fix

v2.4

v2.5

v2.3

v2.2

acmev2

v2.1

greenlock

v1

node-letsencrypt-python

v2.8.9

v4.0.5

v4.0.4

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.1.5

v3.1.4

v3.1.3

v3.0.25

v3.0.24

v3.0.23

v3.0.21

v3.0.20

v3.0.19

v3.0.18

v3.0.17

v3.0.16

v3.0.15

v3.0.12

v3.0.11

v3.0.10

v3.0.9

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.23

v2.7.22

v2.7.21

v2.7.20

v2.7.19

v2.7.18

v2.7.17

v2.7.16

v2.7.15

v2.7.14

v2.7.13

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.10

v2.6.9

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.10

v2.4.9

v2.4.8

v2.4.7

v2.4.2

v2.4.1

v2.4.0

v2.3.13

v2.3.12

v2.3.11

v2.3.10

v2.3.9

v2.3.8

v2.3.7

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.20

v2.2.19

v2.2.17

v2.2.18

v2.2.16

v2.2.15

v2.2.14

v2.2.13

v2.2.12

v2.2.11

v2.2.10

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.0

v2.1.19

v2.1.18

v2.1.17

v2.1.16

v2.1.15

v2.1.14

v2.1.13

v2.1.12

v2.1.11

v2.1.10

v2.1.9

v2.1.7

v2.1.6

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v1.5.8

v2.0.5

v2.0.4

v1.5.7

v1.5.6

v1.5.5

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.0

v1.2.0

v1.1.0

v1.0.2

v1.0.0

v1.0.1

Labels

No items

No Label

Milestone

No items

No Milestone

Assignees

Clear assignees

coolaj86

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: root/greenlock.js#22

No description provided.