4

I use nginx-proxy from jwilder and observe that the same letsencrypt certificates are repeatedly recreated. I am in the processed of debugging the servers and my guess is that if I start only a subset of the servers, the certificate for the ones not started are lost. When these are started later, the certificates are recreated with requests to letsencrypt. eventually I hit the rate limit. -- Another explanation could be that the cause may be that I removed and re-started the relevant container which keeps the certificates?

ACME server returned an error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: caldav.gerastree.at: see https://letsencrypt.org/docs/rate-limits/.

The limit is 5 per week.

What can be done to "reuse" certificates and not have new ones requested? When are certificates removed?

The docker-compse.yml file is from traskit, which is a multi-architecture version of jwilder:

version: '2'
services:
    frontproxy:
        image: traskit/nginx-proxy
        container_name: frontproxy
        labels:
            - "com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen"
        restart: always
        environment:
            DEFAULT_HOST: default.vhost
            HSTS: "off"
        ports:
            - "80:80"
            - "443:443"
        volumes:
#            - /home/frank/Data/htpasswd:/etc/nginx/htpasswd
            - /var/run/docker.sock:/tmp/docker.sock:ro
            - "certs-volume:/etc/nginx/certs:ro"
            - "/etc/nginx/vhost.d"
            - "/usr/share/nginx/html"
    nginx-letsencrypt-companion:
        restart: always
        image: jrcs/letsencrypt-nginx-proxy-companion
        volumes:
            - "certs-volume:/etc/nginx/certs"
            - "/var/run/docker.sock:/var/run/docker.sock:ro"
        volumes_from:
            - "frontproxy"
volumes:

certs-volume:

user855443
  • 2,596
  • 3
  • 25
  • 37
  • does this limit your server restarts to 5 a week? else users are hit with a ssl warning? also having this issue – PathToLife Jan 08 '21 at 15:21
  • 2
    https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion/issues/216 certs-volume seems to be recreated here, so certs are lost – PathToLife Jan 08 '21 at 15:26

2 Answers2

1

For anyone finding this in the future: LE say that there's no way to clear the status of your domain-set once you've hit the rate-limit until the 7 day "sliding window" has elapsed, regardless of how you spell or arrange the domains in the certbot command.

However, if like me, you have a spare domain kicking around that you haven't yet added to the cert, add that to another -d flag and re-run the command. This worked for me.

theruss
  • 1,690
  • 1
  • 12
  • 18
0

Have the same issue, issuing certs within docker container when container starts. Seems like there is no way to resolve it. You can use stage server - but certs will not be authorized by CA.

So, yea, if its an option for you - you could have certbot running on host, and pass certs inside container.

Cute pumpkin
  • 342
  • 3
  • 17