Solved Let's Encrypt / ACME Client Not Issuing Wildcard Certificate

Mr_Bob

Very strange behavior. Recently, during an attempt to auto-renew certificates via Directadmin's client, Let's Encrypt would not issue a wildcard (*.domain.com) certificate, and instead Directadmin requested separate certificates for a random set of subdomains. More frustratingly, Directadmin kept re-attempting to have the wildcard cert renewed, unsuccessfully, which then locked me out from being able to request the wildcard domain for a week. For whatever reason, the UI won't let me just request the primary domain and wildcard separately without erasing the previous certs as a way to get around the issue... but that's a different story.

As a temporary workaround I've requested and retrieved certificates for every applicable primary and subdomain, but there's clearly something broken in the background. Domains are all locally hosted. I'd get the following error after Directadmin kept re-attempting to have the primary and wildcard domain issued:

Code:
Found wildcard domain name and http challenge type, switching to dns-01 validation.
2022/10/15 13:01:10 [INFO] [domain.net, *.domain.net] acme: Obtaining SAN certificate
2022/10/15 13:01:10 Could not obtain certificates:
    acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited ::
Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last
168 hours: *.domain.net,domain.net, retry after 2022-10-17T01:19:12Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
Certificate generation failed.

What I've done thus far:
  • Removed and re-initiated SSL requests.
  • Shut down SSL for the domains in question / re-enabled it via terminal in the domain's config file. Attempted to re-create (no go).
Directadmin also keeps attempting to auto-renew in spite of my constantly deleting the request in the UI and via SSH.

Has this happened to anyone before? Any ideas?
Add your server IP to Brute Force Monitor's skip list, then try again. After your request is sent, restart the "named" service; it may help.
(It's a Brute Force Monitor bug: sometimes it blocks your server's cert renewal.)
 
@Dettol that worked for all but one of my domains! I'll have to check on the last domain in about a week; the ACME client kept running for re-certs and that domain hit its Let's Encrypt limit for the week.

If anyone in the future has a rogue cert-retry running in the background, be sure to kill the automatic re-cert for a bit. Otherwise, you'll be stuck until your domain's limits reset. This help article was really useful for troubleshooting the constant retries: https://docs.directadmin.com/webservices/ssl/automatic-ssl-certificates.html
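As an added example (not Directadmin's or the ACME client's own code), here is a small Python guard that parses the rate-limit error quoted in the first post and refuses to fire another renewal for that exact set of names until the stated retry-after time, which is exactly the back-off a rogue retry loop lacks. The sample log is constructed from the quoted output and the function names are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the ACME client output quoted in the thread; not a real log.
SAMPLE_LOG = """\
Found wildcard domain name and http challenge type, switching to dns-01 validation.
2022/10/15 13:01:10 [INFO] [domain.net, *.domain.net] acme: Obtaining SAN certificate
2022/10/15 13:01:10 Could not obtain certificates:
    acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited ::
Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last
168 hours: *.domain.net,domain.net, retry after 2022-10-17T01:19:12Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
Certificate generation failed.
"""

# Matches the duplicate-certificate limit message: the exact SAN set and the retry-after timestamp.
RATE_LIMIT_RE = re.compile(
    r"urn:ietf:params:acme:error:rateLimited.*?"
    r"for this exact set of domains.*?:\s*"
    r"(?P<domains>[^,\s]+(?:,[^,\s]+)*),\s*"
    r"retry after (?P<retry>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)",
    re.DOTALL,
)


def utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form Let's Encrypt uses into a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_rate_limit(log_text):
    """Return (frozenset of limited names, retry-after datetime in UTC), or None if no 429 is present."""
    m = RATE_LIMIT_RE.search(log_text)
    if m is None:
        return None
    domains = frozenset(d.strip() for d in m.group("domains").split(","))
    return domains, utc(m.group("retry"))


def should_attempt_renewal(requested_domains, last_log, now):
    """Gate a renewal: False while the same exact name set is still inside the logged retry window."""
    parsed = parse_rate_limit(last_log)
    if parsed is None:
        return True
    limited, retry_after = parsed
    if frozenset(requested_domains) != limited:
        return True  # the limit is per exact set of names; a different set is not blocked by this error
    return now >= retry_after


if __name__ == "__main__":
    names = ["domain.net", "*.domain.net"]
    for when in ("2022-10-16T12:00:00Z", "2022-10-17T02:00:00Z"):
        print(when, "renew?", should_attempt_renewal(names, SAMPLE_LOG, utc(when)))
```

A cron wrapper that runs this check against the last client log before invoking the renewal would have stopped hammering the new-order endpoint after the first 429 instead of burning the whole week.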
 