Let's Encrypt renew doesn't properly detect renew period

The Let's Encrypt renew process is currently trying to request a new cert every 5 minutes. It displays the error "Too many certificates already issued for exact set of domains".

The main issue is that the cert was successfully renewed, but the renew script isn't detecting it. When the cert is inspected in a browser it shows the proper expire date 3 months from now. The "current certificate" tab shows the proper expire date 3 months from now. The "lets encrypt" tab shows the "Time since last renewal" as 2.06 months, which isn't true, as it was successfully installed.

I've solved the immediate issue by changing the renew period to 3 months in order to stop the emails; however, I'd like to know how to manually reset the Let's Encrypt renew timer so that I can set it back to 2 months.

It may be better to inspect the actual issue date of the cert, instead of whatever timer it's currently using. As a side thought, it may be even better to have a "time until expire" instead of the "time since last renewal". Personally, I don't really care how long ago the cert was renewed, but I do care how long until it expires. As of now, one can be inferred from the other, but who knows if Let's Encrypt changes the issue period in the future.

Status: Active

Comments

It sounds like the cert renewal is succeeding, but Virtualmin thinks it has failed.

Which version of Virtualmin are you running there? The 5.06 release had a bug that could cause this, but we fixed it in 5.07.

It's version 5.07 and I've confirmed it was running that version when this issue first started. It's only occurred on one domain on this one server (so far).

If you try to renew in the UI, does it succeed or show some error message?

It still displays the error "Too many certificates already issued for exact set of domains". Presumably, this is some timed limit they enforce and will expire at some point, I just don't know when.

It's also worth mentioning that we're not requesting certs for these domains outside of Virtualmin, so this limit was likely due to Virtualmin trying over and over again to get the certs.

You may want to just wait a few hours and try again, after whatever rate limit Let's Encrypt has applied times out.

I found the rate limit on the Let's Encrypt website. I'd expect the rate limit to expire in a week, so I'll try again then. "We also have a Duplicate Certificate limit of 5 certificates per week"

Please consider my request to have the letsencrypt auto-request timer be based on the actual cert.

That's a good idea - I never considered the case where the cert renewal actually succeeded, but Virtualmin thought it failed. I will use the actual issue date in the next release.

The rate limit reset and I was able to request a new cert. Everything seems to be working fine. Thanks for the help.
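
The approach requested in this thread, deciding renewal from the installed certificate's own dates rather than from a stored "last renewal" timer, shown as an added example that is not Virtualmin's code. The function names, the 60-day and 30-day thresholds and the sample `openssl x509 -noout -dates` output are assumptions constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: what `openssl x509 -noout -dates -in cert.pem` prints
# for a 90-day certificate (dates are made up for this example).
SAMPLE_DATES = "notBefore=Mar  1 10:15:00 2017 GMT\nnotAfter=May 30 10:15:00 2017 GMT\n"

def parse_openssl_dates(text):
    """Return (not_before, not_after) as UTC datetimes from openssl -dates output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with a space; collapse it first.
            stamp = " ".join(value.split())
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore and notAfter lines")
    return found["notBefore"], found["notAfter"]

def timer_due(last_recorded_renewal, now, renew_after=timedelta(days=60)):
    """Stored-timer check: wrong whenever a successful renewal was not recorded."""
    return now - last_recorded_renewal >= renew_after

def cert_due(dates_text, now, renew_after=timedelta(days=60),
             min_remaining=timedelta(days=30)):
    """Decide from the installed certificate itself; returns (due, reason)."""
    not_before, not_after = parse_openssl_dates(dates_text)
    remaining = not_after - now
    if remaining <= timedelta(0):
        return True, "expired"
    if remaining <= min_remaining:
        # "Time until expire": independent of the CA's validity period.
        return True, "expires soon"
    if now - not_before >= renew_after:
        return True, "issued too long ago"
    return False, "recently issued"

if __name__ == "__main__":
    now = datetime(2017, 3, 4, 10, 15, tzinfo=timezone.utc)
    stale = now - timedelta(days=62)   # timer never updated after the renewal
    print("stored timer says renew:", timer_due(stale, now))
    print("certificate says renew: ", cert_due(SAMPLE_DATES, now))
```

With the stale timer the scheduler keeps requesting certificates until the duplicate-certificate limit is hit, while the certificate-based check stops as soon as the new certificate is installed.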