I am getting Too many certificates (5) already issued for this exact set of domains in the last 168 hours #230

Open
patolax opened this issue May 6, 2024 · 20 comments

Comments

@patolax
Contributor

patolax commented May 6, 2024

I am getting this error on Azure

"Fail to load resource from 'https://acme-v02.api.letsencrypt.org/acme/new-order'. urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours:"

Based on this discussion, the Certes package has to be updated:
https://community.letsencrypt.org/t/getting-error-when-trying-to-get-a-new-certificate/213226/26

Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'.

Any idea what we should do here?

@patolax
Contributor Author

patolax commented May 8, 2024

@ffMathy please let us know if this will be fixed anytime soon. My production env is down at the moment. We have to find some other solution if this is not going to be fixed. Thanks.

@ffMathy
Owner

ffMathy commented May 8, 2024

Hi! A PR is welcome where the NuGet package is updated.

@patolax
Contributor Author

patolax commented May 8, 2024

I tried, but both with and without the NuGet update, this test case is failing.

image

@ffMathy
Owner

ffMathy commented May 8, 2024

I'm sorry, I just don't have much time at the moment. Is it possible for you to switch to LettuceEncrypt?

If your servers are down, can you trigger the renewal process manually?

@patolax
Contributor Author

patolax commented May 8, 2024

I have updated the code here and fixed the unit tests. Not sure if I fixed the issue or did something suboptimal.

I don't have access to this repo, so the changes are in my repo:

https://github.com/patolax/EncryptWeMust

Only a few changes: 2 project files, and minor changes to
FluffySpoon.AspNet.EncryptWeMust-master\FluffySpoon.AspNet.EncryptWeMust\src\FluffySpoon.AspNet.EncryptWeMust\Certes\LetsEncryptClient.cs

@patolax
Contributor Author

patolax commented May 17, 2024

@ffMathy I can confirm that after my updates certificate renewal is now working. I had to compile my version of the lib and refer to that to test in the production environment.

It would be great if you could release a new version after these two line changes or allow me to create a PR. Thank you!

@ffMathy
Owner

ffMathy commented May 17, 2024

Make a PR, then I will get it merged immediately 😄

Everybody can create PRs for any repo on GitHub. Just go to your own fork, and click "create pull request".

@ffMathy
Owner

ffMathy commented May 17, 2024

Oh, you recloned the repo and republished it. Please use the official GitHub forking feature. Then a PR can be created more easily.

@patolax
Contributor Author

patolax commented May 17, 2024

Thanks. Here it is.

#231

BTW, there is another thing related to staging I think.

https://community.letsencrypt.org/t/can-not-find-issuer-c-us-o-staging-internet-security-research-group-cn-staging-doctored-durian-root-ca-x3-for-certificate-c-us-o-staging-internet-security-research-group-cn-staging-pretend-pear-x1/147613/10

But I don't know where I can find Issuers. This is what I was able to find in LettuceEncrypt.

 var pfxBuilder = _pfxBuilderFactory.FromChain(certificateChain, certKey);

 _logger.LogDebug(
     "Adding {IssuerCount} additional issuers to certes before building pfx certificate file",
     _options.Value.AdditionalIssuers.Length + _certificateAuthority.IssuerCertificates.Length);

 foreach (var issuer in _options.Value.AdditionalIssuers.Concat(_certificateAuthority.IssuerCertificates))
 {
     pfxBuilder.AddIssuer(Encoding.UTF8.GetBytes(issuer));
 }

@ffMathy
Owner

ffMathy commented May 17, 2024

I merged it, but then I spotted that you are now omitting a PreferredChain option, so I reverted it again. Can you elaborate on this?

@patolax
Contributor Author

patolax commented May 17, 2024

Test cases failed if you don't remove it.

Code from LettuceEncrypt:
return await order.Generate(csrInfo, privateKey);

Change from my PR:
await order.Generate(_options.CertificateSigningRequest, keyPair);

@ffMathy
Owner

ffMathy commented May 17, 2024

What happens if you set PreferredChain to "ISRG Root X2" instead of the default "ISRG Root X1"?

I don't think we should remove the PreferredChain call. Or at least we should remove the property from the LetsEncryptOptions object too.

@patolax
Contributor Author

patolax commented May 20, 2024

@ffMathy The following change still fails tests. It only passes if I remove the parameter as I have done in my PR.

public string PreferredChain { get; set; } = "ISRG Root X2";

@ffMathy
Owner

ffMathy commented May 21, 2024

Alright. If you remove the property from the setting object too, then I'll merge it. Thanks.

@patolax
Contributor Author

patolax commented May 21, 2024

Done

@patolax
Contributor Author

patolax commented May 21, 2024

#249

@patolax
Contributor Author

patolax commented May 22, 2024

@ffMathy Has the new package been released? I could not find it on NuGet.

@ffMathy
Owner

ffMathy commented Jun 18, 2024

I have finally fixed the issue causing this to not be released. It should be out soon.

@patolax
Contributor Author

patolax commented Jul 24, 2024

@ffMathy I do not see the new package now. My production server is still using 1.171.0 and failing. The certificate is about to expire in a week. Is it possible to release this anytime soon? Thanks a lot.
