Hit Let's Encrypt renewal limit

We tried to update a few times to the latest Discourse but failed and had to restore an older system image.

Now it seems we hit the rate limit of Let’s Encrypt renewal certificates… as we had issued 5 different certificates and lost them due to the system restore.

Is there an easy way to switch to another certificate than Let’s Encrypt? Without doing a system rebuild - as it fails with us. Will post a separate topic.

Please help, it is urgent as our certificate will expire in 2 days.

1 Like

Have a look at this guide if you want to move away from using Let’s Encrypt.

4 Likes

Can this be done without a rebuild of the Discourse app? Maybe just replacing the certificate and reloading Nginx?

1 Like

If you stick the certificate where the NGINX inside the container expects it to be (where the zero-length certs are now), you can conceivably just restart the container (or maybe sv restart nginx inside the container, but it might be sv nginx restart, I can never quite remember). The supported solution is to use Let’s Encrypt, so you’ll need to look at the docs linked above and/or the configuration of the container as it is to figure that out. (And I had a site that ran up against rate limits last week myself!)

3 Likes

Another way to get around the rate limit is to add another domain or sub-domain. Create a new certificate with your original domains and the new domain or sub-domain. :wink:

5 Likes

This was the final solution Jim! Having multiple domains allowed us to issue the new certificate again!
It also works nicely with Discourse as they act like aliases - which is very convenient as well!

@pfaffman reload worked all fine - we just had to issue both certificates for RSA key and ECC key and then install them with acme.sh first.

The whole initial problem was caused by non-working IPv6 support in Discourse that prevented the Let’s Encrypt certificates from renewing. We had an AAAA DNS record but Discourse didn’t reply on the IPv6 address and certificates failed to renew.

After removing the AAAA record it went all OK.

I do hope Discourse will improve their IPv6 support - there are many issues reported with Let’s Encrypt and IPv6 and the only solution is to remove the AAAA record @codinghorror

1 Like
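A way to check for the failure mode described in the post above (an AAAA record published while nothing answers on the IPv6 address), as an added example that is not part of the original thread or Discourse's own tooling. It assumes the validation traffic arrives on TCP port 80; `forum.example.com` is a placeholder hostname.

```python
import socket
import sys

RECORD = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}

def resolve(host, port=80):
    """Return the unique (record_type, ip) pairs the resolver gives for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({(RECORD[fam], sa[0]) for fam, _, _, _, sa in infos if fam in RECORD})

def probe(ip, port=80, timeout=3.0):
    """TCP-connect to one literal address; return (ok, detail)."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
        return True, "connected"
    except OSError as exc:  # refused, timed out, no route, no IPv6 stack
        return False, f"{exc.__class__.__name__}: {exc}"

def audit(addresses, port=80, timeout=3.0):
    """Probe every published address, one result dict per DNS record."""
    results = []
    for record, ip in addresses:
        ok, detail = probe(ip, port, timeout)
        results.append({"record": record, "ip": ip, "ok": ok, "detail": detail})
    return results

def dead_records(results):
    """Records that are in DNS but did not accept a connection."""
    return [(r["record"], r["ip"]) for r in results if not r["ok"]]

if __name__ == "__main__":
    # Placeholder hostname; pass the real forum hostname as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "forum.example.com"
    results = audit(resolve(host))
    for r in results:
        print(f"{r['record']:4} {r['ip']:40} {'OK' if r['ok'] else 'FAIL'}  {r['detail']}")
    dead = dead_records(results)
    if dead:
        print("Published but not answering:", dead)
        sys.exit(1)
```

Run it from a machine outside your own network that has working IPv6; a host without IPv6 connectivity reports every AAAA address as failed regardless of the server's state.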

It’d be great if you could create a new topic to debug this. Discourse fully supports IPv6. Meta works over IPv6, as do all our hosted sites. I’ve run multiple self-hosted sites with IPv6 working too. All have working SSL via Let’s Encrypt.

3 Likes
