Reputation: 2940
I use nginx-proxy from jwilder and observe that the same letsencrypt certificates are repeatedly recreated. I am in the process of debugging the servers and my guess is that if I start only a subset of the servers, the certificates for the ones not started are lost. When these are started later, the certificates are recreated with requests to letsencrypt. Eventually I hit the rate limit. -- Another explanation could be that the cause may be that I removed and re-started the relevant container which keeps the certificates?
ACME server returned an error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: caldav.gerastree.at: see https://letsencrypt.org/docs/rate-limits/.
The limit is 5 per week.
What can be done to "reuse" certificates and not have new ones requested? When are certificates removed?
The docker-compose.yml file is from traskit, which is a multi-architecture version of jwilder:

version: '2'
services:
  frontproxy:
    image: traskit/nginx-proxy
    container_name: frontproxy
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen"
    restart: always
    environment:
      DEFAULT_HOST: default.vhost
      HSTS: "off"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # - /home/frank/Data/htpasswd:/etc/nginx/htpasswd
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - "certs-volume:/etc/nginx/certs:ro"
      - "/etc/nginx/vhost.d"
      - "/usr/share/nginx/html"
  nginx-letsencrypt-companion:
    restart: always
    image: jrcs/letsencrypt-nginx-proxy-companion
    volumes:
      - "certs-volume:/etc/nginx/certs"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    volumes_from:
      - "frontproxy"
volumes:
  certs-volume:

Upvotes: 4
Views: 2080
Reputation: 363
Have the same issue, issuing certs within a docker container when the container starts. Seems like there is no way to resolve it. You can use the stage server - but the certs will not be authorized by a CA.
So, yeah, if it's an option for you - you could have certbot running on the host, and pass the certs inside the container.
Upvotes: 0
Reputation: 1746
For anyone finding this in the future: LE say that there's no way to clear the status of your domain-set once you've hit the rate-limit until the 7 day "sliding window" has elapsed, regardless of how you spell or arrange the domains in the certbot command.
However, if like me, you have a spare domain kicking around that you haven't yet added to the cert, add that to another -d flag and re-run the command. This worked for me.
Upvotes: 1
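
The limit as the error message and the last answer describe it (5 certificates per exact set of domains in a 7-day sliding window, with order and spelling of the names ignored), modelled as an added example; it is not code from the posts above and not Let's Encrypt's implementation. The issuance timestamps and `spare.example.org` are constructed, and `domain_set` and `check_order` are hypothetical helper names.

```python
from datetime import datetime, timedelta, timezone

LIMIT = 5                     # "The limit is 5 per week" (from the question)
WINDOW = timedelta(days=7)    # 7-day sliding window (from the last answer)


def domain_set(names):
    """Identity of a certificate for this limit: order and case are ignored."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)


def check_order(history, names, now):
    """history is a list of (issued_at, [names]) tuples.

    Returns (allowed, when): if the order is allowed, when == now; otherwise
    when is the moment the oldest counted issuance leaves the window.
    """
    key = domain_set(names)
    recent = sorted(t for t, issued in history
                    if domain_set(issued) == key and now - t < WINDOW)
    if len(recent) < LIMIT:
        return True, now
    # The LIMIT-th most recent issuance must age out before a new order fits.
    return False, recent[-LIMIT] + WINDOW


def _utc(day, hour):
    return datetime(2024, 1, day, hour, tzinfo=timezone.utc)


# Constructed history: the container holding the certificates was recreated
# once a day, so the same single-name certificate was requested five times.
HISTORY = [(_utc(d, 9), ["caldav.gerastree.at"]) for d in (1, 2, 3, 4, 5)]
NOW = _utc(6, 12)

if __name__ == "__main__":
    for names in (["CALDAV.gerastree.at"],
                  ["caldav.gerastree.at", "spare.example.org"]):
        allowed, when = check_order(HISTORY, names, NOW)
        print(sorted(domain_set(names)), "allowed" if allowed else "blocked",
              when.isoformat())
```

The second order is counted separately because adding a name produces a different set, which is why the extra `-d` name in the last answer went through while the original set stayed blocked.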