Let's Encrypt "too many certificates already issued" in CI
Let's Encrypt enforces a duplicate-certificate limit: only so many certificates can be issued for the exact same set of domains within a rolling week. In CI this is triggered by pipelines that request a fresh certificate for the same domains on every run instead of reusing the one they already have. The fix is to cache and reuse the certificate, and validate against staging.
What this error means
certbot or the ACME client fails with "too many certificates already issued for exact set of domains" and issuance is blocked for that domain set until the window resets.
There were too many requests of a given type :: Error creating new order ::
too many certificates already issued for exact set of domains:
example.com,www.example.com: see https://letsencrypt.org/docs/rate-limits/Common causes
CI reissues the same certificate every run
A pipeline requests a new certificate for the identical domain set each build, quickly hitting the duplicate-certificate limit.
No caching of issued certificates
Certificates are not persisted between runs, so each job asks Let's Encrypt for a fresh one instead of reusing a valid existing one.
How to fix it
Reuse the existing certificate
- Persist issued certificates (secret, volume, or artifact) between runs.
- Only request issuance when the current certificate is missing or near expiry.
- Use the ACME staging endpoint for any test issuance.
# validate against staging so production limits are not consumed
certbot certonly --dry-run -d example.com -d www.example.comWait for the rolling window to reset
The duplicate-certificate limit is per rolling week. Stop reissuing and use the certificate you already hold until it needs renewal.
How to prevent it
- Cache and reuse certificates instead of reissuing per pipeline run.
- Only renew when close to expiry, not on every build.
- Test issuance against the staging environment.