tozny / rancher-lets-encrypt

Automatically create and manage certificates in Rancher using Let's Encrypt webroot verification via a minimal service


Rancher-lets-encrypt thinks it is a self-signed certificate and tries to create the cert every time

talecK opened this issue · comments

commented

I've been using this in Rancher for many years now without issue, so I don't check it too often 😄, but I recently added a new domain to Let's Encrypt and noticed an odd error in my logs that could have been going on for a while now.

"Error creating new order :: too many certificates already issued for exact set of domains". Looks like I've indeed hit my limit of 5 duplicate certificates for each domain, strange?

Taking a quick peek at the logs in /var/log/letsencrypt I noticed that the following block must be getting triggered based on the output which seems to create certs without checking their expiry.

      elif "X3" not in server_cert_issuer and not STAGING:
          # we have a self-signed certificate we should replace with a prod certificate.
          # this should only happen once on initial rancher install.
          print("INFO: Replacing self-signed certificate: {0}, "
                "{1} with production LE cert".format(server, server_cert_issuer))
          self.create_cert(server)
          self.post_cert(server)

Looking at the output:

Replacing self-signed certificate: *******.com, CN=R3,O=Let's Encrypt,C=US

Looking at https://letsencrypt.org/certificates/ that seems to make sense as X3 is retired and the default is now R3.

I'm guessing hardcoding the issuer here is a bad idea anyway? R4 / E2 are backups and this is subject to change anyway.
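One way to make the decision above without hardcoding the intermediate's CN, as an added example that is not rancher-lets-encrypt's own code: detect Rancher's self-signed default by comparing issuer and subject, and renew CA-issued certs only near expiry. The DN strings, the 30-day window and the ISO date inputs are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Added example, not rancher-lets-encrypt's own code. It decides whether a
# deployed certificate should be (re)issued without hardcoding the Let's
# Encrypt intermediate CN ("X3", "R3", ...), which the check quoted above does.

RENEW_WITHIN_DAYS = 30  # assumed renewal window, not a project setting


def parse_dn(dn):
    """Parse a 'CN=R3,O=Let's Encrypt,C=US' style DN into {attr: value}.

    Naive split on ',' (no RFC 4514 escaping), enough for the DNs seen here.
    """
    attrs = {}
    for rdn in dn.split(","):
        key, sep, value = rdn.partition("=")
        if sep:
            attrs[key.strip().upper()] = value.strip()
    return attrs


def is_self_signed(issuer_dn, subject_dn):
    """A self-signed cert (Rancher's default) names itself as its issuer."""
    return parse_dn(issuer_dn) == parse_dn(subject_dn)


def is_lets_encrypt(issuer_dn):
    """Match the issuing organisation, which survives X3 -> R3 rotation."""
    return parse_dn(issuer_dn).get("O", "").lower() == "let's encrypt"


def renewal_action(issuer_dn, subject_dn, not_after_iso, now_iso, staging=False):
    """Return 'replace-self-signed', 'renew' or 'keep' for one certificate."""
    not_after = datetime.fromisoformat(not_after_iso)
    now = datetime.fromisoformat(now_iso)
    if is_self_signed(issuer_dn, subject_dn) and not staging:
        # Only Rancher's default self-signed cert is replaced unconditionally.
        return "replace-self-signed"
    if not_after - now <= timedelta(days=RENEW_WITHIN_DAYS):
        # Any CA-issued cert (LE X3, R3, E1, ...) is renewed only near expiry,
        # which keeps repeated runs under the duplicate-certificate rate limit.
        return "renew"
    return "keep"
```

Because the branch keys on issuer == subject rather than on the substring "X3", an R3-issued certificate far from expiry comes back as "keep" instead of being reissued on every run.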