About Failed Validation Limit

Hello,

Please let me know about the following article.

All issuance requests are subject to a Failed Validation limit of 5 failures per account, per hostname, per hour. You should receive the following error message from your ACME client when you’ve exceeded the Failed Validation limit:

too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/

The ‘authorizations’ that this error refers to are the result of authorization requests, sent by your ACME client, to validate control over a domain name before we can issue or renew a certificate. This error indicates that the multiple requests for validation were sent successfully but all attempts to validate have failed.

Does "Failed Validation" mean that all validations have failed in a single certificate request?

For example, if multiple certificates are requested, does it count as "Failed Validation" if only the DCV validation of one certificate fails?

Also, does "per hostname" mean that all the following domains are considered to be the same?

aaa.mixh.jp
bbb.mixh.jp
ccc.mixh.jp
ddd.mixh.jp
eee.mixh.jp

If only aaa.mixh.jp fails five times in one hour, is it possible that the rate limit is limited even if the other domains are normal?

Please advise.

A certificate request is a separate request than an authorization request. E.g., a certificate requires an authorization, but that could have been validated earlier and a certificate request could fail due to other reasons (e.g. CAA limitations). Thus you cannot compare a certification request with an authorization with regard to this rate limit.

But yes, if one certification request fails due to a failed authorization, then that failed authorization would count for the failed authorization rate limit, regardless of the status of the other certificates.

No, those have the same domain, but are distinct hostnames.

If aaa.mixh.jp fails too often, it should be possible to request an authorization for the other hostnames.

5 Likes

Hello,

Thank you for your answers.

Am I right in thinking that rate limiting is done on authorization requests rather than certificate requests?
In other words, does this mean that the DCV count will be limited if the rate limit is hit?

For example, if a single certification request contains the following set of domains, and only one of the hostnames (aaa.mixh.jp) fails DCV, does the failure count increase?

-Set of domains
aaa.mixh.jp
bbb.mixh.jp
ccc.mixh.jp
ddd.mixh.jp
eee.mixh.jp

1 Like

Correct with regard to the "failed authorizations" rate limit. Certificate requests ("orders") have their own rate limit. See the "New Orders" rate limit at Rate Limits - Let's Encrypt.

Yes, but only for the failed hostname, not the other hostnames.

6 Likes

Hello,

Thanks for the clear answers.
I have an additional question.

All issuance requests are subject to a Failed Validation limit of 5 failures per account, per hostname, per hour.

Please let me know the reference to 'per account' in the above statement.

Does this refer to the number of failed account authorisation attempts on an account in one Let's Encrypt account?
Or is it the cumulative number of all DCV errors requested on one Let's Encrypt account?

No; That would be an easy way for someone to create a DoS on any known account.

That sounds better.
You first have to be able to use the account before you can use it incorrectly [and be counted and rate limited].

3 Likes

Hello,

Thank you for your answers.

Does this mean that DCV is restricted on an account-by-account basis if, for example, the following attempts are made within an hour?

aaa.mixh.jp -> DCV Success
bbb.mixh.jp -> DCV Fail
ccc.mixh.jp -> DCV Fail
ddd.mixh.jp -> DCV Fail
eee.mixh.jp -> DCV Fail
fff.mixh.jp -> DCV Fail
ggg.mixh.jp -> DCV Success
hhh.mixh.jp -> DCV Success

Failed Validation Limit - Let's Encrypt

This error indicates that the multiple requests for validation were sent successfully but all attempts to validate have failed.

Or is this not restricted because not all attempts have failed on the account?

No, because the rule is "5 failures per account, per hostname, per hour".

This is 5 failures on that account, but only 1 failure on each hostname.

The purpose of this limit is not to penalize you for having a very large number of web sites and being unlucky with random failures! It's mainly in place to prevent people from retrying the same request when it fails repeatedly.

The most commonly-encountered Let's Encrypt rate limits both tend toward this general goal: If you get a failure, please investigate why that failure happened and try to fix it before trying that same thing again, instead of making the same kind of request many times in a row.

6 Likes

Hello,

Thanks for the clear answers.
I was concerned about this limitation, but I am relieved to hear that it will not cause any problems.

3 Likes