Acme: error: 429 (Caddy Server + Cloudflare)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
entrl.com

I ran this command:

docker-compose logs proxy

(my container is called proxy and I use caddyserver as a reverse proxy for my services)

It produced this output:

Attaching to latest_proxy_1
proxy_1 | 2019/08/25 13:49:09 [INFO][cache:0xc00018ea50] Started certificate maintenance routine
proxy_1 | Activating privacy features… 2019/08/25 13:49:10 [INFO][entrl.com] Obtain certificate
proxy_1 | 2019/08/25 13:49:10 [INFO] [entrl.com] acme: Obtaining bundled SAN certificate
proxy_1 | 2019/08/25 13:49:10 [ERROR][entrl.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: entrl.com: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 1/3; challenge=dns-01)
proxy_1 | 2019/08/25 13:49:11 [INFO] [entrl.com] acme: Obtaining bundled SAN certificate
proxy_1 | 2019/08/25 13:49:12 [ERROR][entrl.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: entrl.com: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 2/3; challenge=dns-01)
proxy_1 | 2019/08/25 13:49:13 [INFO] [entrl.com] acme: Obtaining bundled SAN certificate
proxy_1 | 2019/08/25 13:49:18 [ERROR][entrl.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: entrl.com: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 3/3; challenge=dns-01)
proxy_1 | 2019/08/25 13:49:19 failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: entrl.com: see https://letsencrypt.org/docs/rate-limits/, url:
proxy_1 | exit status 1
proxy_1 | Activating privacy features… 2019/08/25 13:49:20 [INFO][cache:0xc00018aa50] Started certificate maintenance routine
proxy_1 | 2019/08/25 13:49:21 [INFO][entrl.com] Obtain certificate
proxy_1 | 2019/08/25 13:49:21 [INFO] [entrl.com] acme: Obtaining bundled SAN certificate
proxy_1 | 2019/08/25 13:49:21 [ERROR][entrl.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: entrl.com: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 1/3; challenge=dns-01)
proxy_1 | 2019/08/25 13:49:22 [INFO] [entrl.com] acme: Obtaining bundled SAN certificate
proxy_1 | 2019/08/25 13:49:23 [ERROR][entrl.com] failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates already issued for exact set of domains: entrl.com: see https://letsencrypt.org/docs/rate-limits/, url: (attempt 2/3; challenge=dns-01)
proxy_1 | 2019/08/25 13:49:24 [INFO] [entrl.com] acme: Obtaining bundled SAN certificate

My web server is (include version):
https://hub.docker.com/r/abiosoft/caddy/ latest tag

The operating system my web server runs on is (include version):
Ubuntu 18.04 LTS

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
I use latest version of https://github.com/abiosoft/caddy-docker

Good day everyone!
First of all I would like to say that I have read a lot of articles about this situation before writing this post.

I understand that I have reached the rate limit for one domain as I have created 5 duplicate SSL certificates: https://check-your-website.server-daten.de/?q=entrl.com

I think the problem is that I have removed all volumes several times while testing my docker services. That’s why caddyserver can’t find my certificates and tries to create new ones.

I use Cloudflare DNS in my Caddyfile and I can’t understand why caddyserver tries to create SSL certificates, as I want to use CloudFlare Universal SSL for my domain and subdomains:

entrl.com {
  log stdout
  errors stderr

  # security headers sent on every response; -Server strips the Server header
  header / {
    Referrer-Policy "same-origin"
    Strict-Transport-Security "max-age=15768000;"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    X-XSS-Protection "1; mode=block"
    -Server
  }

  gzip
  # automatic HTTPS: Caddy obtains a Let's Encrypt certificate for entrl.com
  # using the ACME dns-01 challenge via the Cloudflare DNS API
  tls {
    dns cloudflare
  }

  # frontend container
  proxy / front-main:80 {
    transparent
  }

  # API container; the /api/ prefix is stripped before forwarding
  proxy /api/ back-search:9000 {
    transparent
    without /api/
  }
}

My docker-compose.yml file (only a part with proxy container):

proxy:
  image: ${REGISTRY_BASE_URL}/proxy:${TAG}
  restart: always
  ports:
    - 80:80
    - 443:443
  volumes:
    # host directory holding the ACME account key and issued certificates,
    # so they survive container rebuilds
    - "$HOME/.caddy:/etc/caddycerts"
  environment:
    CADDYPATH: "/etc/caddycerts"
    CLOUDFLARE_EMAIL: ${CLOUDFLARE_EMAIL}
    CLOUDFLARE_API_KEY: ${CLOUDFLARE_API_KEY}
    ACME_AGREE: "true"

Right now I can’t use my services as I can’t start my reverse proxy container.
I have many subdomains and I want to use a secure connection between CloudFlare and my reverse proxy.
I really hope for your help. What should I do in my situation?

1 Like

Should I just wait for seven days?

Hi @Klimbo

Perhaps. Now the domain is offline, so it doesn't look like an active and productive domain. So you can use the test system.

I have no idea if that caddy works with the cloudflare integrated solution. Perhaps you use the Cloudflare dns to create a Letsencrypt certificate (via dns-validation), not Cloudflare universal SSL.

General: If you use docker, save the account key and the certificates outside of your container. So you can reuse these.

And you can create a new certificate if you add a second domain name.

You have hit some limits ( https://check-your-website.server-daten.de/?q=entrl.com#ct-logs ):

Issuer                      not before   not after    Domain names                    LE-Duplicate      next LE
Let's Encrypt Authority X3  2019-08-24   2019-11-22   storage.entrl.com - 1 entries   duplicate nr. 5   next Letsencrypt certificate: 2019-08-30 10:22:05
Let's Encrypt Authority X3  2019-08-24   2019-11-22   users.entrl.com - 1 entries     duplicate nr. 5   next Letsencrypt certificate: 2019-08-30 10:20:57
Let's Encrypt Authority X3  2019-08-24   2019-11-22   courses.entrl.com - 1 entries   duplicate nr. 5   next Letsencrypt certificate: 2019-08-30 10:20:22
Let's Encrypt Authority X3  2019-08-24   2019-11-22   passport.entrl.com - 1 entries  duplicate nr. 5   next Letsencrypt certificate: 2019-08-30 10:19:58
Let's Encrypt Authority X3  2019-08-24   2019-11-22   webhooks.entrl.com - 1 entries  duplicate nr. 5   next Letsencrypt certificate: 2019-08-30 10:19:47
Let's Encrypt Authority X3  2019-08-24   2019-11-22   entrl.com - 1 entries           duplicate nr. 5   next Letsencrypt certificate: 2019-08-30 10:19:33

But you can create one certificate with two or all 6 domain names.

There are 30 certificates / last seven days. So max. 50 / main domain / week are possible.

1 Like
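Added example (not part of the thread, and not code from Caddy, crt.sh or check-your-website): the check the reply above does by hand, done from Certificate Transparency data. It reads JSON in the shape of crt.sh's `output=json` export, folds each precertificate/leaf pair into one issuance by serial number (otherwise every certificate counts twice), then applies the two sliding 7-day limits from https://letsencrypt.org/docs/rate-limits/ as they stood in 2019: 5 certificates per exact hostname set and 50 per registered domain. The sample rows are constructed to match the six hostnames and "duplicate nr. 5" state in the table above, with first-issuance times chosen so the computed reopening times equal the table's "next LE" column; they are not real crt.sh output. Registered-domain matching is a plain suffix check, which is an assumption (real tooling uses the Public Suffix List).

```python
"""Count recent Let's Encrypt issuances per exact hostname set from crt.sh-style
JSON and estimate when the duplicate-certificate window reopens."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Let's Encrypt limits as documented at https://letsencrypt.org/docs/rate-limits/
# at the time of this thread (2019); both are sliding seven-day windows.
DUPLICATE_LIMIT = 5       # certificates per exact hostname set
PER_DOMAIN_LIMIT = 50     # certificates per registered domain
WINDOW = timedelta(days=7)

# "now" for the calculation: timestamp of the first log line in the thread.
LOG_TIME = datetime(2019, 8, 25, 13, 49, 9)

# Constructed sample (assumption, not real crt.sh data) in the shape of crt.sh's
# JSON export, e.g. https://crt.sh/?q=%25.entrl.com&output=json. First-issuance
# times are chosen so the reopening times match the table quoted above.
FIRST_ISSUED = {
    "entrl.com":          "2019-08-23T10:19:33",
    "webhooks.entrl.com": "2019-08-23T10:19:47",
    "passport.entrl.com": "2019-08-23T10:19:58",
    "courses.entrl.com":  "2019-08-23T10:20:22",
    "users.entrl.com":    "2019-08-23T10:20:57",
    "storage.entrl.com":  "2019-08-23T10:22:05",
}


def _constructed_crtsh_rows():
    rows, serial = [], 0x4000
    for host, first in FIRST_ISSUED.items():
        t0 = datetime.fromisoformat(first)
        for hours in (0, 4, 20, 24, 26):          # five issuances per host
            not_before = t0 + timedelta(hours=hours)
            serial += 1
            for _ in range(2):                     # precertificate + leaf, same serial
                rows.append({
                    "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
                    "common_name": host,
                    "name_value": host,            # SANs, newline-separated on crt.sh
                    "serial_number": format(serial, "x"),
                    "not_before": not_before.isoformat(),
                    "not_after": (not_before + timedelta(days=90)).isoformat(),
                })
    return rows


SAMPLE_JSON = json.dumps(_constructed_crtsh_rows())


def parse_crtsh(json_text):
    """Return one (hostname set, not_before) per issued certificate, folding the
    precertificate/leaf pair into a single entry keyed by issuer and serial."""
    seen, certs = set(), []
    for row in json.loads(json_text):
        key = (row["issuer_name"], row["serial_number"].lower())
        if key in seen:
            continue
        seen.add(key)
        names = frozenset(n.strip().lower()
                          for n in row["name_value"].split("\n") if n.strip())
        certs.append((names, datetime.fromisoformat(row["not_before"])))
    return certs


def duplicate_status(certs, now):
    """Per exact hostname set: issuances inside the window and, once the duplicate
    limit is reached, the earliest time a new order for that set could succeed."""
    by_set = defaultdict(list)
    for names, not_before in certs:
        if now - WINDOW < not_before <= now:
            by_set[tuple(sorted(names))].append(not_before)
    status = {}
    for key, times in by_set.items():
        times.sort()
        next_allowed = None
        if len(times) >= DUPLICATE_LIMIT:
            # the oldest (count - limit + 1) issuances must age out of the window
            next_allowed = times[len(times) - DUPLICATE_LIMIT] + WINDOW
        status[key] = (len(times), next_allowed)
    return status


def registered_domain_usage(certs, now, registered_domain):
    """Certificates in the window that cover any name under registered_domain.
    Suffix matching is a simplification; proper tooling uses the Public Suffix List."""
    rd = registered_domain.lower()
    return sum(1 for names, not_before in certs
               if now - WINDOW < not_before <= now
               and any(n == rd or n.endswith("." + rd) for n in names))


if __name__ == "__main__":
    certs = parse_crtsh(SAMPLE_JSON)
    for names, (count, next_allowed) in sorted(duplicate_status(certs, LOG_TIME).items()):
        when = "allowed now" if next_allowed is None else f"not before {next_allowed}"
        print(f"{', '.join(names):<22} {count}/{DUPLICATE_LIMIT} in window; next order {when}")
    used = registered_domain_usage(certs, LOG_TIME, "entrl.com")
    print(f"{used}/{PER_DOMAIN_LIMIT} certificates for entrl.com in the last 7 days")
```

The per-domain counter is why the reply can say a certificate with two or all six names is still possible: that order has a new exact hostname set, so the duplicate limit does not apply, and the registered domain still has headroom under the 50-per-week limit. Swapping `SAMPLE_JSON` for a real crt.sh download gives the same calculation for a live domain; remember that CT logs lag issuance by minutes, so a certificate ordered moments ago may not be counted yet.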

Thank you for quick response.

My domain is offline because I have stopped all my servers (just to be sure that my docker container won’t try to create certificates for these 7 days).

I have set up a volume outside the container so I hope it will work.
And you are right that it is only possible to create a Letsencrypt certificate (via dns-validation), not Cloudflare Universal SSL.

And again thank you for your response, good luck!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.