ACME2 and hanging newauthz.. Possible?

  • We’ve just upgraded to ACME2 (latest certbot)
  • We’ve been stung bad by “hanging newauthz” rate limit in the past. 7 days unable to issue!
  • We’re about to ramp up our retry logic during failed generate/renew in order to tackle intermittent failures in network between LE and various nameservers.

The question: Are we still at risk of hitting these “hanging newauthz” issues now that we’ve upgraded to latest certbot and ACME2? I have seen it implied that upgrading to certbot solves this risk, but I need strong confirmation in order to make this decision and solve our issues with more retries.

If our only risk is the 1-hour rate limit when hitting multiple failures, we have no worries. Hitting that 7 day rate limit from pending authz puts us dead in the water.

For the LE staff worried we’re about to smash against your server…
Current Retry strategy: once per day
Potential New Retry Strategy: Gradual backoff, somewhat similar to that described in your integration guide

I guess this is the rate limit I'm most concerned about:

For users of the ACME v2 API you can create a maximum of 300 New Orders per account per 3 hours. A new order is created each time you request a certificate from the Boulder CA, meaning that one new order is produced in each certificate request.

Certbot 0.31.0 is cleaning up "new orders" behind itself, right? As long as certbot is functioning correctly, this should be an impossible limit?

Is my question unclear? Is there anything I can do to help folks understand and answer?

I’m realizing that the original “pending authz” problem that we’re paranoid of, and hoping to avoid with certbot 0.31, may have been a bug in that old version of certbot and had nothing to do with ACME1. Perhaps my question is simply whether certbot 0.31 reliably closes New Orders so that we can retry and fail ad infinitum?

Hi @lancedolan

Yes.

No. New order -> valid, failed, pending.

So you can create 100 certificates per hour * 24 * 60 = 144.000 certificates in 60 days with one account and without an own rate limit.

If you have a lot of domains, you may hit that limit.

Pending authorizations should never happen. If you create a new order, then you should create the dns entry / file / alpn-certificate and send a request to the challenge url. Then the result is checked -> the order is valid or invalid.

So a client should create an order, create the challenge, say: "Hey, check it", then follows the CSR, then the certificate download -> job done, next domain.

A client should not create 100 orders, then the challenges ... If there is an error, then you have a lot of pending authorizations.

The Pending Authorizations and New Orders limits are different.

As far as I understand it, the New Orders limit applies regardless of the success or failure of each order.
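
An added example, not part of the original thread and not certbot's own code: a retry planner that combines the gradual backoff asked about above with a local budget for the quoted limit of 300 New Orders per account per 3 hours, counting every order whether it succeeds or fails. The class and function names and the backoff values are assumptions, and the clock and the failure set are simulated so it runs offline.

```python
import collections
import heapq

NEW_ORDER_LIMIT = 300          # "300 New Orders per account per 3 hours" (quoted above)
WINDOW = 3 * 60 * 60           # seconds

class NewOrderBudget:
    """Sliding-window counter. Every order counts, whether it later succeeds or fails."""
    def __init__(self, limit=NEW_ORDER_LIMIT, window=WINDOW):
        self.limit, self.window, self.stamps = limit, window, collections.deque()

    def wait_needed(self, now):
        """Seconds until one more order fits in the window (0 means go ahead)."""
        while self.stamps and now - self.stamps[0] >= self.window:
            self.stamps.popleft()
        if len(self.stamps) < self.limit:
            return 0
        return self.stamps[0] + self.window - now

    def record(self, now):
        self.stamps.append(now)

def backoff_delay(failures, base=60, cap=24 * 60 * 60):
    """Assumed policy: 1 min, 2 min, 4 min ... capped at the old once-per-day retry."""
    return min(cap, base * 2 ** (failures - 1))

def simulate(domains, failing, horizon, budget):
    """Simulated clock, one order per domain at a time.
    Returns (orders_created, peak_orders_in_window, domains_issued)."""
    queue = [(0, d, 0) for d in sorted(domains)]   # (due_time, domain, failures)
    heapq.heapify(queue)
    created = peak = issued = 0
    while queue and queue[0][0] < horizon:
        now, domain, failures = heapq.heappop(queue)
        wait = budget.wait_needed(now)
        if wait:                                   # window full: defer, do not order
            heapq.heappush(queue, (now + wait, domain, failures))
            continue
        budget.record(now)
        created += 1
        peak = max(peak, len(budget.stamps))
        if domain in failing:                      # constructed failure: back off
            failures += 1
            heapq.heappush(queue, (now + backoff_delay(failures), domain, failures))
        else:
            issued += 1
    return created, peak, issued
```

With 400 constructed domains that all fail validation, the budget holds the account at 300 orders per window however aggressive the backoff is; the deferred retries simply queue for the next window.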
