All renewals failing with response code 429

The last couple of times I've gone to renew my certificates I haven't been able to. 2 months ago, after fighting with it a bunch, it finally renewed. But now they're coming due again, and I'm having the same issue.

My domain is: cerberus.ca

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/cerberus.ca.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for *.cerberus.ca and cerberus.ca
Failed to renew certificate cerberus.ca with error: Unable to determine zone_id for cerberus.ca using zone names: ['cerberus.ca', 'ca']. The error from Cloudflare was: 429 HTTP response code 429.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/cerberus.ca/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
N/A

The operating system my web server runs on is (include version):
Ubuntu 22.04.5 LTS

My hosting provider, if applicable, is:
FranTech / BuyVM

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot is version 5.0.0 and certbot-dns-cloudflare is version 5.0.0

certbot is being run from cron:
0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Logs:

2025-11-30 22:03:40,779:DEBUG:certbot._internal.main:certbot version: 5.0.0
2025-11-30 22:03:40,779:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2025-11-30 22:03:40,779:DEBUG:certbot._internal.main:Arguments: ['-v']
2025-11-30 22:03:40,779:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-11-30 22:03:40,785:DEBUG:certbot._internal.log:Root logging level set at 20
2025-11-30 22:03:40,786:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/cerberus.ca.conf
2025-11-30 22:03:40,787:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2025-11-30 22:03:40,794:DEBUG:certbot._internal.renewal:Skipped ACME Renewal Info check because ari_retry_after 2025-12-01T03:14:54 is in the future
2025-11-30 22:03:40,795:INFO:certbot.ocsp:Cannot extract OCSP URI from /etc/letsencrypt/archive/cerberus.ca/cert39.pem
2025-11-30 22:03:40,796:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2025-11-30 22:03:40,796:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-cloudflare and installer None
2025-11-30 22:03:40,796:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='dns-cloudflare', value='certbot_dns_cloudflare._internal.dns_cloudflare:Authenticator', group='certbot.plugins')
Initialized: <certbot_dns_cloudflare._internal.dns_cloudflare.Authenticator object at 0x7f45aef134c0>
Prep: True
2025-11-30 22:03:40,796:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_cloudflare._internal.dns_cloudflare.Authenticator object at 0x7f45aef134c0> and installer None
2025-11-30 22:03:40,796:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-cloudflare, Installer None
2025-11-30 22:03:40,831:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/50934880', new_authzr_uri=None, terms_of_service=None), 867ecd846477c913b376c092523d5d8a, Meta(creation_dt=datetime.datetime(2019, 2, 5, 19, 21, 46, tzinfo=datetime.timezone.utc), creation_host='hermes.cerberus.ca', register_to_eff=None))>
2025-11-30 22:03:40,832:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2025-11-30 22:03:40,833:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2025-11-30 22:03:40,954:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 1063
2025-11-30 22:03:40,954:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Dec 2025 05:03:40 GMT
Content-Type: application/json
Content-Length: 1063
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "IFzSw0-p2Cc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "profiles": {
      "classic": "https://letsencrypt.org/docs/profiles#classic",
      "shortlived": "https://letsencrypt.org/docs/profiles#shortlived (not yet generally available)",
      "tlsclient": "https://letsencrypt.org/docs/profiles#tlsclient",
      "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver"
    },
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/acme/renewal-info",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2025-11-30 22:03:40,955:DEBUG:certbot._internal.display.obj:Notifying user: Renewing an existing certificate for *.cerberus.ca and cerberus.ca
2025-11-30 22:03:41,038:DEBUG:acme.client:Requesting fresh nonce
2025-11-30 22:03:41,039:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2025-11-30 22:03:41,076:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2025-11-30 22:03:41,076:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Dec 2025 05:03:41 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: zahUfOdG458fjGJ1eeIUI2zEft1W9djh8c-S5nO-JKrerBm8jxI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2025-11-30 22:03:41,076:DEBUG:acme.client:Storing nonce: zahUfOdG458fjGJ1eeIUI2zEft1W9djh8c-S5nO-JKrerBm8jxI
2025-11-30 22:03:41,077:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "*.cerberus.ca"\n    },\n    {\n      "type": "dns",\n      "value": "cerberus.ca"\n    }\n  ]\n}'
2025-11-30 22:03:41,078:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTA5MzQ4ODAiLCAibm9uY2UiOiAiemFoVWZPZEc0NThmakdKMWVlSVVJMnpFZnQxVzlkamg4Yy1TNW5PLUpLcmVyQm04anhJIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "c7ImipgK0XzllVsHtDi3jGSXk3ViYj5vh98F67u-plLsTFffAVIjl9P4Ar1T4NmT1syAqftZLpOvV2dJl4t2zYvXAGaJqSRlNXsdgHsjcxztv0VEiD5AgNXyZeWZjjJ-UL7WuEvjtnw3zB4RbyZ5ocOoxwm6QHNYnWmvFAd4AxUhm6xiP_4Bu9NzqHz7_LIiMmmLSrhf02MNIewxW7s9-sLregdI33IH8jMR9d5rSVUJ2T_KmbO8O3lksaYBL-nMLNyTQdhNIi1uSJ6k4RiXB6-fGWKdaULEp7Z_meeskSl8FIvn39_zb8yGe2wvCLLJA4kCul3fYnaRhn6MLYndnw",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIiouY2VyYmVydXMuY2EiCiAgICB9LAogICAgewogICAgICAidHlwZSI6ICJkbnMiLAogICAgICAidmFsdWUiOiAiY2VyYmVydXMuY2EiCiAgICB9CiAgXQp9"
}
2025-11-30 22:03:41,134:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 483
2025-11-30 22:03:41,134:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 01 Dec 2025 05:03:41 GMT
Content-Type: application/json
Content-Length: 483
Connection: keep-alive
Boulder-Requester: 50934880
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/50934880/453678309796
Replay-Nonce: jkzIQkhd2IBSZqVoC4Pj4jFqSfmFSloTRIEVLcLgBA6v6FTLbuY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2025-12-06T09:46:23Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.cerberus.ca"
    },
    {
      "type": "dns",
      "value": "cerberus.ca"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/50934880/620066867126",
    "https://acme-v02.api.letsencrypt.org/acme/authz/50934880/620066867136"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/50934880/453678309796"
}
2025-11-30 22:03:41,134:DEBUG:acme.client:Storing nonce: jkzIQkhd2IBSZqVoC4Pj4jFqSfmFSloTRIEVLcLgBA6v6FTLbuY
2025-11-30 22:03:41,135:DEBUG:acme.client:JWS payload:
b''
2025-11-30 22:03:41,135:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/50934880/620066867126:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTA5MzQ4ODAiLCAibm9uY2UiOiAiamt6SVFraGQySUJTWnFWb0M0UGo0akZxU2ZtRlNsb1RSSUVWTGNMZ0JBNnY2RlRMYnVZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei81MDkzNDg4MC82MjAwNjY4NjcxMjYifQ",
  "signature": "oydO0cgsx19CssI3zmyTePJ1jqCjG670ysc3O871-XzaIiJvaWJPkUJ2Hf9cQOikE-zWW0cxz6_y3SBnUVphOXcRxwx3tb0Psu5zyL6kUHj4SUQLRnO6QpUAQmmLwauTwn5ZbhoTe3pdU40pMHHH-NISyqj5k3H07KxF7z6JvcsFh1gj7r7-847OpYkv4jP6OvgownWTzcdP01bGHjN2_G-9yNtPdkFbYcGiJgEY0UvjfDtgkZILKxkS2aO7xFBVh7QS-W97yvXIiJVCKj0HJIZY6UGnizxV_r-F0xjO6kfn9R9DqOmTpzwMbOAaY9ezCcD3AxTJwMcgTvzBrfvnPw",
  "payload": ""
}
2025-11-30 22:03:41,175:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/50934880/620066867126 HTTP/1.1" 200 391
2025-11-30 22:03:41,176:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Dec 2025 05:03:41 GMT
Content-Type: application/json
Content-Length: 391
Connection: keep-alive
Boulder-Requester: 50934880
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: jkzIQkhdok3kMggLZe7O9_RrkmszC-I298V1Omu1jGIQ6smOQGY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "cerberus.ca"
  },
  "status": "pending",
  "expires": "2025-12-06T09:46:23Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/50934880/620066867126/rZ-6TQ",
      "status": "pending",
      "token": "8rVe4J-EiGFpTD4I2SQHi-9QoZRtcR0BZTPI-O-Lxy8"
    }
  ],
  "wildcard": true
}
2025-11-30 22:03:41,176:DEBUG:acme.client:Storing nonce: jkzIQkhdok3kMggLZe7O9_RrkmszC-I298V1Omu1jGIQ6smOQGY
2025-11-30 22:03:41,176:DEBUG:acme.client:JWS payload:
b''
2025-11-30 22:03:41,177:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/50934880/620066867136:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTA5MzQ4ODAiLCAibm9uY2UiOiAiamt6SVFraGRvazNrTWdnTFplN085X1Jya21zekMtSTI5OFYxT211MWpHSVE2c21PUUdZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei81MDkzNDg4MC82MjAwNjY4NjcxMzYifQ",
  "signature": "FHG8ioznJWQ8hicFgyc_mLKTxewSmTlTtO7HTp4MX7XRm5O82pPQ0gggpFR8mED4CYvPScaSFwXoTMpf1z76JqMnDxtUQZXQQm15VX7sLnPb3z_OR4-U51kLEQ7ez3joN78vXWeEYvU2X9Tk6bCejD9U2ZHyrbZ2WJzj9tvvKCLkeTS2lvjTdeDXt0WYq3-rFDN80NNIc1lSwiK9b2WfxH4Wm2YP82EZTUCsggQGOdtgjEtd-SHJcO4lFSwf_hVXi8Wwv_PBYCIDQ67mmzfFW4JeqA4SGWbL2dJlU6xQpjrvSp9kWVb-HXahtdmncfTZxrGM3eLgR8O78BMA3-0ANQ",
  "payload": ""
}
2025-11-30 22:03:41,217:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/50934880/620066867136 HTTP/1.1" 200 813
2025-11-30 22:03:41,217:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 01 Dec 2025 05:03:41 GMT
Content-Type: application/json
Content-Length: 813
Connection: keep-alive
Boulder-Requester: 50934880
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: zahUfOdGSkcq9Is-UolC6qWiTSZsDGvlxt20loI_kug7j22tcKY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "cerberus.ca"
  },
  "status": "pending",
  "expires": "2025-12-06T09:46:23Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/50934880/620066867136/b0tq6w",
      "status": "pending",
      "token": "VXlBbPDzGj0SA89AuihNiI8HCUEoDXtIwWl1BEFDd9w"
    },
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/50934880/620066867136/iSbsgQ",
      "status": "pending",
      "token": "VXlBbPDzGj0SA89AuihNiI8HCUEoDXtIwWl1BEFDd9w"
    },
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/50934880/620066867136/mxlivQ",
      "status": "pending",
      "token": "VXlBbPDzGj0SA89AuihNiI8HCUEoDXtIwWl1BEFDd9w"
    }
  ]
}
2025-11-30 22:03:41,217:DEBUG:acme.client:Storing nonce: zahUfOdGSkcq9Is-UolC6qWiTSZsDGvlxt20loI_kug7j22tcKY
2025-11-30 22:03:41,218:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {'type': 'tls-alpn-01', 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall/50934880/620066867136/b0tq6w', 'status': 'pending', 'token': 'VXlBbPDzGj0SA89AuihNiI8HCUEoDXtIwWl1BEFDd9w'}
2025-11-30 22:03:41,218:INFO:certbot._internal.auth_handler:Performing the following challenges:
2025-11-30 22:03:41,218:INFO:certbot._internal.auth_handler:dns-01 challenge for cerberus.ca
2025-11-30 22:03:41,218:INFO:certbot._internal.auth_handler:dns-01 challenge for cerberus.ca
2025-11-30 22:03:41,226:DEBUG:urllib3.util.retry:Converted retries value: 5 -> Retry(total=5, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,227:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
2025-11-30 22:03:41,291:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,291:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=cerberus.ca&per_page=1'): Retry(total=4, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,291:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=cerberus.ca&per_page=1
2025-11-30 22:03:41,302:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,303:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=cerberus.ca&per_page=1'): Retry(total=3, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,303:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=cerberus.ca&per_page=1
2025-11-30 22:03:41,313:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,313:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=cerberus.ca&per_page=1'): Retry(total=2, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,314:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=cerberus.ca&per_page=1
2025-11-30 22:03:41,323:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,324:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=cerberus.ca&per_page=1'): Retry(total=1, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,324:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=cerberus.ca&per_page=1
2025-11-30 22:03:41,335:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,336:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=cerberus.ca&per_page=1'): Retry(total=0, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,336:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=cerberus.ca&per_page=1
2025-11-30 22:03:41,350:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,351:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Unrecognised CloudFlareAPIError while finding zone_id: 429 HTTP response code 429. Continuing with next zone guess...
2025-11-30 22:03:41,361:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,361:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=ca&per_page=1'): Retry(total=4, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,361:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=ca&per_page=1
2025-11-30 22:03:41,371:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,371:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=ca&per_page=1'): Retry(total=3, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,372:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=ca&per_page=1
2025-11-30 22:03:41,382:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,383:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=ca&per_page=1'): Retry(total=2, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,383:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=ca&per_page=1
2025-11-30 22:03:41,394:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,394:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=ca&per_page=1'): Retry(total=1, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,394:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=ca&per_page=1
2025-11-30 22:03:41,404:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,404:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=ca&per_page=1'): Retry(total=0, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,405:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=ca&per_page=1
2025-11-30 22:03:41,411:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,411:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Unrecognised CloudFlareAPIError while finding zone_id: 429 HTTP response code 429. Continuing with next zone guess...
2025-11-30 22:03:41,412:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/auth_handler.py", line 84, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/lib/python3.10/dist-packages/certbot/plugins/dns_common.py", line 78, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/local/lib/python3.10/dist-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 75, in _perform
    self._get_cloudflare_client().add_txt_record(domain, validation_name, validation, self.ttl)
  File "/usr/local/lib/python3.10/dist-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 120, in add_txt_record
    zone_id = self._find_zone_id(domain)
  File "/usr/local/lib/python3.10/dist-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 233, in _find_zone_id
    raise errors.PluginError('Unable to determine zone_id for {0} using zone names: '
certbot.errors.PluginError: Unable to determine zone_id for cerberus.ca using zone names: ['cerberus.ca', 'ca']. The error from Cloudflare was: 429 HTTP response code 429.

2025-11-30 22:03:41,412:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-11-30 22:03:41,412:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-11-30 22:03:41,418:DEBUG:urllib3.util.retry:Converted retries value: 5 -> Retry(total=5, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,419:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
2025-11-30 22:03:41,483:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,483:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=cerberus.ca&per_page=1'): Retry(total=4, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,483:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=cerberus.ca&per_page=1
2025-11-30 22:03:41,489:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,489:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=cerberus.ca&per_page=1'): Retry(total=3, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,489:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=cerberus.ca&per_page=1
2025-11-30 22:03:41,499:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,499:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=cerberus.ca&per_page=1'): Retry(total=2, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,499:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=cerberus.ca&per_page=1
2025-11-30 22:03:41,509:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,509:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=cerberus.ca&per_page=1'): Retry(total=1, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,509:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=cerberus.ca&per_page=1
2025-11-30 22:03:41,517:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,517:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=cerberus.ca&per_page=1'): Retry(total=0, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,517:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=cerberus.ca&per_page=1
2025-11-30 22:03:41,527:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,528:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Unrecognised CloudFlareAPIError while finding zone_id: 429 HTTP response code 429. Continuing with next zone guess...
2025-11-30 22:03:41,535:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,535:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=ca&per_page=1'): Retry(total=4, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,535:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=ca&per_page=1
2025-11-30 22:03:41,543:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,543:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=ca&per_page=1'): Retry(total=3, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,543:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=ca&per_page=1
2025-11-30 22:03:41,558:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,559:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=ca&per_page=1'): Retry(total=2, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,559:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=ca&per_page=1
2025-11-30 22:03:41,567:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,567:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=ca&per_page=1'): Retry(total=1, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,567:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=ca&per_page=1
2025-11-30 22:03:41,577:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,577:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=ca&per_page=1'): Retry(total=0, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,578:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=ca&per_page=1
2025-11-30 22:03:41,587:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,587:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Unrecognised CloudFlareAPIError while finding zone_id: 429 HTTP response code 429. Continuing with next zone guess...
2025-11-30 22:03:41,588:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Encountered error finding zone_id during deletion: Unable to determine zone_id for cerberus.ca using zone names: ['cerberus.ca', 'ca']. The error from Cloudflare was: 429 HTTP response code 429.
2025-11-30 22:03:41,595:DEBUG:urllib3.util.retry:Converted retries value: 5 -> Retry(total=5, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,595:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
2025-11-30 22:03:41,957:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 200 None
2025-11-30 22:03:41,958:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Found zone_id of 51d832a32cd9e4a2cf63256c0762c059 for cerberus.ca using name cerberus.ca
2025-11-30 22:03:42,121:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones/51d832a32cd9e4a2cf63256c0762c059/dns_records?type=TXT&name=_acme-challenge.cerberus.ca&content=kw_AyiirujdkHHeMZAUvhMdI14DHBHTj5y8-4lce34E&per_page=1 HTTP/1.1" 200 None
2025-11-30 22:03:42,122:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:Unable to find TXT record.
2025-11-30 22:03:42,122:DEBUG:certbot_dns_cloudflare._internal.dns_cloudflare:TXT record not found; no cleanup needed.
2025-11-30 22:03:42,124:ERROR:certbot._internal.renewal:Failed to renew certificate cerberus.ca with error: Unable to determine zone_id for cerberus.ca using zone names: ['cerberus.ca', 'ca']. The error from Cloudflare was: 429 HTTP response code 429.
2025-11-30 22:03:42,126:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/renewal.py", line 711, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/main.py", line 1512, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/renewal.py", line 564, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/client.py", line 427, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/client.py", line 505, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/auth_handler.py", line 84, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/local/lib/python3.10/dist-packages/certbot/plugins/dns_common.py", line 78, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/local/lib/python3.10/dist-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 75, in _perform
    self._get_cloudflare_client().add_txt_record(domain, validation_name, validation, self.ttl)
  File "/usr/local/lib/python3.10/dist-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 120, in add_txt_record
    zone_id = self._find_zone_id(domain)
  File "/usr/local/lib/python3.10/dist-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 233, in _find_zone_id
    raise errors.PluginError('Unable to determine zone_id for {0} using zone names: '
certbot.errors.PluginError: Unable to determine zone_id for cerberus.ca using zone names: ['cerberus.ca', 'ca']. The error from Cloudflare was: 429 HTTP response code 429.

2025-11-30 22:03:42,128:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-11-30 22:03:42,129:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2025-11-30 22:03:42,130:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/cerberus.ca/fullchain.pem (failure)
2025-11-30 22:03:42,130:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-11-30 22:03:42,130:INFO:certbot.compat.misc:Running post-hook command: systemctl restart apache2 && systemctl restart postfix && systemctl restart saslauthd
2025-11-30 22:03:43,631:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.10/dist-packages/certbot/main.py", line 18, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/main.py", line 1850, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/main.py", line 1600, in renew
    renewal.handle_renewal_request(config)
  File "/usr/local/lib/python3.10/dist-packages/certbot/_internal/renewal.py", line 741, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2025-11-30 22:03:43,631:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

cerberus.ca.conf:

# renew_before_expiry = 30 days
version = 5.0.0
archive_dir = /etc/letsencrypt/archive/cerberus.ca
cert = /etc/letsencrypt/live/cerberus.ca/cert.pem
privkey = /etc/letsencrypt/live/cerberus.ca/privkey.pem
chain = /etc/letsencrypt/live/cerberus.ca/chain.pem
fullchain = /etc/letsencrypt/live/cerberus.ca/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = <Account ID Here>
pref_challs = dns-01,
authenticator = dns-cloudflare
dns_cloudflare_credentials = /etc/letsencrypt/.secrets/certbot/cloudflare.ini
dns_cloudflare_propagation_seconds = 30
server = https://acme-v02.api.letsencrypt.org/directory
post_hook = systemctl restart apache2 && systemctl restart postfix && systemctl restart saslauthd
key_type = rsa
[acme_renewal_info]
ari_retry_after = 2025-12-01T03:14:54

cloudflare.ini

dns_cloudflare_api_token = <confirmed working token>
dns_cloudflare_zone_id = <confirmed correct zone id>

Any ideas?

That's Cloudflare's API refusing to register because of a rate limit: how often does it try to renew?

1 Like

The cron job runs twice a day (the cron line is in my original post),
which I believe is what's recommended in the Let's Encrypt Certbot docs?

I think it's some kind of formatting error in the CF token/zone id, like an excess quote mark or something.

2 Likes

The cloudflare.ini file is as below, there are no

# Cloudflare API credentials used by Certbot
dns_cloudflare_api_token = <confirmed working token>
dns_cloudflare_zone_id = <confirmed correct zone id>

The token and zone_id are long alphanumeric strings, with no quotes on them.
I tested the token with curl and it worked and returned the zone_id which matches what's in the file.

By default, you get a rate limit of 1200 requests per 5 minutes. This limit is aggregated across all API usages by that user account.

So, unless you use some configuration management software that might issue lots of requests, e.g. Ansible, Terraform, Pulumi, or something similar, the most likely explanation is that your ACME client is being run incorrectly (e.g. invoked multiple times because of an error in a script or cron job).

2 Likes

2025-11-30 22:03:41,218:INFO:certbot._internal.auth_handler:dns-01 challenge for cerberus.ca
2025-11-30 22:03:41,226:DEBUG:urllib3.util.retry:Converted retries value: 5 -> Retry(total=5, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,227:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.cloudflare.com:443
2025-11-30 22:03:41,291:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,291:DEBUG:urllib3.util.retry:Incremented Retry for (url='/client/v4/zones?name=cerberus.ca&per_page=1'): Retry(total=4, connect=None, read=None, redirect=None, status=None)
2025-11-30 22:03:41,291:DEBUG:urllib3.connectionpool:Retry: /client/v4/zones?name=cerberus.ca&per_page=1
2025-11-30 22:03:41,302:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720

For some reason he's getting 429 from the Cloudflare API, not Let's Encrypt.
I think he'd get better help from https://community.cloudflare.com/c/application-performance/dns/7, not us.

2 Likes

Thank you. I don't think I have any reason to be rate limited by Cloudflare either; I don't have anything else hitting their endpoint on a regular basis that I can think of. But I appreciate you pointing me to their community.

Just like back in September, the last time I had to renew, despite the automatic renewal failing for several days and my first attempts at manual renewal failing, eventually my manual attempts succeeded. I think I will have to follow up over on the Cloudflare community though, because I don't really want to have to go through this every time my certificate needs renewing.

1 Like

Are you sure you don't have any other ACME client running? Perhaps you set something up as a test and it is misbehaving? Or some other service accessing the Cloudflare API (like a DDNS service or DNS monitoring tool)? If so, that means Certbot isn't the cause of the problem, just a victim, if you will.

The Certbot log you posted doesn't show an unusual number of requests. Do you see any unusual Certbot logs in /var/log/letsencrypt?

If not, it further points to it being some other service. As suggested, perhaps the Cloudflare community can better help identify what that might be.

3 Likes
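
Added example, not part of any post in this thread and not Certbot or Cloudflare code: one way to check the log for an unusual number of requests is to count the Cloudflare API calls that urllib3 recorded and compare the busiest 5-minute window with the 1200-request limit quoted earlier. The sample lines are constructed in the format of the DEBUG lines posted above; the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the format of the urllib3 DEBUG lines quoted in this thread.
SAMPLE_LOG = """\
2025-11-30 22:03:41,218:INFO:certbot._internal.auth_handler:dns-01 challenge for cerberus.ca
2025-11-30 22:03:41,291:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:03:41,302:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 429 5720
2025-11-30 22:09:10,000:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=cerberus.ca&per_page=1 HTTP/1.1" 200 812
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+:DEBUG:urllib3\.connectionpool:'
    r'https://api\.cloudflare\.com:443 "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) ')

WINDOW = timedelta(minutes=5)
LIMIT = 1200  # per-account requests per 5 minutes, as quoted in the thread


def cloudflare_requests(log_text):
    """Return [(timestamp, status)] for every Cloudflare API response logged."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), int(m["status"])))
    return out


def summarize(log_text):
    """Peak request count in any sliding 5-minute window, plus status totals."""
    reqs = sorted(cloudflare_requests(log_text))
    peak, start = 0, 0
    for end, (ts, _) in enumerate(reqs):
        while ts - reqs[start][0] >= WINDOW:
            start += 1
        peak = max(peak, end - start + 1)
    statuses = Counter(status for _, status in reqs)
    return {"total": len(reqs), "peak_5min": peak, "statuses": dict(statuses),
            "over_limit": peak > LIMIT}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(summarize(text))
```

Run it with the path to a log file under /var/log/letsencrypt as the only argument. A peak far below 1200 alongside 429 responses means the requests Certbot logged on this host do not account for the limit on their own.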

I have no dynamic DNS and no DNS monitoring. I don't see any evidence of another Certbot instance running, and the log file only shows the requests that I am aware of.

It really is a bit of a mystery. That said, I'm starting to think that Cloudflare in general is not happy with the IP from my server. When I was on vacation recently I had my VPN routing all my traffic out through my server, and I couldn't log into the Cloudflare dashboard, nor could I pass any Cloudflare captchas on any website.

So this could be related to that as well. I think I will have to head over to their community and see if I can narrow things down any further.

1 Like

If you are sure you have no other API usage outside Certbot, I'd recommend that you rotate API keys and API tokens in the Cloudflare dashboard (bonus points for changing the password too), in case they might be compromised and used by an uninvited guest.

While IP per se is no longer a strong signal for determining trustworthiness (the defences have shifted from IP blockade towards bot traffic detection), there might be something related to unusual traffic patterns coming from either your VPS or firewall/NAT. There might also be something unusual in the devices/software you use, like a niche browser or disabled features (e.g. JavaScript).

3 Likes

While I understand what you are saying about bot detection, it is none of those things because the exact same traffic from a different host is fine, it's only traffic that goes through that host that is flagged.

I've asked for help on the Cloudflare community as well now. Unfortunately they aren't as helpful as over here, as neither of my topics has had any response at all.

I don't want to go into much detail, since this is the Let's Encrypt forum, not Cloudflare's, but you might try to replicate your problem by signing up a domain to Cloudflare and seeing if you would be blocked when sending traffic to it. The benefit would be that you could have a look into Security Analytics and try to correlate the underlying product/rule/etc. that triggered the block.

If you want to follow up, then DM me.

3 Likes
