AWS Route 53 plugin gets "Rate exceeded." How to slow down Certbot?

My domain is: test.overdrive.com and several others

I ran this command: certbot certonly --dns-route53 --domains "app.test.overdrive.com,test.meet.soraapp.com,test.biglibraryread.com,company.test.overdrive.com,test.digitalbookmobile.com,test.digipalooza.com,discuss.test.biglibraryread.com,discuss.test.togetherweread.com,test.everyonereads.com,test.readanebookday.com,test.professionalbooknerds.com,resources.test.overdrive.com,webstandards.test.overdrive.com,test.overdrivesteve.com,test.perspectivesonreading.com"

It produced this output:

```
Plugins selected: Authenticator dns-route53, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for test.digipalooza.com
dns-01 challenge for webstandards.test.overdrive.com
dns-01 challenge for company.test.overdrive.com
dns-01 challenge for test.overdrivesteve.com
dns-01 challenge for test.perspectivesonreading.com
dns-01 challenge for test.digitalbookmobile.com
dns-01 challenge for discuss.test.biglibraryread.com
dns-01 challenge for resources.test.overdrive.com
dns-01 challenge for test.everyonereads.com
dns-01 challenge for test.biglibraryread.com
dns-01 challenge for app.test.overdrive.com
dns-01 challenge for test.meet.soraapp.com
dns-01 challenge for test.readanebookday.com
dns-01 challenge for test.professionalbooknerds.com
dns-01 challenge for discuss.test.togetherweread.com
Cleaning up challenges
Encountered exception during recovery:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot_dns_route53/dns_route53.py", line 49, in _perform
    self._wait_for_change(change_id)
  File "/usr/lib/python3/dist-packages/certbot_dns_route53/dns_route53.py", line 131, in _wait_for_change
    response = self.r53.get_change(Id=change_id)
  File "/usr/lib/python3/dist-packages/botocore/client.py", line 324, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python3/dist-packages/botocore/client.py", line 622, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (Throttling) when calling the GetChange operation (reached max retries: 4): Rate exceeded

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/dns_common.py", line 57, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python3/dist-packages/certbot_dns_route53/dns_route53.py", line 52, in _perform
    raise errors.PluginError("\n".join([str(e), INSTRUCTIONS]))
certbot.errors.PluginError: An error occurred (Throttling) when calling the GetChange operation (reached max retries: 4): Rate exceeded
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 323, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/dns_common.py", line 76, in cleanup
    self._cleanup(domain, validation_domain_name, validation)
  File "/usr/lib/python3/dist-packages/certbot_dns_route53/dns_route53.py", line 56, in _cleanup
    self._change_txt_record("DELETE", validation_domain_name, validation)
  File "/usr/lib/python3/dist-packages/certbot_dns_route53/dns_route53.py", line 97, in _change_txt_record
    rrecords.remove(challenge)
ValueError: list.remove(x): x not in list
An error occurred (Throttling) when calling the GetChange operation (reached max retries: 4): Rate exceeded
To use certbot-dns-route53, configure credentials as described at https://boto3.readthedocs.io/en/latest/guide/configuration.html#best-practices-for-configuring-credentials and add the necessary permissions for Route53 access.
```

My web server is: (n/a)

The operating system my web server runs on is: (n/a)

My hosting provider is: none for web hosting; AWS Route 53 for DNS hosting

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

The version of my client is: certbot 0.31.0

============
I am attempting to generate a single certificate with SAN entries for about 15 domains. I am using the dns-01 challenge because some of my domains may be wildcards. (In the example above, none are wildcards.) As you may know, AWS’s Route 53 API has a rate limit of 5 requests per second. It seems that the Route 53 plugin is creating, and especially deleting, the DNS records too quickly, causing the overall Certbot execution to fail. I am looking for a way to slow down the process to avoid hitting the rate limit.

I am aware of the `--dns-route53-propagation-seconds` option, described as "The number of seconds to wait for DNS to propagate before asking the ACME server to verify the DNS record. (Default: 10)" That does not seem like it will help. I need to add delay between several AWS API calls, not between those calls and the call to LE.

There is a related discussion in posting 75259, but it focuses more on a problem with network timeouts, and refers to code that I am not experienced in interpreting.

Is there a way to slow down the Route 53 plugin to stay under the rate limit? If so, can this be done with a Certbot option, or might I need to delve into possible Boto3 configuration, as suggested by the other posting?

This does seem like a problem that I would not be alone in experiencing.

Thanks very much for any answers the community can provide.

Chris Ursich
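
Added example, not part of the original post and not code from Certbot or the Route 53 plugin: one way a GetChange polling loop can absorb the Throttling error shown in the traceback, using exponential backoff with jitter, together with a cleanup step that does not raise when the TXT value was never created. `Throttled`, `FakeRoute53`, `wait_for_change` and `remove_challenge` are hypothetical names, and the stub client and its responses are constructed so the block runs offline.

```python
import random

class Throttled(Exception):
    """Stand-in for botocore ClientError with code 'Throttling' (assumption)."""

class FakeRoute53:
    """Constructed stub: throttles the first throttle_n GetChange calls,
    then answers PENDING once and INSYNC afterwards."""
    def __init__(self, throttle_n):
        self.throttle_n, self.calls = throttle_n, 0

    def get_change(self, Id):
        self.calls += 1
        if self.calls <= self.throttle_n:
            raise Throttled("Rate exceeded")
        status = "PENDING" if self.calls == self.throttle_n + 1 else "INSYNC"
        return {"ChangeInfo": {"Id": Id, "Status": status}}

def wait_for_change(r53, change_id, sleep, poll=5.0, base=1.0, cap=30.0,
                    max_throttles=8, rng=random.random):
    """Poll GetChange until INSYNC; return the total seconds slept."""
    throttles, waited = 0, 0.0
    while True:
        try:
            status = r53.get_change(Id=change_id)["ChangeInfo"]["Status"]
        except Throttled:
            throttles += 1
            if throttles > max_throttles:
                raise  # give up only after repeated throttling
            # exponential backoff with full jitter, capped at `cap` seconds
            delay = rng() * min(cap, base * 2 ** throttles)
        else:
            if status == "INSYNC":
                return waited
            delay = poll  # normal PENDING poll interval
        sleep(delay)
        waited += delay

def remove_challenge(rrecords, challenge):
    """Cleanup that does not fail if the TXT value was never created."""
    return [r for r in rrecords if r != challenge]

if __name__ == "__main__":
    import time
    print(wait_for_change(FakeRoute53(2), "/change/EXAMPLE", time.sleep,
                          poll=0.1, base=0.05))
```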

I think this is a bug in the Route 53 plugin or maybe Boto, so I filed Certbot issue #6982.
