Cannot create certificate: too many failed authorizations recently

Hey everyone! Hopefully someone can help me here...I totally understand the implications of this error and what it means, however, I do not understand why I am getting it. I am running the NGINX Proxy Manager in Docker on my QNAP and have Certificates for 7 domains/subdomains. I understand the limit is 50 so I do not understand why it says I reached the limit of failed authorizations...anyone any idea where this is coming from?

My domain is:

I ran this command:
certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-24" --agree-tos --authenticator webroot --email "" --preferred-challenges "dns,http" --domains ""

It produced this output:
Command failed: certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-24" --agree-tos --authenticator webroot --email "" --preferred-challenges "dns,http" --domains ""
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

The operating system my web server runs on is (include version):
Docker (on QTS)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.19.0

@VincenzoK Welcome to the community.

The rate limit error you see is for 5 failed attempts within an hour. You need to review why that certbot command is failing. I suggest using the --dry-run or --staging option to test your command until it works.

I see you got quite a few certs for other subdomains. So, you should review what is different with this attempt.

This command uses --webroot but without a required -w path and is also trying to use the DNS challenge. This is not a workable combination. To use DNS challenge you must use a DNS plugin or manual. See the Certbot docs about that here:

If webroot is a good option for you, you might consider getting multiple names in one cert with a command such as this:

certbot certonly --webroot -w /var/www/example -d -d -w /var/www/other -d -d

This sample command is better described in the docs I linked.

Oh, I also see your DNS is set up for IPv4 and IPv6. But, I cannot reach your server with IPv6 which Certbot will prefer for --webroot challenges.

curl -6
curl: (7) Couldn't connect to server

The website can be very helpful.

Update: Changed wrong --w description to -w thanks
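
A small lint for certbot command lines, added here as an example (it is not part of any post in this thread and is not Certbot or NGINX Proxy Manager code). It checks the three points raised in the reply above: webroot without a -w path, webroot combined with the DNS challenge, and a run without --dry-run or --staging. The function name, finding codes and the example.com command are made up for illustration; a webroot path set in the --config file is not visible to this check.

```python
import shlex

# Value-taking certbot options this lint cares about, mapped to a canonical key.
VALUE_OPTS = {
    "-a": "authenticator", "--authenticator": "authenticator",
    "-w": "webroot_path", "--webroot-path": "webroot_path",
    "--preferred-challenges": "challenges",
}
TEST_FLAGS = {"--dry-run", "--staging", "--test-cert"}
MESSAGES = {  # finding codes are hypothetical names chosen for this example
    "webroot-without-path": "webroot authenticator but no -w/--webroot-path "
                            "on the command line (check the --config file too)",
    "webroot-with-dns-challenge": "webroot cannot answer the DNS challenge; "
                                  "use a DNS plugin or manual mode",
    "production-run": "no --dry-run/--staging: each failure counts toward "
                      "the failed-authorization rate limit",
}

def lint_certbot(command):
    """Return finding codes for one certbot command line."""
    args = shlex.split(command)
    seen, flags = {}, set()
    i = 0
    while i < len(args):
        name, sep, value = args[i].partition("=")
        if name in VALUE_OPTS:
            if not sep and i + 1 < len(args):   # "--opt value" form
                i += 1
                value = args[i]
            seen.setdefault(VALUE_OPTS[name], []).append(value)
        elif args[i].startswith("-"):
            flags.add(args[i])
        i += 1
    webroot = "--webroot" in flags or "webroot" in seen.get("authenticator", [])
    challenges = {c.strip() for v in seen.get("challenges", []) for c in v.split(",")}
    findings = []
    if webroot and not any(seen.get("webroot_path", [])):
        findings.append("webroot-without-path")
    if webroot and any(c.startswith("dns") for c in challenges):
        findings.append("webroot-with-dns-challenge")
    if not flags & TEST_FLAGS:
        findings.append("production-run")
    return findings

# The command from the first post, with its values left empty as posted.
PAGE_COMMAND = ('certbot certonly --non-interactive --config "/etc/letsencrypt.ini" '
                '--cert-name "npm-24" --agree-tos --authenticator webroot --email "" '
                '--preferred-challenges "dns,http" --domains ""')

if __name__ == "__main__":
    for code in lint_certbot(PAGE_COMMAND):
        print(f"{code}: {MESSAGES[code]}")
```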


Note that the options are --webroot and -w, not --webroot and --w. (In fact, -w is the short form of --webroot-path, which is extremely rarely written out in full.) I fully agree that when you use --webroot you normally need to supply a -w option, and also that --webroot isn't suitable for DNS challenge type.

Some more information about the different challenge types and how Certbot supports them:


Hello @schoen & @MikeMcQ
this is amazing, so much information! You two clearly know exactly what you're talking about! Unfortunately I don't :frowning:
I am just getting started with this and am really trying to understand how all of this works! So the situation is that I installed NGINX Proxy Manager in a Docker which is a container that does all of that certbot stuff built-in.

I tried certbot renew --dry-run
and got the following response:

Processing /etc/letsencrypt/renewal/npm-7.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Type:   unauthorized
  Detail: Invalid response from [2606:4700:3033::6815:16ad]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate npm-7 with error: Some challenges have failed.

I feel like this is caused by Cloudflare...could this be?


@VincenzoK I see that you issued a wildcard cert - nice work. You must have sorted out the DNS challenge. I guess our work here is done :slight_smile:

(I saw the new cert at |

This project system you chose looks fairly popular. It even advertises built-in certs for Let's Encrypt - cool. You should be able to find advice on other setup issues from their various activity and support channels. I have never used that system so am hesitant to get involved with other environment setup questions.


Yes! I learned how to get wildcard working with Cloudflare integration!! Thank you so much for your help and support :slight_smile: It's not working yet for what I am trying to achieve but I believe that's not a certificate issue :slight_smile:
It's super weird because I set it up, and got like 7 or 8 subdomains certified without any issues, and wanted to do another one like 5-6 days later and it didn't work anymore. But I feel like with the wildcard, it's easier to organize anyway! Also it's probably more secure because it doesn't directly expose the used subdomains, correct? How can I delete those certificates though?


You are very welcome.

You cannot delete certs from the Certificate Transparency Log.

That's a feature - not a bug.

Obfuscation is not a great security tool anyway. Work at hardening your servers if that is a concern.

