Cannot create certificate: too many failed authorizations recently

Hey everyone! Hopefully someone can help me here... I totally understand the implications of this error and what it means; however, I do not understand why I am getting it. I am running the NGINX Proxy Manager in Docker on my QNAP and have certificates for 7 domains/subdomains. I understand the limit is 50, so I do not understand why it says I reached the limit on failed authorizations... does anyone have any idea where this is coming from?

My domain is: sellure.de

I ran this command:
certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-24" --agree-tos --authenticator webroot --email "mail@sellure.de" --preferred-challenges "dns,http" --domains "cloud.sellure.de"

It produced this output:
Command failed: certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-24" --agree-tos --authenticator webroot --email "mail@sellure.de" --preferred-challenges "dns,http" --domains "cloud.sellure.de"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Nginx

The operating system my web server runs on is (include version):
Docker (on QTS)

My hosting provider, if applicable, is:
ionos

I can login to a root shell on my machine (yes or no, or I don't know):
yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.19.0

@VincenzoK Welcome to the community.

The rate limit error you see is for 5 failed attempts within an hour. You need to review why that certbot command is failing. I suggest using the --dry-run or --staging option to test your command until it works.
https://letsencrypt.org/docs/rate-limits/

I see you got quite a few certs for other subdomains. So, you should review what is different with this attempt.

This command uses --webroot but without the required -w path, and it is also trying to use the DNS challenge. This is not a workable combination. To use the DNS challenge you must use a DNS plugin or manual. See the Certbot docs about that here:
https://certbot.eff.org/docs/using.html

If webroot is a good option for you, you might consider getting multiple names in one cert with a command such as this:

certbot certonly --webroot -w /var/www/example -d www.example.com -d example.com -w /var/www/other -d other.example.net -d another.other.example.net

This sample command is better described in the docs I linked.

Oh, I also see your DNS is set up for IPv4 and IPv6. But I cannot reach your server with IPv6, which Certbot will prefer for --webroot challenges.

curl -6 cloud.sellure.de
curl: (7) Couldn't connect to server

The https://letsdebug.net website can be very helpful.

Update: changed the wrong --w in the description to -w, thanks.

5 Likes

Note that the options are --webroot and -w, not --webroot and --w. (In fact, -w is the short form of --webroot-path, which is extremely rarely written out in full.) I fully agree that when you use --webroot you normally need to supply a -w option, and also that --webroot isn't suitable for DNS challenge type.

Some more information about the different challenge types and how Certbot supports them:

https://certbot.eff.org/docs/using.html#getting-certificates-and-choosing-plugins

6 Likes

Hello @schoen & @MikeMcQ
This is amazing, so much information! You two clearly know exactly what you're talking about! Unfortunately I don't :frowning:
I am just getting started with this and am really trying to understand how all of this works! So the situation is that I installed NGINX Proxy Manager in Docker, which is a container that does all of that certbot stuff built-in: https://nginxproxymanager.com

I tried certbot renew --dry-run
and got the following response:

Processing /etc/letsencrypt/renewal/npm-7.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for passwords.sellure.de

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: xx.sellure.de
  Type:   unauthorized
  Detail: Invalid response from http://xx.sellure.de/.well-known/acme-challenge/sMtJ9SRaZOhISzAcgEWwS2HU88fcP5yBi_R6eulu-S0 [2606:4700:3033::6815:16ad]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate npm-7 with error: Some challenges have failed.

I feel like this is caused by Cloudflare...could this be?

2 Likes
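The two failure modes in this thread (MikeMcQ's observation that the CA prefers IPv6 and the dry-run output above, where the challenge URL returned an HTML page from a proxy address instead of the token) can both be caught before certbot spends the 5-failures-per-hour budget. The script below is an added example, not code from this thread, from Certbot or from NGINX Proxy Manager. It assumes you first drop a file with known contents into `<webroot>/.well-known/acme-challenge/` (the file name and contents used below are placeholders you choose), then resolves every A and AAAA record for the name, fetches that path from each address with the real Host header, and reports per address whether the body is your file, an HTML page, a 404, a redirect, or unreachable.

```python
"""Pre-flight check for an HTTP-01 (webroot) challenge path.

Added example, not code from this thread, Certbot or NGINX Proxy Manager.
It mimics what the CA's validator does: resolve the hostname, fetch
http://<host>/.well-known/acme-challenge/<token> over every A and AAAA
address, and confirm the body is the expected text and not an HTML page.
"""
from __future__ import annotations

import http.client
import socket
from dataclasses import dataclass

CHALLENGE_PATH = "/.well-known/acme-challenge/"


@dataclass
class CheckResult:
    address: str
    verdict: str   # ok | html_page | not_found | redirect | wrong_body | unreachable
    detail: str


def classify_response(status: int, body: str, expected: str, location: str = "") -> tuple[str, str]:
    """Judge one HTTP response the way the CA's validator would."""
    if status in (301, 302, 307, 308):
        return "redirect", f"{status} -> {location or '?'} (the CA follows it; check the target too)"
    if status == 404:
        return "not_found", "404: this vhost does not serve the directory you gave -w"
    text = body.strip()
    if text == expected:
        return "ok", f"{status}: body matches the test file"
    head = text[:200].lower()
    if head.startswith("<!doctype html") or "<html" in head:
        return "html_page", (f"{status}: HTML page instead of the test file; a CDN/proxy "
                             "or catch-all vhost answered for this name")
    return "wrong_body", f"{status}: body {text[:40]!r} does not match the test file"


def resolve_all(host: str) -> list[str]:
    """Return every A and AAAA address, AAAA first, since the CA may use any of them."""
    infos = socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)
    addrs = {info[4][0] for info in infos}
    return sorted(addrs, key=lambda a: (":" not in a, a))


def fetch_token(host: str, address: str, token: str, timeout: float = 10.0) -> tuple[int, str, str]:
    """GET the challenge URL from one specific address while sending the real Host header."""
    # A raw IPv6 literal works here because the port is passed explicitly.
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH + token,
                     headers={"Host": host, "User-Agent": "acme-preflight-example/0.1"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return resp.status, body, resp.getheader("Location", "") or ""
    finally:
        conn.close()


def preflight(host: str, token: str, expected: str) -> list[CheckResult]:
    """Check the challenge path from every published address of the host."""
    results: list[CheckResult] = []
    for addr in resolve_all(host):
        try:
            status, body, location = fetch_token(host, addr, token)
        except OSError as exc:   # e.g. no IPv6 route: the curl -6 failure seen in this thread
            results.append(CheckResult(addr, "unreachable", str(exc)))
            continue
        verdict, detail = classify_response(status, body, expected, location)
        results.append(CheckResult(addr, verdict, detail))
    return results


if __name__ == "__main__":
    import sys
    # Placeholder usage: after creating <webroot>/.well-known/acme-challenge/preflight-test
    # containing "hello-from-webroot", run:
    #   python3 preflight.py cloud.example.com preflight-test hello-from-webroot
    host, token, expected = sys.argv[1:4]
    checks = preflight(host, token, expected)
    for r in checks:
        print(f"{r.address:40} {r.verdict:12} {r.detail}")
    sys.exit(0 if checks and all(r.verdict == "ok" for r in checks) else 1)
```

A real validation fetches the key authorization (the token plus the account key thumbprint) that Certbot writes itself, so this only proves the path and every address are serving the webroot; that is enough to explain both an "unreachable over IPv6" result and the proxied HTML page in the dry-run output, and a name with a proxy in front of it is the case where a DNS challenge (as the wildcard in this thread uses) avoids the problem entirely.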

@VincenzoK I see that you issued a wildcard cert - nice work. You must have sorted out the DNS challenge. I guess our work here is done :slight_smile:

(I saw the new cert at crt.sh | sellure.de)

This project system you chose looks fairly popular. It even advertises built-in certs for Let's Encrypt - cool. You should be able to find advice on other setup issues from their various activity and support channels. I have never used that system so am hesitant to get involved with other environment setup questions.

3 Likes

Yes! I learned how to get wildcard working with Cloudflare integration!! Thank you so much for your help and support :slight_smile: It's not working yet for what I am trying to achieve, but I believe that's not a certificate issue :slight_smile:
It's super weird because I set it up, and got like 7 or 8 subdomains certified without any issues, and wanted to do another one like 5-6 days later and it didn't work anymore. But I feel like with the wildcard, it's easier to organize anyway! Also it's probably more secure because it doesn't directly expose the used subdomains, correct? How can I delete those certificates though?

2 Likes

You are very welcome.

You cannot delete certs from the Certificate Transparency Log.

That's a feature - not a bug.

Obfuscation is not a great security tool anyway. Work at hardening your servers if that is a concern.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.