Hey everyone! Hopefully someone can help me here...I totally understand the implications of this error and what it means, however, I do not understand why I am getting it. I am running the NGINX Proxy Manager in Docker on my QNAP and have Certificates for 7 domains/subdomains. I understand the limit is 50 so I do not understand why it says I reached the limit of failed authorizations...anyone any idea where this is coming from?
I ran this command:
certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-24" --agree-tos --authenticator webroot --email "mail@sellure.de" --preferred-challenges "dns,http" --domains "cloud.sellure.de"
It produced this output:
Command failed: certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-24" --agree-tos --authenticator webroot --email "mail@sellure.de" --preferred-challenges "dns,http" --domains "cloud.sellure.de"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
Nginx
The operating system my web server runs on is (include version):
Docker (on QTS)
My hosting provider, if applicable, is:
ionos
I can login to a root shell on my machine (yes or no, or I don't know):
yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.19.0
The rate limit error you see is for 5 failed attempts within an hour. You need to review why that certbot command is failing. I suggest using the --dry-run or --staging option to test your command until it works. https://letsencrypt.org/docs/rate-limits/
I see you got quite a few certs for other subdomains. So, you should review what is different with this attempt.
This command uses --webroot but without a required -w path and is also trying to use the DNS challenge. This is not a workable combination. To use DNS challenge you must use a DNS plugin or manual. See the Certbot docs about that here: https://certbot.eff.org/docs/using.html
If webroot is a good option for you, you might consider getting multiple names in one cert with a command such as this:
Note that the options are --webroot and -w, not --webroot and --w. (In fact, -w is the short form of --webroot-path, which is extremely rarely written out in full.) I fully agree that when you use --webroot you normally need to supply a -w option, and also that --webroot isn't suitable for DNS challenge type.
Some more information about the different challenge types and how Certbot supports them:
Hello @schoen & @MikeMcQ
this is amazing, so much information! You two clearly know exactly what you're talking about! Unfortunately I don't
I am just getting started with this and am really trying to understand how all of this works! So the situation is that I installed NGINX Proxy Manager in a Docker which is a container that does all of that certbot stuff built-in https://nginxproxymanager.com
I tried certbot renew --dry-run
and got the following response:
Processing /etc/letsencrypt/renewal/npm-7.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for passwords.sellure.de
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: xx.sellure.de
Type: unauthorized
Detail: Invalid response from http://xx.sellure.de/.well-known/acme-challenge/sMtJ9SRaZOhISzAcgEWwS2HU88fcP5yBi_R6eulu-S0 [2606:4700:3033::6815:16ad]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js "
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Failed to renew certificate npm-7 with error: Some challenges have failed.
I feel like this is caused by Cloudflare...could this be?
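The hint in the dry-run output above says the CA must be able to download files that Certbot writes under the webroot. As an added example (not part of any post in this thread, and not Certbot or NGINX Proxy Manager code), this shell function writes a probe file into the challenge directory and fetches it back over plain HTTP, so a response that does not come from the webroot shows up before any request counts toward the failed-authorization limit; the function name, the `FETCH` override and the verdict strings are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the webroot (HTTP-01) path.
# preflight_http01 WEBROOT DOMAIN -> prints a verdict, returns 0 only on "ok".
# FETCH (hypothetical override) is a command that takes a URL and prints the body.
preflight_http01() {
    webroot=$1
    domain=$2
    dir="$webroot/.well-known/acme-challenge"
    name="preflight-$$"
    token="probe-$$-$(date +%s)"

    mkdir -p "$dir" || return 2
    printf '%s' "$token" > "$dir/$name" || return 2

    # Plain HTTP on port 80, the same path shape the CA requested in the log.
    url="http://$domain/.well-known/acme-challenge/$name"
    body=$(${FETCH:-curl -fsS --max-time 10} "$url" 2>/dev/null) || body=
    rm -f "$dir/$name"

    if [ "$body" = "$token" ]; then
        echo "ok"; return 0
    fi
    case $body in
        '') echo "no-response" ;;                # nothing served, or an HTTP error
        *'<!DOCTYPE'*|*'<!doctype'*|*'<html'*)
            echo "html-page" ;;                  # a web page answered, not the probe file
        *) echo "mismatch" ;;                    # some other content was served
    esac
    return 1
}

# Stand-alone use: sh preflight.sh /path/to/webroot name.example
if [ "$#" -eq 2 ]; then
    preflight_http01 "$1" "$2"
fi
```

A verdict of `html-page` matches the pattern in the dry-run output, where the body the CA received began with `<!DOCTYPE html>` instead of the challenge file.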
This project system you chose looks fairly popular. It even advertises built-in certs for Let's Encrypt - cool. You should be able to find advice on other setup issues from their various activity and support channels. I have never used that system so am hesitant to get involved with other environment setup questions.
yes! I learned how to get wildcard working with cloudflare integration!! Thank you so much for your help and support. It's not working yet for what I am trying to achieve but I believe that's not a certificate issue
It's super weird because I set it up, and got like 7 or 8 subdomains certified without any issues, and wanted to do another one like 5-6 days later and it didn't work anymore. But I feel like with the wildcard, it's easier to organize anyway! Also it's probably more secure because it doesn't directly expose the used subdomains, correct? How can I delete those certificates though?