Certbot Hitting Authorization Rate Limits


#1

I created certifs the same way one month ago, it worked fine

first I get 404 errors like below
then I reestablish my http virtual host and I get the error in the title

I retried with --test-cert, same 404 error although my site is accessible

[ edit: I found the 404 issue, my virtual host was not pointing to /var/www/html/gencert
but what about the too many invalid …?]

My domain is: catalog.edenred-qa.be

I ran this command:

sudo certbot certonly -n --webroot -d catalog.edenred-qa.be -w /var/www/html/gencert --cert-path /etc/letsencrypt/live/catalog.edenred-qa.be/ --key-path /etc/letsencrypt/live/catalog.edenred-qa.be

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for catalog.edenred-qa.be
Using the webroot path /var/www/html/gencert for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. catalog.edenred-qa.be (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://catalog.edenred-qa.be/.well-known/acme-challenge/K8ejk8QWVwOZAJBSD46MVSyxP7BQnWDQwJxinh2dlFA: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: catalog.edenred-qa.be
   Type:   unauthorized
   Detail: Invalid response from
   http://catalog.edenred-qa.be/.well-known/acme-challenge/K8ejk8QWVwOZAJBSD46MVSyxP7BQnWDQwJxinh2dlFA:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

now it gives:

   Saving debug log to /var/log/letsencrypt/letsencrypt.log
   Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
   Obtaining a new certificate
   An unexpected error occurred:
   There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently.
   Please see the logfiles in /var/log/letsencrypt for more details.

My operating system is (include version): debian 8.5

My web server is (include version): apache 2.4

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

cat /var/log/letsencrypt/letsencrypt.log
2017-05-10 09:14:55,158:DEBUG:certbot.main:Root logging level set at 20
2017-05-10 09:14:55,159:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-05-10 09:14:55,160:DEBUG:certbot.main:certbot version: 0.9.3
2017-05-10 09:14:55,160:DEBUG:certbot.main:Arguments: ['-n', '--webroot', '-d', 'catalog.edenred-qa.be', '-w', '/var/www/html/gencert', '--cert-path', '/etc/letsencrypt/live/catalog.edenred-qa.be/', '--key-path', '/etc/letsencrypt/live/catalog.edenred-qa.be']
2017-05-10 09:14:55,161:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2017-05-10 09:14:55,161:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2017-05-10 09:14:55,164:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7ff01ff932d0>
Prep: True
2017-05-10 09:14:55,165:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7ff01ff932d0> and installer None
2017-05-10 09:14:55,185:DEBUG:certbot.main:Picked account: <Account(346345a7ff0e02e171ef1f424f515311)>
2017-05-10 09:14:55,187:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2017-05-10 09:14:55,189:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-05-10 09:14:55,520:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 352
2017-05-10 09:14:55,521:DEBUG:root:Received <Response [200]>. Headers: {'content-length': '352', 'expires': 'Wed, 10 May 2017 09:06:33 GMT', 'boulder-request-id': 'IW-EZ9FeCtrtLCUTqK8I2atXAfxBnKSjXexW0igM3dY', 'strict-transport-security': 'max-age=604800', 'server': 'nginx', 'connection': 'keep-alive', 'pragma': 'no-cache', 'cache-control': 'max-age=0, no-cache, no-store', 'date': 'Wed, 10 May 2017 09:06:33 GMT', 'x-frame-options': 'DENY', 'content-type': 'application/json', 'replay-nonce': 'l59MRx3QK9a81lTinBG6M0wp06SwcT_RlUScQg-mPeg'}. Content: '{\n  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",\n  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2017-05-10 09:14:55,521:DEBUG:acme.client:Received response <Response [200]> (headers: {'content-length': '352', 'expires': 'Wed, 10 May 2017 09:06:33 GMT', 'boulder-request-id': 'IW-EZ9FeCtrtLCUTqK8I2atXAfxBnKSjXexW0igM3dY', 'strict-transport-security': 'max-age=604800', 'server': 'nginx', 'connection': 'keep-alive', 'pragma': 'no-cache', 'cache-control': 'max-age=0, no-cache, no-store', 'date': 'Wed, 10 May 2017 09:06:33 GMT', 'x-frame-options': 'DENY', 'content-type': 'application/json', 'replay-nonce': 'l59MRx3QK9a81lTinBG6M0wp06SwcT_RlUScQg-mPeg'}): '{\n  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",\n  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2017-05-10 09:14:55,529:INFO:certbot.main:Obtaining a new certificate
2017-05-10 09:14:55,529:DEBUG:root:Requesting fresh nonce
2017-05-10 09:14:55,529:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2017-05-10 09:14:55,737:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2017-05-10 09:14:55,738:DEBUG:root:Received <Response [405]>. Headers: {'content-length': '91', 'pragma': 'no-cache', 'boulder-request-id': 'dzcb1q1vcdNsr_RkcxgeUaz7Q2KRSuYhJjSxfEv1jyw', 'expires': 'Wed, 10 May 2017 09:06:34 GMT', 'server': 'nginx', 'connection': 'keep-alive', 'allow': 'POST', 'cache-control': 'max-age=0, no-cache, no-store', 'date': 'Wed, 10 May 2017 09:06:34 GMT', 'content-type': 'application/problem+json', 'replay-nonce': 'zENiJLkj5bJfVqEp2itSY52hQQE_2H81C-xQDkYTWPM'}. Content: ''
2017-05-10 09:14:55,739:DEBUG:acme.client:Storing nonce: '\xccCb$\xb9#\xe5\xb2_V\xa1)\xda+Rc\x9d\xa1A\x01?\xd8\x7f5\x0b\xecP\x0eF\x13X\xf3'
2017-05-10 09:14:55,741:DEBUG:acme.jose.json_util:Omitted empty fields: status=None, combinations=None, expires=None, challenges=None
2017-05-10 09:14:55,741:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "catalog.edenred-qa.be"}, "resource": "new-authz"}
2017-05-10 09:14:55,743:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, jku=None, cty=None, x5t=None, alg=None, x5tS256=None, x5u=None, kid=None, jwk=None
2017-05-10 09:14:55,748:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, jku=None, nonce=None, cty=None, x5t=None, kid=None, x5tS256=None, x5u=None
2017-05-10 09:14:55,749:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "wY0sa4a85gvdbsOcvY2ngi20-ngetbJs6qTxFEtomXkxSKjULNCt12Vpnj8bw7jX0FnXBBbwOI-Bkwanq_dS5Awy3-Ywr7MYDotK0Jr6dvYBcxqAsp5VwwuTmWmOLzpMLAAeuVUkdfxGoflRDvy7dIMmr8xLuH8NPZxV1PB1uwG-_u1X5Txnq6gaKlOIQcB-tpTS1IDP_-GzYwoOSqIFTZXnxRj-ItaPkXmwQL4NZvIlrg1LuakLUXES_uCImUpMYoIjefLSV3Cz0t0gR4qrVT_fN7TQ2m7-IN6VrdZXnm9H5pJ_wx9gM1r-MloJxOJ6qpgq4vWdUb_dbt2tfc-F9Q"}}, "protected": "eyJub25jZSI6ICJ6RU5pSkxrajViSmZWcUVwMml0U1k1MmhRUUVfMkg4MUMteFFEa1lUV1BNIn0", "payload": "eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJjYXRhbG9nLmVkZW5yZWQtcWEuYmUifSwgInJlc291cmNlIjogIm5ldy1hdXRoeiJ9", "signature": "JlgRiKOBIPyQkE4ZAGNtdluu-sub9auBRU4Y2pXpKhszy6zrit7r6OMd9X3sfVR8Yqo4EHp1nht1XiDtEr7jimCSaNT3Dx87luSyW4tlSmrAFD0APHeKGFj44Wf44xRh_kNj8JiQE2LpgBLMvNjSsHRiLPBi9wdYtP6KtzP-aWOdnbaliAKKrx9tyVHT7ZMNaOx8wVIOTN3P5zkDqag1cEXIL1xhLR9-2aJ1zf9Zq8oVPMmHYrhiRk7PmUB210SisQbp5Mg_fpi4UW76p0BXrMskGZqif7e8RGYAip7_r3Zpk9bEnmMT2gHtIOogvfTuj23y8twsjjhIW2gWgkPVKg"}'}
2017-05-10 09:14:55,989:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 429 144
2017-05-10 09:14:55,992:DEBUG:root:Received <Response [429]>. Headers: {'content-length': '144', 'boulder-request-id': 'fJJtGm2Zh-MC19y9aZHo_9bspu8zb9OjKg4x89LY7OA', 'expires': 'Wed, 10 May 2017 09:06:34 GMT', 'server': 'nginx', 'cache-control': 'max-age=0, no-cache, no-store', 'connection': 'close', 'pragma': 'no-cache', 'boulder-requester': '8510608', 'date': 'Wed, 10 May 2017 09:06:34 GMT', 'content-type': 'application/problem+json', 'replay-nonce': '-CipAh0SfoH2nZsnS5JlveGbTR0QsgslEbB4yySKsZI'}. Content: '{\n  "type": "urn:acme:error:rateLimited",\n  "detail": "Error creating new authz :: Too many invalid authorizations recently.",\n  "status": 429\n}'
2017-05-10 09:14:55,993:DEBUG:acme.client:Storing nonce: "\xf8(\xa9\x02\x1d\x12~\x81\xf6\x9d\x9b'K\x92e\xbd\xe1\x9bM\x1d\x10\xb2\x0b%\x11\xb0x\xcb$\x8a\xb1\x92"
2017-05-10 09:14:55,993:DEBUG:acme.client:Received response <Response [429]> (headers: {'content-length': '144', 'boulder-request-id': 'fJJtGm2Zh-MC19y9aZHo_9bspu8zb9OjKg4x89LY7OA', 'expires': 'Wed, 10 May 2017 09:06:34 GMT', 'server': 'nginx', 'cache-control': 'max-age=0, no-cache, no-store', 'connection': 'close', 'pragma': 'no-cache', 'boulder-requester': '8510608', 'date': 'Wed, 10 May 2017 09:06:34 GMT', 'content-type': 'application/problem+json', 'replay-nonce': '-CipAh0SfoH2nZsnS5JlveGbTR0QsgslEbB4yySKsZI'}): '{\n  "type": "urn:acme:error:rateLimited",\n  "detail": "Error creating new authz :: Too many invalid authorizations recently.",\n  "status": 429\n}'
2017-05-10 09:14:55,996:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.9.3', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 563, in obtain_cert
    action, _ = _auth_from_domains(le_client, config, domains, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 100, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 281, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 253, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 68, in get_authorizations
    domain, self.account.regr.new_authzr_uri)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 210, in request_domain_challenges
    typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 190, in request_challenges
    new_authz)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 649, in post
    return self._check_response(response, content_type=content_type)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 565, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently.
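
The failure chain in the post above (virtual host not serving the webroot, 404 on the http-01 challenge, then "Too many invalid authorizations recently") can be caught before any request reaches the CA. The following is an added example, not part of the original post and not certbot code: the function name `preflight_webroot` and the probe file naming are assumptions made for illustration.

```python
import secrets
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def preflight_webroot(webroot, base_url, timeout=10):
    """Return (ok, reason): does base_url serve files written under webroot?

    Writes a random probe file where the webroot plugin would place the
    http-01 token, fetches it over HTTP and compares the body, so a wrong
    DocumentRoot shows up locally instead of as a failed authorization.
    The challenge directory is created if missing and left in place.
    """
    token = "preflight-" + secrets.token_urlsafe(16)   # hypothetical probe name
    body = secrets.token_urlsafe(32)
    challenge_dir = Path(webroot) / CHALLENGE_DIR
    probe = challenge_dir / token
    url = "{}/{}/{}".format(base_url.rstrip("/"), CHALLENGE_DIR, token)
    # Connect directly and ignore proxy environment variables.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        challenge_dir.mkdir(parents=True, exist_ok=True)
        probe.write_text(body)
        with opener.open(url, timeout=timeout) as resp:
            served = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return False, "HTTP {} for {}".format(exc.code, url)
    except (urllib.error.URLError, OSError) as exc:
        return False, "cannot fetch {}: {}".format(url, exc)
    finally:
        if probe.exists():
            probe.unlink()                              # never leave the probe behind
    if served.strip() != body:
        return False, "unexpected body from {}".format(url)
    return True, "ok"


if __name__ == "__main__":
    import sys
    # usage: preflight.py /var/www/html/gencert http://catalog.edenred-qa.be
    ok, reason = preflight_webroot(sys.argv[1], sys.argv[2])
    print(reason)
    sys.exit(0 if ok else 1)
```

A pass here only shows that the web server maps the challenge path to the webroot; it does not prove the CA can reach the host from outside. Repeat attempts while debugging belong on `--test-cert`, as used earlier in the post.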

#2

ok I found using --cert-test was better but I have to wait a while when I validate my final certificate
don't know why


#3

Hi @phil123456

Review the concept of rate limits: https://letsencrypt.org/docs/rate-limits/

Specifically:

Andrei


#4

I created a certif on another machine using --cert-test, then when it was ok, I removed the option
so I had a working certificate, but for a short period of time (10 minutes?) the certificate was not recognized by the web browser (BAD CERT error)
any idea why there is such a delay when using --cert-test?


#5

maybe a bad test? I don’t seem to have issues

Andrei


#6

yes because after 10 minutes it works

got the same issue here Renewal does not work

UNKNOWN ISSUER for around 10 minutes or so, then it works, I was wondering why?


#7

I don’t know of anything that could account for that kind of error, but if you see it in the future, please save a copy of the certificate from the web browser and then post it here!


#8

ok, I’ll keep this in mind

