Certbot Fails - Too many Authorizations


#1

I’m running certbot manually to renew my Exchange server IIS certificates, so there’s no automation at all in that process.
The renewal is being done on a Debian box, to which I just change the NAT mapping for the process; the renewal list consists of multiple domains and aliases (autodiscover., mail.,…)

So far this method had been running ever since LE was introduced, but now it stopped working.

However, as I just tried to renew my certificate, this error came up pretty much unexpectedly:

2017-05-13 22:38:26,408:DEBUG:certbot.main:Root logging level set at 20
2017-05-13 22:38:26,410:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-05-13 22:38:26,410:DEBUG:certbot.main:certbot version: 0.10.2
2017-05-13 22:38:26,411:DEBUG:certbot.main:Arguments: [’--standalone’, ‘-d’, ‘###LONG’##DOMAIN###LIST###’]
2017-05-13 22:38:26,411:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2017-05-13 22:38:26,412:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2017-05-13 22:38:26,631:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f0a64775c50>
Prep: True
2017-05-13 22:38:26,632:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f0a64775c50> and installer None
2017-05-13 22:38:26,639:DEBUG:certbot.main:Picked account: <Account(54d3c9091fbccb8cd472f73ecd962c7e)>
2017-05-13 22:38:26,640:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-05-13 22:38:26,665:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-05-13 22:38:26,871:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 352
2017-05-13 22:38:26,872:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: #EDIT#
Replay-Nonce: #EDIT#
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 13 May 2017 22:38:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 13 May 2017 22:38:26 GMT
Connection: keep-alive

{
“key-change”: “https://acme-v01.api.letsencrypt.org/acme/key-change”,
“new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”,
“new-cert”: “https://acme-v01.api.letsencrypt.org/acme/new-cert”,
“new-reg”: “https://acme-v01.api.letsencrypt.org/acme/new-reg”,
“revoke-cert”: “https://acme-v01.api.letsencrypt.org/acme/revoke-cert”
}
2017-05-13 22:38:26,963:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-05-28 19:27:00 UTC.
2017-05-13 22:38:26,964:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2017-05-13 22:38:26,964:INFO:certbot.main:Renewing an existing certificate
2017-05-13 22:38:26,965:DEBUG:root:Requesting fresh nonce
2017-05-13 22:38:26,965:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-05-13 22:38:27,151:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “HEAD /acme/new-authz HTTP/1.1” 405 0
2017-05-13 22:38:27,152:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: #EDIT#
Replay-Nonce: #EDIT#
Expires: Sat, 13 May 2017 22:38:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 13 May 2017 22:38:27 GMT
Connection: keep-alive

2017-05-13 22:38:27,152:DEBUG:acme.client:Storing nonce: #EDIT#
2017-05-13 22:38:27,153:DEBUG:acme.client:JWS payload:
{
“identifier”: {
“type”: “dns”,
“value”: “exchange.domain.net”
},
“resource”: “new-authz”
}
2017-05-13 22:38:27,162:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
“header”: {
“alg”: “RS256”,
“jwk”: {
“e”: “AQAB”,
“kty”: “RSA”,
“n”: #EDIT#
}
},
“protected”: #EDIT#,
“payload”: #EDIT#
}
2017-05-13 22:38:27,501:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “POST /acme/new-authz HTTP/1.1” 429 144
2017-05-13 22:38:27,503:DEBUG:acme.client:Received response:
HTTP 429
Server: nginx
Content-Type: application/problem+json
Content-Length: 144
Boulder-Request-Id: #EDIT#
Boulder-Requester: 13643
Replay-Nonce: #EDIT#
Expires: Sat, 13 May 2017 22:38:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 13 May 2017 22:38:27 GMT
Connection: close

{
“type”: “urn:acme:error:rateLimited”,
“detail”: “Error creating new authz :: too many currently pending authorizations”,
“status”: 429
}
2017-05-13 22:38:27,503:DEBUG:acme.client:Storing nonce: #EDIT#
2017-05-13 22:38:27,505:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.10.2’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 849, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 626, in obtain_cert
action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 103, in _auth_from_available
renewal.renew_cert(config, domains, le_client, lineage)
File “/usr/lib/python2.7/dist-packages/certbot/renewal.py”, line 296, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File “/usr/lib/python2.7/dist-packages/certbot/client.py”, line 262, in obtain_certificate
self.config.allow_subset_of_names)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 67, in get_authorizations
domain, self.account.regr.new_authzr_uri)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 216, in request_domain_challenges
typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 196, in request_challenges
new_authz)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 671, in post
return self._post_once(*args, **kwargs)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 684, in _post_once
return self._check_response(response, content_type=content_type)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 570, in _check_response
raise messages.Error.from_json(jobj)
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many currently pending authorizations


#2

hi @coldisthevoid

review https://letsencrypt.org/docs/rate-limits/

Andrei


#3

hello @ahaw021, I’ve already double-checked this.
There is no certbot running; however, parsing the logs I’ve come across the fact that certbot was triggered 3 days ago by cron. That might result in hitting the rate limit.

According to rate-limits:

I don’t see why this one hasn’t expired yet.

#edit:
I think I found the issue: there are up to 3 pending authz for each certificate, so it seems like I’d just wait for them to expire
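
The log check described in #3, as an added example (not part of the original posts and not certbot's own code): it scans a letsencrypt.log in the format quoted in #1 and reports, per day, the HTTP status of every new-authz POST plus any rateLimited detail. The function name and SAMPLE_LOG are assumptions; the 201 lines are constructed to stand in for an earlier run that opened authorizations and then aborted.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in #1 (not the poster's real log).
SAMPLE_LOG = '''\
2017-05-10 03:00:01,101:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1005
2017-05-10 03:00:02,207:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1004
2017-05-10 03:00:03,950:DEBUG:certbot.main:Exiting abnormally:
2017-05-13 22:38:27,501:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “POST /acme/new-authz HTTP/1.1” 429 144
{
“type”: “urn:acme:error:rateLimited”,
“detail”: “Error creating new authz :: too many currently pending authorizations”,
“status”: 429
}
'''

# Date of the log line and HTTP status of a new-authz POST.
AUTHZ_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2}) [\d:,]+:DEBUG:.*"POST /acme/new-authz HTTP/1\.1" (\d{3}) ')
DETAIL_RE = re.compile(r'"detail":\s*"([^"]*)"')


def summarize_new_authz(log_text):
    """Return ({day: Counter({status: n})}, [rateLimited detail strings])."""
    # Logs pasted through forum software come back with curly quotes; undo that.
    text = log_text.translate({0x201C: '"', 0x201D: '"'})
    per_day, details, in_rate_limit = {}, [], False
    for line in text.splitlines():
        m = AUTHZ_RE.match(line)
        if m:
            per_day.setdefault(m.group(1), Counter())[int(m.group(2))] += 1
            continue
        if 'urn:acme:error:rateLimited' in line:
            in_rate_limit = True  # the "detail" field follows in the same body
        d = DETAIL_RE.search(line)
        if d and in_rate_limit:
            details.append(d.group(1))
            in_rate_limit = False
    return per_day, details


if __name__ == "__main__":
    days, problems = summarize_new_authz(SAMPLE_LOG)
    for day in sorted(days):
        print(day, dict(days[day]))
    for p in problems:
        print("rate limited:", p)
```

Days with successful new-authz responses but no completed issuance are the runs worth checking for authorizations left pending.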

