Challenge creation issue and pending authorization rate limit

We set up a system which automatically renews our certificate using DNS challenge trough the Let’s Encrypt API.

We recently got issues while creating new certificate challenges with a rate limit error.

Because we only have ~50 active certificate and the pending authorizations limit is set to 300, we supposed our code was creating “zombie” challenges without the need.

After some investigation, the only clue we found was a malformed domain name for a certificate with two dots: www…domain.com

This throws a DNS Label is too short error on challenge creation, and the challenge was never created.

It looks like whenever the challenge creation fail, the pending authorization counter is incremented anyway.

Is this true? If true, is this a bug or a feature? Why? How to manage it?

Thanks.

Hi @Soullivaneuh,

Is this a 100% custom ACME client or did you build your system on top of an existing ACME library or client? Is the source code available for review?

I don't believe this is true. You can trace the path of a NewAuthorization request through the WFE to the RA where it checks whether the identifier is one we're willing to issue for before it creates challenges or the pending authorization. The PA's WillingToIssue function is what ultimately generates the DNS Label is too short error you are seeing.

Can you share more about why you believe the challenge isn't created but the authorization is? Perhaps you have more logs available to share?

Hello @cpu,

The code logic is internal and can’t be fully accessed.

We use the nexylan/nexycrypt library and you can see an application example of how we get the DNS label is too short error: https://github.com/nexylan/nexycrypt/blob/le-issue-31426/issue.php

First, can you please confirm this process does not increase the pending authorizations rate counter?

Now I’ll try to explain the process form the beginning to the end when we add a domain (and subdomains) on our SSL management system:

• We try to get the needed challenges with acme/new-authz. If it fails, we try it again on the next cron call.
• If we have the DNS challenge, we change the needed records on our DNS server
• We internally check if our records are properly modified and dispatched with PHP dns_get_record. BTW, can we know which DNS server you use for DNS challenge validation on your side?
• If the internal check succeeds, we submit the challenge validation to your API.
• If it succeeds, we generate the certificate. Otherwise, we go back to the beginning and create a new challenge, because the old one seems to not be usable after a fail.

Is at clear enough for you? Any clue on this? Don’t hesitate to ask for more information!

Thanks for your help.

Hi @Soullivaneuh, I will try and take a quick read through the linked code when I can find the time. I'm not a PHP developer by trade so I'd encourage you to find second opinions

Boulder picks one of the authoritative DNS servers for the domain at random. We don't use a public resolver but go straight to your authoritative DNS.

What happens if this check fails? You've already created an authorization but you haven't yet submitted the challenge validation to the API. That would leave a pending authorization laying around wouldn't it?

Apologies for the delayed back/forth. It's a busy week

No problem for the delay, this is already great to have an answer!

Yes, but the pending authorization itself is not abandonned. If the internal DNS check fails, we just wait the next cron command launch to check again with the same pending authorization. We do it at each run until the DNS is good. Next, we submit the validation to your API.

Do you log authorization URLs when you create them and when you POST them to be checked? It might be useful to compare the two and see if you can identify which authorizations are "leaked" and stay pending. If you know which authorizations were abandoned it might be easier to trace down why.

Hi @cpu,

We don’t have full logs of that right now but I can set it up and give you an extract.

Is it safe to post raw URLs here?

BTW, we changed our private key for now and didn’t get the problem for now, but this issue should go back soon…

It should be safe to post the authz URLs here as long as you're OK with exposing the domains (which would be in certificate transparency logs already). If you want to be extra cautious you can email them to me: cpu <at> letsencrypt.org

thanks for the update.

@cpu would this kind of logs be enough?

[2017-04-14 11:00:05] nexy_crypt.INFO: Request directory {"key-change":"https://acme-staging.api.letsencrypt.org/acme/key-change","new-authz":"https://acme-staging.api.letsencrypt.org/acme/new-authz","new-cert":"https://acme-staging.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-staging.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-staging.api.letsencrypt.org/acme/revoke-cert"} []
[2017-04-14 11:00:06] nexy_crypt.ERROR: Request acme/new-reg {"type":"urn:acme:error:malformed","detail":"Registration key is already in use","status":409} []
[2017-04-14 11:00:06] nexy_crypt.INFO: Request https://acme-staging.api.letsencrypt.org/acme/reg/1857149 {"id":1857149,"key":{"kty":"RSA","n":"weCbatjsh5N4jJVdu5DdHRIX2cYNcVTyM11FhyW-I-Dqdc5o8La43gHx6ExpIEQpDpxUgFPPN3zVbGQ9827_DEUqCd4hqw6VzqIWVkfOcAFSUbHWU3pYs7yrR11DnBMUp9_yZMfh_ypAUJUeadZjNQlsWMNxayB7q1t8GHsv1r-_Q0rLABj7tKMHypdC9CNpZ9SEfpk3Dq8zgVPmnGeUTs7SDUEGlA87NVG17QFsHzZ9CgSlg7xe7BWxjDfHo6NfR8YBeqYzU5Bj4MdN2CuUaXeayyPzp72FI-B3IZwPV5xUPLg43GjUq0U4d09D6mTjojhGx_KIbnEFnHIMtbluBQ","e":"AQAB"},"contact":[],"agreement":"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf","initialIp":"185.31.151.122","createdAt":"2017-04-12T15:18:47Z","Status":"valid"} []
[2017-04-14 11:00:07] nexy_crypt.INFO: Request https://acme-staging.api.letsencrypt.org/acme/reg/1857149 {"id":1857149,"key":{"kty":"RSA","n":"weCbatjsh5N4jJVdu5DdHRIX2cYNcVTyM11FhyW-I-Dqdc5o8La43gHx6ExpIEQpDpxUgFPPN3zVbGQ9827_DEUqCd4hqw6VzqIWVkfOcAFSUbHWU3pYs7yrR11DnBMUp9_yZMfh_ypAUJUeadZjNQlsWMNxayB7q1t8GHsv1r-_Q0rLABj7tKMHypdC9CNpZ9SEfpk3Dq8zgVPmnGeUTs7SDUEGlA87NVG17QFsHzZ9CgSlg7xe7BWxjDfHo6NfR8YBeqYzU5Bj4MdN2CuUaXeayyPzp72FI-B3IZwPV5xUPLg43GjUq0U4d09D6mTjojhGx_KIbnEFnHIMtbluBQ","e":"AQAB"},"contact":[],"agreement":"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf","initialIp":"185.31.151.122","createdAt":"2017-04-12T15:18:47Z","Status":"valid"} []
[2017-04-14 11:00:07] nexy_crypt.INFO: Request acme/new-authz {"identifier":{"type":"dns","value":"domain67ts.com"},"status":"pending","expires":"2017-04-21T09:00:07.234103881Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/0lZ_goVUoFD7PmOJ4Y0Ip3XagtSx0GktAv_vfBOCMbc/34317542","token":"9bINFctGyQp0TKlENBhfeLyFn3rH26Idn3cH6cVCCmU"},{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/0lZ_goVUoFD7PmOJ4Y0Ip3XagtSx0GktAv_vfBOCMbc/34317543","token":"RWHIcU1-cnWvVJgd1pnP0IuoyQgyx-y8GP7ytkHSew8"},{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/0lZ_goVUoFD7PmOJ4Y0Ip3XagtSx0GktAv_vfBOCMbc/34317544","token":"L1L2t-7QXhwGDD3kpJSUqjOWsjFKmqSnUrZoI0aaThs"}],"combinations":[[1],[0],[2]]} []
[2017-04-14 11:00:07] nexy_crypt.INFO: Request https://acme-staging.api.letsencrypt.org/acme/reg/1857149 {"id":1857149,"key":{"kty":"RSA","n":"weCbatjsh5N4jJVdu5DdHRIX2cYNcVTyM11FhyW-I-Dqdc5o8La43gHx6ExpIEQpDpxUgFPPN3zVbGQ9827_DEUqCd4hqw6VzqIWVkfOcAFSUbHWU3pYs7yrR11DnBMUp9_yZMfh_ypAUJUeadZjNQlsWMNxayB7q1t8GHsv1r-_Q0rLABj7tKMHypdC9CNpZ9SEfpk3Dq8zgVPmnGeUTs7SDUEGlA87NVG17QFsHzZ9CgSlg7xe7BWxjDfHo6NfR8YBeqYzU5Bj4MdN2CuUaXeayyPzp72FI-B3IZwPV5xUPLg43GjUq0U4d09D6mTjojhGx_KIbnEFnHIMtbluBQ","e":"AQAB"},"contact":[],"agreement":"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf","initialIp":"185.31.151.122","createdAt":"2017-04-12T15:18:47Z","Status":"valid"} []
[2017-04-14 11:00:07] nexy_crypt.INFO: Request https://acme-staging.api.letsencrypt.org/acme/reg/1857149 {"id":1857149,"key":{"kty":"RSA","n":"weCbatjsh5N4jJVdu5DdHRIX2cYNcVTyM11FhyW-I-Dqdc5o8La43gHx6ExpIEQpDpxUgFPPN3zVbGQ9827_DEUqCd4hqw6VzqIWVkfOcAFSUbHWU3pYs7yrR11DnBMUp9_yZMfh_ypAUJUeadZjNQlsWMNxayB7q1t8GHsv1r-_Q0rLABj7tKMHypdC9CNpZ9SEfpk3Dq8zgVPmnGeUTs7SDUEGlA87NVG17QFsHzZ9CgSlg7xe7BWxjDfHo6NfR8YBeqYzU5Bj4MdN2CuUaXeayyPzp72FI-B3IZwPV5xUPLg43GjUq0U4d09D6mTjojhGx_KIbnEFnHIMtbluBQ","e":"AQAB"},"contact":[],"agreement":"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf","initialIp":"185.31.151.122","createdAt":"2017-04-12T15:18:47Z","Status":"valid"} []

Note: This is not relevant logs, just for example.

This seems good (particularly the new-authz response being logged). I don't see any POST requests to initiate a challenge verification but I would make sure that you have logging for those as well, likely it was just excluded in your example.

Indeed I forgot this part. I’ll update it, thanks!

[2017-04-18 16:44:45] nexy_crypt.INFO: [GET] directory {"key-change":"https://acme-v01.api.letsencrypt.org/acme/key-change","new-authz":"https://acme-v01.api.letsencrypt.org/acme/new-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.letsencrypt.org/acme/revoke-cert"} []
[2017-04-18 16:44:46] nexy_crypt.ERROR: [POST] acme/new-reg {"type":"urn:acme:error:malformed","detail":"Registration key is already in use","status":409} []
[2017-04-18 16:44:46] nexy_crypt.INFO: [POST] https://acme-v01.api.letsencrypt.org/acme/reg/11955242 {"id":11955242,"key":{"kty":"RSA","n":"tUUQpU90LyxEx3rxjB7QazkAJAjpsBCJndf7UYDNspTN5xC7scyRFRCAKESU1jlaziuNSsQXLv0VV6KKpFgjOucaa5CLALY_g3jCY_b85_412hU5tu4LHg8xH2hLe0aAMRmDuFYsJNLLxRLkm6pgfwBrVhP98dpWQCKe4YpsOaKw1n71NqS7XMoEQ1PWegwqkV8zeH1lbC_pByyUtNZDBoTHsirH1OVcvy9rXz2sP1A51OIr5PrczM7mIa5nXqQ2YelnqFpVcem5auDjvCl62dRrAx2yAxy3l7V_T3ZmcJCOeQLUX93buR5f-3VaSBZxl9IDxYjUw1O80b-YhZUpoQ","e":"AQAB"},"contact":[],"agreement":"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf","initialIp":"2a00:c70:2:210:1:5252:0:1370","createdAt":"2017-04-05T13:14:23Z","Status":"valid"} []
[2017-04-18 16:44:46] nexy_crypt.INFO: [POST] https://acme-v01.api.letsencrypt.org/acme/reg/11955242 {"id":11955242,"key":{"kty":"RSA","n":"tUUQpU90LyxEx3rxjB7QazkAJAjpsBCJndf7UYDNspTN5xC7scyRFRCAKESU1jlaziuNSsQXLv0VV6KKpFgjOucaa5CLALY_g3jCY_b85_412hU5tu4LHg8xH2hLe0aAMRmDuFYsJNLLxRLkm6pgfwBrVhP98dpWQCKe4YpsOaKw1n71NqS7XMoEQ1PWegwqkV8zeH1lbC_pByyUtNZDBoTHsirH1OVcvy9rXz2sP1A51OIr5PrczM7mIa5nXqQ2YelnqFpVcem5auDjvCl62dRrAx2yAxy3l7V_T3ZmcJCOeQLUX93buR5f-3VaSBZxl9IDxYjUw1O80b-YhZUpoQ","e":"AQAB"},"contact":[],"agreement":"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf","initialIp":"2a00:c70:2:210:1:5252:0:1370","createdAt":"2017-04-05T13:14:23Z","Status":"valid"} []
[2017-04-18 16:44:46] nexy_crypt.INFO: [POST] acme/new-authz {"identifier":{"type":"dns","value":"sdffgneruigbeugregusbdnf.fr"},"status":"pending","expires":"2017-04-25T14:44:46.760555391Z","challenges":[{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/4DoTzf3qW6j9elKnwF-qanG3EQeqkCEvlnBuRj-7A00/1044745606","token":"7FutRh8qq0MEj6Zl9rcGF2b9c6_PO1HgFq_de-pVip0"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/4DoTzf3qW6j9elKnwF-qanG3EQeqkCEvlnBuRj-7A00/1044745607","token":"_qX_wlE7GWSAcvC4nczU0uESCWo6ph3xsPfTKuijJr0"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/4DoTzf3qW6j9elKnwF-qanG3EQeqkCEvlnBuRj-7A00/1044745608","token":"-G-bowaKUiWU-XKlBznf-YQAqmwh2uQY_t7loDYnOcI"}],"combinations":[[2],[1],[0]]} []
[2017-04-18 16:44:47] nexy_crypt.INFO: [POST] acme/new-authz {"identifier":{"type":"dns","value":"www.sdffgneruigbeugregusbdnf.fr"},"status":"pending","expires":"2017-04-25T14:44:46.972985857Z","challenges":[{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/nQQPLcc_K-M-J779ch9VhoqxX8pETT_cUVnlhMkTudA/1044745615","token":"p2XSQFhrtX8JTkDUOr_pY_XMyGYL9cU2aRhkLIxbo2E"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/nQQPLcc_K-M-J779ch9VhoqxX8pETT_cUVnlhMkTudA/1044745616","token":"W9iYKGFgDUR7GvzHm8HiALjrX2DyUuIfrU6PdB6RsFM"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/nQQPLcc_K-M-J779ch9VhoqxX8pETT_cUVnlhMkTudA/1044745617","token":"RtdiNccAtlwtLTIt3ZXt5g7RQnT5Zpdv39jpVhrvbk4"}],"combinations":[[0],[1],[2]]} []
[2017-04-18 16:44:47] nexy_crypt.INFO: [POST] https://acme-v01.api.letsencrypt.org/acme/reg/11955242 {"id":11955242,"key":{"kty":"RSA","n":"tUUQpU90LyxEx3rxjB7QazkAJAjpsBCJndf7UYDNspTN5xC7scyRFRCAKESU1jlaziuNSsQXLv0VV6KKpFgjOucaa5CLALY_g3jCY_b85_412hU5tu4LHg8xH2hLe0aAMRmDuFYsJNLLxRLkm6pgfwBrVhP98dpWQCKe4YpsOaKw1n71NqS7XMoEQ1PWegwqkV8zeH1lbC_pByyUtNZDBoTHsirH1OVcvy9rXz2sP1A51OIr5PrczM7mIa5nXqQ2YelnqFpVcem5auDjvCl62dRrAx2yAxy3l7V_T3ZmcJCOeQLUX93buR5f-3VaSBZxl9IDxYjUw1O80b-YhZUpoQ","e":"AQAB"},"contact":[],"agreement":"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf","initialIp":"2a00:c70:2:210:1:5252:0:1370","createdAt":"2017-04-05T13:14:23Z","Status":"valid"} []
[2017-04-18 16:44:47] nexy_crypt.INFO: [POST] https://acme-v01.api.letsencrypt.org/acme/reg/11955242 {"id":11955242,"key":{"kty":"RSA","n":"tUUQpU90LyxEx3rxjB7QazkAJAjpsBCJndf7UYDNspTN5xC7scyRFRCAKESU1jlaziuNSsQXLv0VV6KKpFgjOucaa5CLALY_g3jCY_b85_412hU5tu4LHg8xH2hLe0aAMRmDuFYsJNLLxRLkm6pgfwBrVhP98dpWQCKe4YpsOaKw1n71NqS7XMoEQ1PWegwqkV8zeH1lbC_pByyUtNZDBoTHsirH1OVcvy9rXz2sP1A51OIr5PrczM7mIa5nXqQ2YelnqFpVcem5auDjvCl62dRrAx2yAxy3l7V_T3ZmcJCOeQLUX93buR5f-3VaSBZxl9IDxYjUw1O80b-YhZUpoQ","e":"AQAB"},"contact":[],"agreement":"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf","initialIp":"2a00:c70:2:210:1:5252:0:1370","createdAt":"2017-04-05T13:14:23Z","Status":"valid"} []
[2017-04-18 16:44:47] nexy_crypt.INFO: [POST] https://acme-v01.api.letsencrypt.org/acme/reg/11955242 {"id":11955242,"key":{"kty":"RSA","n":"tUUQpU90LyxEx3rxjB7QazkAJAjpsBCJndf7UYDNspTN5xC7scyRFRCAKESU1jlaziuNSsQXLv0VV6KKpFgjOucaa5CLALY_g3jCY_b85_412hU5tu4LHg8xH2hLe0aAMRmDuFYsJNLLxRLkm6pgfwBrVhP98dpWQCKe4YpsOaKw1n71NqS7XMoEQ1PWegwqkV8zeH1lbC_pByyUtNZDBoTHsirH1OVcvy9rXz2sP1A51OIr5PrczM7mIa5nXqQ2YelnqFpVcem5auDjvCl62dRrAx2yAxy3l7V_T3ZmcJCOeQLUX93buR5f-3VaSBZxl9IDxYjUw1O80b-YhZUpoQ","e":"AQAB"},"contact":[],"agreement":"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf","initialIp":"2a00:c70:2:210:1:5252:0:1370","createdAt":"2017-04-05T13:14:23Z","Status":"valid"} []
[2017-04-18 16:44:47] nexy_crypt.INFO: [POST] https://acme-v01.api.letsencrypt.org/acme/reg/11955242 {"id":11955242,"key":{"kty":"RSA","n":"tUUQpU90LyxEx3rxjB7QazkAJAjpsBCJndf7UYDNspTN5xC7scyRFRCAKESU1jlaziuNSsQXLv0VV6KKpFgjOucaa5CLALY_g3jCY_b85_412hU5tu4LHg8xH2hLe0aAMRmDuFYsJNLLxRLkm6pgfwBrVhP98dpWQCKe4YpsOaKw1n71NqS7XMoEQ1PWegwqkV8zeH1lbC_pByyUtNZDBoTHsirH1OVcvy9rXz2sP1A51OIr5PrczM7mIa5nXqQ2YelnqFpVcem5auDjvCl62dRrAx2yAxy3l7V_T3ZmcJCOeQLUX93buR5f-3VaSBZxl9IDxYjUw1O80b-YhZUpoQ","e":"AQAB"},"contact":[],"agreement":"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf","initialIp":"2a00:c70:2:210:1:5252:0:1370","createdAt":"2017-04-05T13:14:23Z","Status":"valid"} []

Does it look like better for you @cpu?

I see POSTs to new-authz and new-reg but not any POSTs to the authz for the challenge initiation.

Could you please elaborate? I was meaning this:

[2017-04-18 16:44:46] nexy_crypt.INFO: [POST] acme/new-authz {"identifier":{"type":"dns","value":"sdffgneruigbeugregusbdnf.fr"},"status":"pending","expires":"2017-04-25T14:44:46.760555391Z","challenges":[{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/4DoTzf3qW6j9elKnwF-qanG3EQeqkCEvlnBuRj-7A00/1044745606","token":"7FutRh8qq0MEj6Zl9rcGF2b9c6_PO1HgFq_de-pVip0"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/4DoTzf3qW6j9elKnwF-qanG3EQeqkCEvlnBuRj-7A00/1044745607","token":"_qX_wlE7GWSAcvC4nczU0uESCWo6ph3xsPfTKuijJr0"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/4DoTzf3qW6j9elKnwF-qanG3EQeqkCEvlnBuRj-7A00/1044745608","token":"-G-bowaKUiWU-XKlBznf-YQAqmwh2uQY_t7loDYnOcI"}],"combinations":[[2],[1],[0]]} []
[2017-04-18 16:44:47] nexy_crypt.INFO: [POST] acme/new-authz {"identifier":{"type":"dns","value":"www.sdffgneruigbeugregusbdnf.fr"},"status":"pending","expires":"2017-04-25T14:44:46.972985857Z","challenges":[{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/nQQPLcc_K-M-J779ch9VhoqxX8pETT_cUVnlhMkTudA/1044745615","token":"p2XSQFhrtX8JTkDUOr_pY_XMyGYL9cU2aRhkLIxbo2E"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/nQQPLcc_K-M-J779ch9VhoqxX8pETT_cUVnlhMkTudA/1044745616","token":"W9iYKGFgDUR7GvzHm8HiALjrX2DyUuIfrU6PdB6RsFM"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/nQQPLcc_K-M-J779ch9VhoqxX8pETT_cUVnlhMkTudA/1044745617","token":"RtdiNccAtlwtLTIt3ZXt5g7RQnT5Zpdv39jpVhrvbk4"}],"combinations":[[0],[1],[2]]} []

BTW, quick question which may explain my issue : When a dns-challenge has the invalid status like this : https://acme-v01.api.letsencrypt.org/acme/challenge/AgP72EtC1oe2tPG1Bh7yFWdPjr8cL9BIsiUEzmTavUc/1049157258

Should I call acme/new-authz API to get a new challenge or just try to re-validate it later when DNS propagation will be good?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.